[BreachExchange] Why SMEs shouldn't be putting cyber-security on the back burner

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 25 18:46:42 EDT 2016


http://www.scmagazineuk.com/why-smes-shouldnt-be-putting-cyber-security-on-the-back-burner/article/510800/

Research published this month has found that many small firms are still not
doing enough to protect themselves. The survey by Barclaycard of over 250
small businesses found that just one in five rank cyber-security as a top
business priority, despite previous government research having found that
the average cyber-attack on a small business costs between £75,000 and
£311,000, including lost sales, business disruption and compensation pay
outs.

The myth that small and medium-sized businesses don't face a threat
couldn't be further from the truth. For a hacker, small and medium sized
organisations are seen as easier targets as they believe less is being done
to protect data. This data might be information about clients, customer
details, bank details or it might be as a way into one of your customers'
systems where you are linked through e-commerce, by email or in some other
way.

A 2015 HM Government report confirmed that 74 percent of small and
medium-sized enterprises reported a security breach. However, only seven
percent of small businesses expect information security spend to increase
in the next year.

Not all threats are external. In fact, many cyber-related losses suffered
by UK SMEs come from within, for example, when employees deliberately
misuse data. Sometimes the damage is unintentional, for example, when an
employee accidentally corrupts valuable data.

Ransomware affects both SMEs and individuals alike. Hackers are intelligent
– they do not ask for millions from their victims but instead ask for a sum
of money that is significant but acceptable to most people. Arguably, it
might be easier to target many SMEs and demand relatively small payments,
than target a large conglomerate and ask for a huge bounty.

The weak point is the user who clicks on links in emails or opens
attachments. This is when the vicious circle begins. Before paying the
ransom to get back to “normal” operations, just remember there are many
gangs out there who will share your information. The evidence that you are
willing to pay will quickly be passed around to other similar groups.

Brexit or no Brexit, the issue of cyber-security for small businesses is
made even more pressing by new European regulations aimed at protecting
customer data. The EU's new General Data Protection Regulation will come
into force in 2018 and could result in companies being fined up to €20
million or four percent of their annual turnover, whichever is greater, for
allowing any security breaches to compromise their customer data.

Taking all of this into consideration, what are some basic steps that SMEs
can take to better protect themselves?

Keep software updated: Download software and app updates as soon as they
appear. They contain vital security upgrades that keep your devices and
business information safe. Many instances of hacking have relied on
businesses not staying updated with software patches.

Make passwords stronger: Use strong passwords made up of at least three
random words. Using lower and upper case letters, numbers and symbols will
make your passwords even stronger. You could also consider using a password
generator. Why not develop a company policy on strong password practices?
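
The "three random words" advice above, as an added example that is not part of the original article: a small passphrase generator built on Python's `secrets` module, an entropy estimate that shows why the size of the word list matters, and a policy check for the minimum-words rule. The 32-word list is a constructed stand-in; a real deployment would load a large published list.

```python
import math
import secrets

# Constructed sample word list (an assumption for this example). A real
# deployment would load a much larger list; the entropy function below
# shows how strongly passphrase strength depends on list size.
WORDS = [
    "apple", "river", "stone", "cloud", "maple", "tiger", "candle", "orbit",
    "forest", "silver", "anchor", "meadow", "copper", "lantern", "harbor",
    "violet", "thunder", "pebble", "saddle", "willow", "marble", "falcon",
    "ember", "glacier", "canyon", "quartz", "velvet", "beacon", "cinder",
    "summit", "tundra", "walnut",
]


def generate_passphrase(word_count=3, wordlist=WORDS, separator="-",
                        capitalize=True, digit_suffix=True):
    """Build a passphrase of `word_count` distinct random words.

    Words are drawn with a CSPRNG (secrets.SystemRandom), never the
    `random` module. Capitalisation and a two-digit suffix follow the
    article's advice to mix cases and numbers; they add only a few bits,
    the word count and list size do most of the work.
    """
    if word_count < 3:
        raise ValueError("policy requires at least three words")
    rng = secrets.SystemRandom()
    words = rng.sample(wordlist, word_count)  # distinct words, no repeats
    if capitalize:
        words = [w.capitalize() for w in words]
    phrase = separator.join(words)
    if digit_suffix:
        phrase += separator + f"{secrets.randbelow(100):02d}"
    return phrase


def passphrase_entropy_bits(word_count, wordlist_size, digit_suffix=True):
    """Entropy in bits for `word_count` distinct words drawn uniformly."""
    bits = math.log2(math.perm(wordlist_size, word_count))
    if digit_suffix:
        bits += math.log2(100)  # two uniformly random decimal digits
    return bits


def meets_policy(passphrase, min_words=3, separator="-"):
    """Check a candidate against the 'at least three random words' rule.

    Non-word tokens (such as the digit suffix) are ignored; repeated words
    are rejected because they reduce the effective entropy.
    """
    words = [t for t in passphrase.split(separator) if t.isalpha()]
    return len(words) >= min_words and len(set(words)) == len(words)


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "meets policy:", meets_policy(phrase))
    print(f"{passphrase_entropy_bits(3, len(WORDS)):.1f} bits with this list,")
    print(f"{passphrase_entropy_bits(3, 7776):.1f} bits with a 7776-word list")
```

The entropy figures make the trade-off concrete: three words from the toy list give roughly 15 bits plus the suffix, while the same three words from a 7776-word list give about 39 bits before the suffix. The policy check only enforces structure; strength still comes from the words being chosen at random by the generator rather than by the user.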

Be vigilant with emails: Delete suspicious emails as they may contain
fraudulent requests for information or links to viruses. Unsolicited emails
often contain attachments or hyperlinks (particularly shortened links);
many phishing attacks attempt to trick you into opening a file loaded with
malware or to visit a site which runs malicious scripts on your computer.
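
The two warning signs named above, shortened links and executable or macro-bearing attachments, as an added screening example that is not from the original article. The message dictionaries and the starter lists of shortener hosts and risky extensions are constructed for the example; a mail gateway or client plug-in would feed real messages through the same function.

```python
import os
import re
from urllib.parse import urlparse

# Hostnames of common public link shorteners (constructed starter list;
# extend it for your own environment).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Attachment extensions that can run code or carry macros on a user's PC.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta",
                    ".docm", ".xlsm", ".pptm", ".jar", ".iso", ".lnk"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages; the dict shape is an assumption of this
# example, not any mail library's object model.
SAMPLE_MESSAGES = [
    {"subject": "Invoice overdue",
     "body": "Please review: http://bit.ly/xyz123 today.",
     "attachments": ["invoice.pdf.exe"]},
    {"subject": "Team lunch",
     "body": "Menu at https://intranet.example.local/lunch",
     "attachments": ["menu.pdf"]},
]


def screen_email(message):
    """Return the reasons an email deserves caution (empty list = none).

    Checks only the two signals the article calls out: attachments whose
    final extension can execute or carry macros (catching double
    extensions such as invoice.pdf.exe), and links whose host is a public
    shortener, which hides the real destination from the reader.
    """
    reasons = []
    for name in message.get("attachments", []):
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type: {name}")
    for url in URL_RE.findall(message.get("body", "")):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            reasons.append(f"shortened link hides destination: {url}")
    return reasons


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        flags = screen_email(msg)
        print(f"{msg['subject']!r}: {flags or 'no warning signs'}")
```

A message with no findings is not proof of safety; the check is a cheap first filter that pairs naturally with the staff training the article recommends, since the reasons it prints are the same things users should learn to notice themselves.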

Install anti-virus software: Your computers, tablets and smartphones can
easily become infected by small pieces of software known as viruses or
malware. Install Internet security software like anti-virus on all your
devices to help prevent infection. Don't settle for free or ‘lite' versions
but go professional; spend a little bit of money, it's a wise investment.

Train your staff: Make your staff aware of cyber-security threats and how
to deal with them. For example, the Government offers free online training
courses tailored for you and your staff that take around 60 minutes to
complete. You can encourage staff by holding learning sessions – lunch and
learn for instance. Most security issues are based on ignorance, not
malicious intent. Assume staff don't know all the answers and give them an
environment to learn.

Manage administrator privileges carefully: Avoid using an account with
administrative privileges for normal day-to-day activities and web
browsing. Accounts with lower privileges warn you if a programme tries to
install software or modify computer settings thus allowing you to decide
whether the proposed action is safe.

Don't store credit card data on servers: Into e-commerce? Consider using
somebody like PayPal to handle payment processing and avoid the need to
access customers' credit card details. Let your servers work for other
parts of the business and let somebody else deal with the financial
transactions.