The recent hacking scandals at Sony, CENTCOM and eBay show that even the biggest companies, which invest millions in security, are susceptible to savvy attackers. It is not just companies that cybercriminals come after: ‘the Snappening’ saw celebrities turn crimson-faced after intimate snaps were leaked for all to see. Small businesses often assume they will not be a desirable target, but is that a risk worth taking?
Many small businesses work with larger companies and can therefore serve as a gateway for attacks on those larger firms. SMEs are also at greater risk from cybercriminals because their security budgets are generally much lower, which leaves their valuable IP, trusted customer information and any patented innovations more exposed. As cybercriminals become ever more sophisticated, small businesses need to understand the kinds of breach their company could suffer, or risk losing everything in the event of a hack. How can you prevent attacks and protect your business from digital thieves?
The first thing businesses of any size need to accept is that hacking is a real threat. High-profile attacks in the past year have put many businesses on red alert, and as more is learnt about how major hacks unfold, the security advice and protection available to businesses improves. Keeping security current, in proportion to the sensitivity of your IP and content, is crucial, particularly for businesses handling customer data and confidential information. Under the Data Protection Act, customer data must be kept safe and secure, and in the case of a hack “if you have no security options in place at all, you are liable,” warns David Cook, data security solicitor at Slater & Gordon.
Security should be a top priority, and every employee in the company should be briefed on security risks and on the plan to follow if a breach occurs. Staff can be the weak link in a company’s security and may be targeted individually by attackers. Employees should learn how to spot malicious scam emails, protect any devices they bring from home and use strong passwords.
One of the easiest routes for a cybercriminal into your system or device is simply guessing your password. That guess can be as simple as ‘123’, literally, as research from SplashData, an online security firm, has shown. Its list of the worst passwords was topped by ’123456’, with ‘password’ a close second. Businesses need to make staff aware of their online presence and ensure that passwords used for work devices and email are different from personal ones and cannot be guessed from information posted on social networks. Baby names and favourite colours are also a no-no.
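The advice above is easy to enforce at the point where a password is set. The following is an added example, not code from the article or from SplashData: a password check that rejects entries on a short, constructed "worst passwords" list (including disguised forms such as Password1! or P@ssw0rd), entries that contain personal terms an attacker could harvest from a social profile (the baby name, the favourite colour), and short or repetitive strings. The deny list and the personal terms are assumed sample data; a real deployment would load a full breached-password corpus.

```python
import re

# Constructed excerpt of a "worst passwords" style deny list (sample data,
# not SplashData's list); load a full breached-password corpus in production.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "1234", "baseball", "dragon", "football", "1234567", "monkey",
    "letmein", "abc123", "111111", "mustang", "access", "shadow",
    "master", "michael", "superman", "696969", "123123", "batman",
}

# Common "leet" substitutions, undone so that P@ssw0rd is caught as password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Characters people bolt onto the end of a weak password to satisfy a policy.
TRAILING = "0123456789!?.#"


def variants(password):
    """Forms of the password compared against the deny list and personal terms."""
    base = password.lower()
    stripped = base.rstrip(TRAILING)            # "Password1!" -> "password"
    forms = {base, stripped, base.translate(LEET), stripped.translate(LEET)}
    forms.discard("")                           # all-digit input strips to nothing
    return forms


def check_password(password, personal_terms=(), min_length=12):
    """Return the reasons a password is rejected; an empty list means it passes.

    personal_terms: words an attacker could harvest from the user's public
    profile (names, pets, favourite colour); a hypothetical input, supplied
    by the caller.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    forms = variants(password)
    if forms & COMMON_PASSWORDS:
        reasons.append("matches a common password")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and any(t in f for f in forms):
            reasons.append(f"contains personal term {term!r}")
    if re.search(r"(.)\1{3,}", password.lower()):
        reasons.append("repeats one character four or more times")
    return reasons


if __name__ == "__main__":
    # Constructed profile for the demonstration.
    profile_terms = ["Emma", "blue", "Rex"]
    for candidate in ("123456", "P@ssw0rd1!", "Emma-loves-blue-2014",
                      "correct horse battery staple"):
        verdict = check_password(candidate, profile_terms)
        print(f"{candidate!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

The check deliberately compares several normalised forms of the password rather than the literal string, because the common way to "fix" a rejected password is to capitalise it, swap a letter for a digit, or append a year or an exclamation mark; none of those changes slows a guessing attack that already tries them.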
Just as we love tweeting and instagramming about last night’s dinner, hackers are also getting in on the social media act. Attackers frequently mine social media, collecting data about an individual by analysing their behaviour over a period of time in order to breach their network unobtrusively. “For example, a hacker may collect data from social media profiles about the extra-curricular interests of an employee and then create a bespoke email from an authentic-appearing address with content that encourages the victim to click certain links when asked,” says Dr Laura Toogood, managing director of private clients at Digitalis Reputation. Cybercriminals are becoming increasingly cunning and, through social engineering, can tailor hoax emails, known as spear phishing, that the target will find attractive. This occurred following the London Marathon, when attackers sent emails to employees congratulating them on their time and offering a free pair of trainers if they clicked a link. Once the link was clicked, the attackers gained access to the organisation’s internal systems. “The email was so believable that there was a hit rate of over 50%,” says Toogood.
The rise of home-working and flexible working has also opened holes in companies’ defences. Any device used for work from an employee’s home should carry up-to-date security protection and a strong password in case it is stolen. Devices used for work outside the office should connect only to trusted networks, i.e. the staff member’s home network, not the local coffee shop’s open Wi-Fi. Attacks are often staged by criminals lying in wait on open networks; once they have access to a person’s email they can see when an invoice or payment is due and send a convincing fake email that prompts that person’s customer to pay without hesitation. The money is then diverted to third-party bank accounts, and the customer’s information is shared across criminal networks. “Reclaiming money and losses from these often exotic bank accounts from places such as India, China and North Korea can be hard to recover when the emails appear to have been sent by you – it’s hard to prove it wasn’t,” warns Cook. This means that educating staff about the dangers of insecure public networks, and about querying suspicious emails, is vital.
A typical security breach goes unnoticed for an average of eight months, with companies oblivious to the intruders in their infrastructure. Businesses are advised to install a Security Information and Event Management (SIEM) service, a big brother of sorts to watch over their infrastructure. “SIEM is effectively a CCTV on your network. Rather than you having to wait eight months to find out you have had a breach it actually tells you in real time that somebody is gaining access to your network that shouldn’t be there,” advises Daljit Paul, head of services at Network First. He also advises that businesses commission ethical hackers to carry out a vulnerability assessment of the company’s security. Much as the UK and US have run joint exercises in which each side probes the other’s cyber defences to find weaknesses before real attackers do, a vulnerability assessment gives ethical hackers the chance to test a company’s security and point out its flaws.
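What a SIEM actually does behind the "CCTV" metaphor is apply correlation rules to a stream of log events as they arrive. The block below is an added illustration, not code from the article or from Network First: it parses constructed sshd-style authentication log lines (sample data, using documentation IP ranges) and runs two of the rules a SIEM would typically ship with: a burst of failed logins from one source within a short window (password guessing), and a successful login from a source that had recently been failing (the guess that worked, which is exactly the "somebody gaining access who shouldn't be there" event the text describes). The thresholds, window sizes and host names are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style log lines for the demonstration (not from any real
# system); 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
Jan 14 09:12:01 fileserver sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Jan 14 09:12:04 fileserver sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51124 ssh2
Jan 14 09:12:07 fileserver sshd[2215]: Failed password for root from 203.0.113.45 port 51126 ssh2
Jan 14 09:12:09 fileserver sshd[2217]: Failed password for root from 203.0.113.45 port 51128 ssh2
Jan 14 09:12:12 fileserver sshd[2219]: Failed password for alice from 203.0.113.45 port 51130 ssh2
Jan 14 09:12:15 fileserver sshd[2221]: Accepted password for alice from 203.0.113.45 port 51132 ssh2
Jan 14 09:15:40 fileserver sshd[2301]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Jan 14 09:15:58 fileserver sshd[2303]: Accepted password for bob from 198.51.100.7 port 40024 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2015):
    """Turn one syslog line into an event dict, or None if it is not a login event.

    Syslog lines carry no year, so the caller supplies one (assumed here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


class LoginDetector:
    """Stateful correlation rules, fed one event at a time as a SIEM would."""

    def __init__(self, fail_threshold=5, fail_window_s=60,
                 lookback_s=600, success_min_failures=3):
        self.fail_threshold = fail_threshold
        self.fail_window_s = fail_window_s
        self.lookback_s = lookback_s
        self.success_min_failures = success_min_failures
        self.failures = defaultdict(deque)  # source ip -> timestamps of failures

    def feed(self, ev):
        """Process one event and return any alerts it triggers (usually none)."""
        alerts = []
        ip, ts = ev["ip"], ev["ts"]
        q = self.failures[ip]
        # Forget failures older than the lookback so state stays bounded.
        while q and (ts - q[0]).total_seconds() > self.lookback_s:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ts)
            recent = sum(1 for t in q if (ts - t).total_seconds() <= self.fail_window_s)
            # Fires when the count first reaches the threshold; a continuing
            # attack re-fires only after older failures age out of the window.
            if recent == self.fail_threshold:
                alerts.append(f"{ts:%H:%M:%S} brute force: {recent} failed logins "
                              f"from {ip} within {self.fail_window_s}s")
        elif len(q) >= self.success_min_failures:
            alerts.append(f"{ts:%H:%M:%S} success after {len(q)} failures: "
                          f"{ev['user']} logged in from {ip}")
        return alerts


def run_detector(log_text, **kwargs):
    """Stream every line of a log through the detector; return all alerts in order."""
    det = LoginDetector(**kwargs)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            alerts.extend(det.feed(ev))
    return alerts


if __name__ == "__main__":
    for alert in run_detector(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector raises a brute-force alert on the fifth failure from 203.0.113.45 at 09:12:12 and, three seconds later, flags the accepted login for alice from the same address; bob's single typo followed by a successful login from 198.51.100.7 produces nothing. The second rule is the more valuable of the two: a guessing attack that eventually succeeds goes quiet afterwards, so a SIEM that only counts failures would stop alerting at precisely the moment the intruder gets in.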