Despite warnings from professionals and high-profile attacks, one of the biggest factors behind the cybercrime that SMEs suffer is the actions of their employees.
Human factors can be the weakest links in the cybersecurity of small businesses for a number of reasons. Whether the problem is not understanding what security attacks look like or not taking action to prevent the spread of an attack, increasing understanding of cybersecurity is vital to minimise the risk of a breach.
While every business owner prioritises physical security – locking office doors, filing cabinets and so on – the same level of care is not always in place when it comes to cybersecurity. In many cases, the necessary level of understanding just isn’t in place. With many cyberattacks designed to work based on expected human behaviours, it’s more important now than ever for businesses to ensure their staff are given the training to minimise these risks.
Despite the number of reported attacks in the UK rising by 27% in Q1 of 2018, according to Beaming, the connectivity specialists, small businesses are still unprepared should they encounter a hack. By looking at the human factors creating this risk, small-business owners will be able to identify how their security can be improved.
Too small to be noticed?
For many small businesses, cybersecurity may not be treated as a priority because it isn’t considered key for the day-to-day running of the company.
In an interview with Avast Business, Doctor Lee Hadlington, associate professor of cyber psychology at De Montfort University in Leicester, explained: “The person with three members of staff, a website and some online banking doesn’t see cybersecurity as essential. Business owners’ priority is profit [and] making sure they stay in business.”
Consequently, small businesses might hope to fly under the radar or feel they are too small to be noticed. However, adopting an ‘it’ll never happen to me’ attitude is dangerous, as owners will then have to face the consequences. With 42% of all UK businesses with more than 100 staff members having suffered a breach, the threat is very much real – and not for the reason you might expect.
While some sites are specifically targeted, one of the main reasons that the most prolific attacks succeed is that they aren’t targeting anyone. Instead, their aim is to hit everyone – big and small businesses alike – and to cause as much disruption as possible. WannaCry is an example where a cybercriminal exploited a software vulnerability and the impact was wider than expected. For SMEs, security shouldn’t be about hoping they’re too small to be on the radar but about understanding that many attacks aren’t actually targeted at them.
Lack of awareness
Often, poor cybersecurity is the result of an error due to a lack of awareness or understanding. In many cases, the risk of an attack could be significantly reduced by implementing effective training for staff.
For instance, spear phishing attacks are still on the rise. These hacks aim to acquire data by appearing as a legitimate email, attachment or document and are entirely dependent on the user’s inability to identify suspicious activity. Unlike phishing, which is aimed at as many people as possible, spear phishing is often targeted at individuals and impersonates trusted senders to trick users into opening malicious software.
Despite warnings, not only do workers still have lax attitudes about cybersecurity and use weak passwords, they may also share these passwords and reuse them on multiple accounts. With the increasingly high-profile nature of cyberthreats, it would be reasonable to expect a changing attitude towards password security, but that doesn’t seem to be the case.
Device management is becoming increasingly vital as the Internet of Things becomes more prevalent. The number of devices attached to home and office networks is going to multiply, resulting in more devices likely to be set up with default passwords. Unless awareness changes rapidly, each Wi-Fi-enabled lamp or kettle in your office network is another weak point in your security.
While cybersecurity for SMBs will only be effectively tackled if every member of the team is actively involved, many employees take their lead from their managers. In other words, unless personal responsibility for security becomes a part of the company culture, the chances of staff taking on day-to-day responsibility for cybersecurity are likely to be slim.
Crowd Research Partners’ 2018 Insider Threat Report revealed that 90% of organisations feel vulnerable to insider attacks and 50% experienced one in the past year. The continued growth of the insider threat makes it clear that this is a potential blind spot for SMEs.
As more than 40% of the international workforce are likely to be mobile within five years, it’s vital that staff have received sufficient training. They must also agree to a bring-your-own-device policy to ensure company data is secure no matter where it is being accessed. While a large number of incidents caused by human error, such as sharing documents over unsecured connections, are accidental and can be addressed through training, there is also a significant risk of a malicious data breach coming from inside the company.
To avoid this type of risk, it is essential that business owners ensure that sensitive data is held in a secure location and that access is restricted to only the most essential users. Access for third parties should be given with caution and removed as soon as their work is complete. Similarly, access granted to former employees should be swiftly revoked.
By taking on this proactive attitude in combination with staff training and strong passwords, businesses will be able to better protect themselves against insider threats.
What is the answer?
Cybercrime has to become something that is combatted as much with people as it is with software. The measures in place can only ever be as strong as the weakest link, which means that 99% protection is not enough. If one person is careless, it could result in an attack that negatively affects everyone involved with your business.
As cybercrime continues to evolve, it’s becoming clear business leaders should focus on educating their employees. By supplying regular training sessions, locking down sensitive data and developing a working culture of personal responsibility, there is a lot that can be done to better protect your company from the human factors behind cybercrime.