[BreachExchange] 5 lessons small business should learn from recent cyber attacks

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 21 14:28:02 EDT 2017


https://thenextweb.com/contributors/2017/07/20/5-lessons-small-business-learn-recent-cyber-attacks/

If the recent cyber attacks have taught us anything, it is that most people
are dangerously unprepared for them. Cyber security should be at the
forefront of virtually every industry yet it is often treated as an
afterthought.

Small businesses are in a particularly disadvantaged position. Even so,
many are unaware of the dangers they are already facing. The truth is that
an estimated 43 percent of cyber-attacks target small businesses, so there
are many lessons to be learnt here.

1. Attacks are random and unpredictable

Cyber-attacks cannot really be predicted, unless we are talking about very
specific targets which constantly come under fire. With regard to small
businesses, however, cyber-attacks follow no specific pattern and can
come at pretty much any point.

Let us take the WannaCry ransomware as an example. On 12th of May 2017,
within the course of a single day, the WannaCry ransomware was released
into the wild and managed to infect more than 230,000 computers worldwide.
In the end, the number rose to more than 300,000.

Even high-profile companies and organizations such as FedEx and the UK’s
National Health Service were victims of the attack. No one expected the
attack and if it wasn’t for the accidental hero who managed to stop its
spread, a lot more computers would have been infected.

You may be familiar with the phrase “eternal vigilance is the price of
liberty”. The phrase could easily be modified to “eternal vigilance is the
price of cyber-security”. When attacks are this random, they should always
be expected.

2. Do not assume you are safe

Nowadays, privacy is at a premium. Learning how to protect your privacy and
security is a vital skill. If you are a small business, you also have the
responsibility of protecting your users.

Perhaps the most common mistake small businesses make with regard to cyber
security is assuming they will not be attacked. For instance, some
believe that they are too small to be of any concern to hackers.

This, however, is not always a correct line of thinking. In fact, plenty of
hackers specifically target small businesses exactly because they are
small. Hackers know that many businesses will not protect themselves
against cyberattacks and so they consider them easy targets.

Even security experts with years of experience and exceptional technical
expertise cannot predict when and where the next attack will strike. Any
business could be affected, particularly those who believe themselves to be
safe without actually doing anything about it.

3. Treat the cause and not the symptoms

Preventing a cyber-attack is a far more logical process than attempting to
treat its symptoms. For those affected by WannaCry, for example, there is
no good course of action: the encrypted files are not recoverable, and
paying the ransom is inadvisable and is extremely unlikely to have any
success.

As far as all cyber threats are concerned, prevention is vastly superior to
treatment. What prevention means, however, will vary widely across small
businesses, depending on how they wish to approach potential issues.

For example, many will be content with simply putting security measures
in place and having a decent IT team to install security patches and other
defensive mechanisms. Others, however, will want to go a step further and
be proactive in their defense.

This might mean continuous monitoring to detect potential threats and
constantly testing their systems by making use of external cyber-security
teams. Of course, all of these can be expensive processes, so you will need
to balance your budget against potential threats.

4. Do not neglect security

This point is so important that it merits constant repetition. Security
should not be neglected for any reason, including budget-related concerns.
While it is certainly understandable that keeping an IT team or upgrading
equipment is a major hassle, neglecting security may well result in
catastrophe.

You may think that downtime is unbearable but losing important files or
having customer records leak is, without a doubt, a worse fate. Some of the
computers infected with WannaCry were still running Windows XP, for
example, despite the fact that extended support for the OS ended more than
three years ago.

Even those who were running newer operating systems such as Windows 7 had
neglected security for one reason or another, resulting in unpatched
systems which were obviously vulnerable to the cyber-attack.

5. You may be a stepping-stone to something larger

If your corporate associates are huge enterprises and you hold data which
could be considered sensitive, or if your business has a way to access such
data or other important information, then assume you may be targeted soon.

While some large corporations will set up security for their smaller
partners, in the majority of the cases they expect their partners to take
care of such matters themselves. In fact, you may even be held responsible
if information is leaked.

Of course, these are matters that should be discussed and arranged with any
corporate partners you have, regardless of how big or small they are.
Protecting all data you have access to, however, should be standard
practice.