Three quarters of SMBs are convinced their business is too small to be of any interest to cyber criminals
New research from Kaspersky Lab[1] reveals that the majority of smaller businesses do not believe they are at risk of a cyber attack, with 59 per cent believing the information they hold isn’t of any interest or value to cyber criminals at all. However, this most certainly isn’t the case. Due to the lack of awareness of these threats, the often overlooked human element and the limited security measures that may be in place, it’s becoming easier for cyber criminals to target small, local businesses.
The upcoming Local Business Week (12th – 18th March) serves to inform smaller businesses of the threats that currently face them and give them tips on how to deal with these. In line with this, David Emm, senior security researcher at Kaspersky Lab, offers practical IT security advice to SMBs, to raise awareness of the current threats to help reduce the chances of becoming a cyber victim and keep their business SAFE:
Stepping stone – Whether it’s a supplier, a partner or a customer, SMBs tend to have links to other, larger companies. With this in mind, cyber criminals increasingly target SMBs to get information which will enable them to access the larger company’s infrastructure. For example, if the SMB in question is a widget supplier to a big name, a cyber criminal can sneak into their system if insecure and steal information which will make it easier for them to gain access to the larger company’s infrastructure, putting both them and their associates at risk.
It’s true that if you hack a bank, you will get more financial gain than if you hack a local post office – but banks are also much harder to hack. If cyber criminals access enough smaller businesses, their gain could be on just as large a scale, or ultimately give them enough collateral to access a big organisation directly.
Awareness – Are SMB employees aware of cyber security? Do they know what to look out for? Phishing / spear phishing and watering-hole attacks are often used to trick staff into giving away confidential information, such as passwords and account details, which could help grant a cyber criminal access to the company’s infrastructure. This could enable the hacker to steal valuable customer and corporate data.
Another aspect of awareness is the ever increasing use of humans as part of the hacking process. Do you allow the contractor who visits your office each week to connect his USB stick to a company computer? Little do you know, this device could be infected with malware, ready to infiltrate the company’s system and steal valuable information. In a world where people are eager to help others, something so small can have an overall damaging effect.
Forecast – Small companies often lack IT support which keep an eye out for potential cyber threats. Larger companies tend to have IT managers, who would keep up to date with relevant security news, making them aware of the potential cyber threats out there. In smaller companies that lack this, it is important for all employees to keep their ear to the ground in terms of recent threats, and to get in third-party vendors and experts to educate their staff so all can keep an eye out for the tell-tale signs etc.
Forward planning is also an issue SMBs need to be aware of – do you have a recovery policy in place if you were to be hacked? How would you get your business back to a positive, secure and reputable place? Make sure all employees know they have a responsibility in terms of the company’s IT security.
Educate –It is vital to make sure all staff are educated on security policies, just as they are on health and safety issues. This is important in all organisations but in particular, for smaller companies. You need to demystify the issues, explain them in an easy to understand manner, use analogies if necessary; create a few simple top tips or do’s and don’ts for staff to follow and place posters including these all over the office. ‘This security strategy isn’t a one-off activity, like painting the office – it will need to be revisited on a regular basis to keep up with the security landscape and keep security issues front of mind. All SMB employees need to be responsible for security, especially with the number of personal devices being used for work.
If you would be interested in speaking with David, or need any further information on any on the above including statistics etc, do not hesitate to get in touch and we will be happy to help.
[1] Kaspersky Lab and Opinion Matters, carried out between 15/11/2013 and 22/11/2013.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.