By Tim Stone, SMB & Distribution Director, EMEA at McAfee, part of Intel Security
If you are reading this article, you are likely to be the owner of a small business or hold a management position at a growing organisation. Although you have a million actions on your to-do list needing urgent attention, the fact that you have started reading an article on the topic of security suggests that this might be an aspect of your company’s operations you are currently in the dark about.
Think you’re safe — think again
Some small business owners — you might be one of them — will take comfort in the belief their operations are too inconsequential to attract attention from international cybercriminals. However, smaller companies have in fact become a preferred target for cybercrime largely because many lack the time, budget and expertise to put comprehensive security defences in place. They are also seen as much easier targets for cybercriminals than large multinational corporations, in part because many small and medium-sized businesses (SMBs) have only a basic notion of their network security risk.
In fact, nearly 62% of data breaches occur at the small business level according to Verizon Communication’s 2013 Data Breach Investigations Report. In many cases, attackers may target a small company as they manufacture something on behalf of a bigger company and can act as a point of entry to get the information they want. In fact, the trend of targeting SMBs is only increasing as is the cost of an attack.
To put this into perspective, according to the Department for Business Innovation & Skills, SMBs account for 99.9% of all private sector businesses in the UK, 59.3% of private sector employment and 48.1% of private sector turnover. It is therefore not surprising SMBs are increasingly falling victim to cybercriminals. The financial impact of these attacks is enormous for both the individual organisation and the wider economy. Statistics revealed by the Ponemon Institute in 2013 stated that UK businesses are suffering damages from cybercrime amounting to $3.2 million per year.
Technology the enabler, complexity the enemy
Today, IT networks at organisations of all shapes and sizes are much more complex than they were just five years ago and have grown organically over time. Frequently, they are made up from a combination of on-premises networks, mobile networks and cloud services.
Unfortunately, in many cases, internal security protection has not kept up with these changes. Think about your own situation: is business data moving onto mobile devices? Are employees using their own tablet computers to access internal business websites? Is financial or personal data being moved onto the cloud? If the answer to any of these questions is yes, then your traditional security controls are unlikely to be enough to keep your network and data safe. Endpoint security solutions are often viewed as a luxury, unnecessary expense by SMBs. Of course, it seems unnecessary until the price of losing customer data is calculated.
The endpoint space is evolving quickly, and business owners need to think about the risks of tomorrow, today. The protection you choose needs to offer scalable security, with better capability around manageability, multiple deployment methods and compliance. It’s necessary for the protection you choose to secure a rising number of devices with a superior protection over endpoint, web and email.
Best practice makes perfect
Cybercrime is a real threat that should not be ignored and as such, the below advice will help you get on track to implement an effective security policy suited to the needs of your organisation:
1. Update software: Make sure both software updates and antivirus programs are current. Malware is constantly evolving to take advantage of vulnerabilities in software, and so are patches and fixes that repair these weaknesses. However, these fixes are useless if updates aren’t applied.
2. Educate employees: Educate your staff to never open unknown attachments in emails or click on unknown links. It may sound basic, but web- and email-based threats are growing very quickly. In 2014, the McAfee Labs team found that 79% of UK businesses failed to detect at least one of seven phishing emails. Similarly, malware is a growing problem with attackers taking advantage of the popularity, features and vulnerabilities of legitimate apps and services. It is often said that technology is only as good as the people that use it -preventing behaviour that puts your systems at risk is key.
3. Effectively deal with remote workers: Small business owners increasingly depend on remote workers and external contractors to help with the workload, but it is important to securely manage them. Knowing how many people are accessing which corporate information, and from where, is critical to ensure your organisation’s security defence.
4. Be careful of social media: Social media can be important marketing channel, but malicious code is increasingly injected into social networking sites, including harmless-looking links, advertisements and game apps. On Twitter, shortened URLs make it impossible to recognise if links are legitimate and retweeting these helps spread infections.
5. Employ stringent password policies: Workers with access to financial or personal data should have separate accounts for sensitive and more general business content. Ask your staff to change passwords regularly, using a mix of alpha and numeric characters that do not resemble words, so that exposure from password theft is time-limited.
6. Limit access to financial data: Minimise the number of people who have access to sensitive financial or personal content — the fewer people who have log-in credentials to this data, the harder for criminals to compromise the data.
7. Be wary of downloaded apps: Be alert when buying and installing applications from online app stores and make sure they come from a reputable source to avoid malware infections.
8. Develop a layered approach to security: This means the integration of multiple forms of technology for maximum protection, including web-, email-, data- and endpoint protection.
9. Protect your network: With employees logging on at various times and places, this is also a huge threat to the network. Protect network access with virtual private networks (VPNs) and firewalls.
10. Speak to an expert you can trust: All-in-one layered security systems are widely available, but if you prefer to deploy separate technology for different areas, consult a security specialist as vulnerabilities can occur if technology is not well integrated. If you don’t feel you have the necessary technical expertise to implement an effective security policy, consider asking a member of staff with an interest in IT to help you with the decision-making process.
There is no doubt your security needs will change as you grow, but taking comprehensive steps before your infrastructure becomes too large to be effectively managed will help you in the long-run. Many security solutions available today are highly scalable, and can adapt to the changes that new technology and evolving security risks can force on your business.
A majority of UK businesses are relying on nothing but luck to protect them from cybercrime threats.
Put measures in place now, so that your luck doesn’t run out.