Security expert Emma Philpott has said: “There’s a lot of great talk, but most SMEs do nothing about cyber security. It’s shocking.”
The cyber security threat is very, very real to SMEs. In fact, despite the tales of large corporations being victims of cyber-attacks, it appears it’s predominantly small and medium-sized businesses that are being targeted. In 2015 a government report found that 74% of small businesses reported a breach in security.
Small businesses are often guilty of falling into the trap of feeling that they aren’t likely to be targeted due to their size and that hackers or cyber criminals couldn’t possibly be interested in what they do – but in reality, it’s the opposite that is true.
“Hackers prey on the knowledge that small businesses tend to have lower defences than larger organisations, usually due to lack of financial and human resources. By their very nature, thriving small businesses are innovative and niche, which again is very attractive to the bad guys who may be interested in customer data and intellectual property and know exactly how to pick out the weak targets,” says Sarah Green from Training 2000.
With regard to the financial cost of cyber-attacks, it takes on average 2.3 days for a business to recover from a cyber-attack. That doesn’t sound like an excessive amount of time, but when you drill down to the monetary value of a standard business day, and the fact that you would be unable to recover it, it suddenly begins to seem like a lot.
In reality, it only takes one person being unaware of their movements and actions in the digital realm to make a business vulnerable to cyber criminals. If you rely on digital technology, then regular security awareness training should be high on your list of priorities because, as previously mentioned, you are not as safe as you think you are. Security training is there to educate all employees, from intern level to board members, on all of the ways that hackers are able to gain access to business and client data. It enables them to identify any risk, understand the courses of attack and know how to prevent and limit any damage that could take place. It’s important to understand that security awareness training should not exclude anyone in the business. Those in managerial and executive positions are more likely to be targeted due to their level of access, and they may find themselves victims of persistent threats; they are also in a position to champion security and keep it alive.
Implementing sufficient anti-virus software and appropriate firewalls, and regularly backing up your system, goes a long way towards protecting the business.
Unfortunately, new attacks are created each year and existing malware and viruses evolve. Creating an environment that is ‘security aware’ could reduce your chance of being attacked. One of the most prevalent forms of cybercrime against a business and its assets is ‘social engineering’. This is where the cybercriminal manipulates an individual into handing over a username and password or banking information, or into giving access to a computer from which those details can be obtained. This is actually a much easier way for criminals to obtain your information, which is why security awareness is so important; knowing who to trust, and when, could be a potential lifeline for a business. Therefore teaching yourself and your staff ways and means of deciding whether to trust a phone call, website, download or email is critical.
Creating and running an ongoing security campaign can serve to empower teams to recognise anything suspicious and report it as it occurs, reducing any potential damage. Phishing emails are commonly used by hackers to trick users into parting with personal or security information, or as a route to infect a device. Having the ability to identify these emails means that other employees in the business can be warned about the threat and the source can be blocked.
As the trend of remote working and flexible offices increases, the level of security awareness needs to increase too. It is likely that every employee is using a device that contains sensitive data, and outside of the traditional office environment the threat of theft is apparent in both physical and digital forms. Stolen devices are a concern, but so is the use of public WiFi networks, where even an amateur hacker could navigate his way around various devices; hence the need for protection on mobile devices.
However, I must stress again that this isn’t a one-off event. A security policy should be an integral part of your business, covering both security events and day-to-day processes such as file sharing and sending client information. To avoid potential new threats, training should be continued.
In conclusion, avoiding cyber-attacks and hackers’ methods is possible if a high level of education is maintained in any business, regardless of size and manpower. Negligent employees are one of the leading causes of security breaches, so doing your utmost to ensure that a culture of security awareness is implemented and maintained will enable a business to avoid costly and crippling events.