While much of the headline news around cyber-attacks focuses on big business, this can be deceptive as 43% of all UK businesses suffered a data breach or attack in the 12 months between April 2017 and April 2018. The result of breaches can be devastating, especially for small businesses who may not have the level of resources to recover, and this is not just a UK issue. In the US, the National Cyber Security Alliance estimates that 60% of small and mid-sized businesses close within six months of being breached.
Small businesses may feel they are too small to be attacked, but regardless of size, companies still hold sensitive information relating to customers and clients, meaning any company could potentially be attractive to criminals.
But, a data breach can occur for reasons other than elaborate targeted attacks. So, what can SMBs do to protect themselves from internal and external threats?
Limit Access
Make sure that you know where all your sensitive data is stored and keep backups. Where possible, these devices should be kept separately from any others that are used by your company, and possibly on a separate network.
The implementation of GDPR legislation, which applies to both EU-based companies and those further afield that hold information on EU residents, has encouraged a more thorough look at what sensitive data is being held by companies and how it is being stored. In these cases, encryption is key to securing your data securely.
Access to sensitive documents or network controls should be restricted to only those who need it. This means keeping a close eye on access privileges, limiting them to the bare essentials and removing them should a staff member leave. The fewer access points, the smaller the chance of a data breach occurring.
Training
You could spend a fortune on the latest software, but you are still only as secure as your weakest link. The Ponemon Institute estimate that 48% of all breaches are caused by malicious or criminal attacks, which mean more than half are non-malicious and could be caused by something as simple as a weak password.
Training your staff on security essentials is vital to preventing a breach, and topics should include the dangers of opening attachments on unfamiliar emails. Avast Business’ Threat Landscape report has identified that spearphising campaigns using AI are far more effective than those made just by people, making the ability of your staff to flag suspicious communications more critical than ever. By teaching employees about phishing and other forms of attack, you can help to raise awareness of how easy it could be for a breach to occur.
Along with training, a clear cyber security policy should be in place outlining personal responsibility, protocol should suspicious activity occur, and processes for handling sensitive documents. This should be updated at regular intervals with enhanced training measures.
Secure your mobile office
The modern office is increasingly not restricted by four walls. Mobile working and access to the cloud have allowed a seismic change to occur, giving employees the opportunity to work from anywhere in the world, and it is a growing trend: 42.5% of the global workforce are expected to by mobile by 2022. While there are many benefits, this new way of working brings its own security issues. A bring your own device (BYOD) policy would allow staff to use their personal devices for work, but requires training on essential cyber security practices (for example, not using unsecured connections) in addition to in-house training.
As well as implementing a mobile working policy with staff, firewalls and virtual private networks (VPNs) are vital to make access to your network as secure as possible.
Secure your office
Make sure that your system uses an effective range of security software. Anti-virus software is vital for detecting threats early and is an essential element of a strong security setup, however it should be viewed as part of a group of defences. A strong firewall and VPN will also be required to secure your data and help to identify potential attacks early.
While your antivirus will update automatically, it is vitally important that all other software on your devices is patched as soon as new updates become available. Keeping all of your software up to date is simple, but it is a very effective way to ensure potential risks are significantly reduced. This is especially important for remote workers or staff operating under a bring your own device (BYOD) policy.
Establish a response strategy
According to the Ponemon Institue’s 2018 Cost of a Data Breach Study, companies that were able to identify a breach within 30 days saved more than $1million compared to those that took longer.
For this reason, a proactive attitude should be adopted regarding data breaches, which means preparing for the worst. No matter how well prepared your defenses are, you could still suffer a breach. A key part of a responsible security strategy is to prepare for this chance by producing a response strategy to minimise the potential impact of a data breach. This should include details of who needs to be alerted to any suspicious activity and a plan of action outlining how to protect your data.
Your IT staff should monitor activity on your network regularly to identify anomalies in the level of data being transferred. Unexpected spikes in data being sent or received can be a clear red flag of suspicious activity.
Holistic strategy
While technology certainly plays an important role, many options have a specific focus. What is required for a reliable security setup is a comprehensive approach that combines detection and monitoring of data, securing devices and ensuring that personnel are confident with their security responsibilities.
It is only by using a combination of strategies that small businesses can be sure that they are doing all they can to minimize risk and flag suspicious activity. Having an effective strategy will not only help to minimize damage if an attack occurs, but also builds customer and client confidence in your brand.
