With the recent news that a Dorset business had been locked out of its computer system by cyber criminals in a bid to blackmail the company for £120,000, it’s a timely reminder that businesses need to be vigilant about their online and IT systems security.
Many small businesses believe they will never be the victim of a cyber-attack, thinking that they don’t have any data worth stealing. The best way to think about it is that cyber security defence should be considered in the same way physical building security is, with effective mechanisms to prevent unwanted visitors from getting in.
Press reports detailing the cost of cyber-crime in 2017 state that the worst-hit businesses spend in excess of £65K recovering from a breach of their I.T. systems. With new rule enforcement as part of GDPR, those figures can only be expected to rise substantially, especially in cases where quantities of confidential personal data have been stolen.
So, what are the hackers looking for? They want access to your sensitive data, including intellectual capital, to cause embarrassment to your business, or simply for bragging rights in the hacker communities. Because small businesses, in particular, may not necessarily have the budget or spend capacity that large corporates have to protect their I.T. systems, they become potentially lucrative targets for hackers.
Paul Marsh, from Dorset/Hampshire based I.T. security consulting business, SecQuest Information Security, sees examples of security lapses or misconfigurations on a daily basis during IT security assessment activities: “Typically, on a standard SME network, we find services configured with insecure settings that often don’t require any form of username or password for access. Password strength is one of the biggest offenders, with people still using options like ‘Password1’, which is like an open door to a hacker. Other areas where we frequently identify weaknesses are ‘home grown’ web applications and mobile applications; both are often written without security being designed and built in on day one. It’s a bit like building a Formula 1 car and then, just before the race, deciding that adding brakes would be beneficial.”
Attackers will also target staff in an attempt to get information out of an unsuspecting employee. A phishing scam can be delivered via a website, online service, phone call or text message, where the hacker poses as a company or brand that looks credible. The repercussions of falling victim to a phish can include financial loss, or internal IT data and credentials being leaked to the scammer, resulting in business systems being compromised. There are limits to what technology can do to completely fix this, but giving staff security awareness training in what a scam looks like is essential, together with informing them of the implications of such an attack on the business.
The team from SecQuest recently followed staff into a building at lunchtime with no questions asked, planted a wireless access point in one of their boardrooms and proceeded to hack into their ordering systems from the comfort of their car park! Would your staff question unknown people in the building?
What are some simple steps that businesses can take to strengthen their security? Paul recommends the following:
- Ensure that I.T. systems are regularly patched and kept up to date
- Passwords should be appropriately complex and should be changed regularly (this includes legacy user accounts that have existed for years)
- Firewalls should be properly configured and only allow access to the bare minimum for the business to operate effectively, following a least-privilege approach
- Review your systems at least once a year to identify gaps and help reduce security exposure
- Consider a professional full security assessment, which identifies technical security risks and recommends remedial actions