Cyber Security and Small Business
With big ticket firms / household names endlessly getting hacked, it's easy to see why small to mid-sized businesses might feel like they're not in the sights of the bad guys. They're sadly mistaken.
That’s because the lower a company’s profile, the less it tends to feel like a ‘worthy’ target for an attacker. The reality is very different.
While we all read about large firms X, Y and Z being in the news for data loss, ransomware and so on, what we need to remember is that they often have larger budgets and expansive security programs in place. Many do, not all. They’re often seen as trophy targets for attack groups, rather than something financially lucrative to ‘classic’ criminals. Or, they have information or secrets that an adversary more determined than a common thief would like to lay their hands on.
If you’re a smaller business, an attacker assumes you have limited or no capability to defend yourself from threats, and so you become what some might consider ‘low hanging fruit’. You have cash in the bank though, and that’s what these people want. It’s a mixed picture, and attackers have different motivations and intent, but one thing that unites them is a common approach.
It’s often reported that upwards of 90% of business compromise (read data loss, identity theft, ransomware) is a direct result of email phishing.
Petty thieves are opportunistic, and that’s no different in cyber. They’ll try every door handle until they hear that successful click as the door opens.
With a locked door, more determined thieves will try a little or a lot harder, because they’re after something more than your cash lying about or that TV. They want your real valuables.
OK, enough of the metaphors. On to the points…
In the cyber community, a successful incident is now considered a when and not an if. On that basis, it pays to work out what your risk profile looks like, and what your appetite for that risk is. This isn’t a sales theory, it’s a reality. If anyone operates email (and let’s face it, pretty much everyone does), then they’re opening up what we call an ‘attack surface’ that can be compromised by the aforementioned bad guys.
And in all honesty, the bad guys don’t care. If you have a website, you’re likely operating business email. If you are doing either or both, you’re a potential target.
With email being the biggest risk factor, you’ll want to know what you can do about that. It isn’t the only risk factor, but it’s a big one that can be fixed with relative ease. Let’s take a quick look at why email is problematic…
Phishing. I mentioned it above, but here’s a summary. An attacker sends you an email that looks OK at first glance. The first glance is the most meaningful, for all the right and possibly wrong reasons.
Let’s say that the email is from the bad guys and contains a malicious file attachment, or a link to a similarly malicious website. You click away and, as a direct consequence, your computer and those of everyone else on your network suddenly don’t work. Your confidential and sometimes sensitive business data suddenly becomes scrambled (encrypted) and can’t be retrieved, and the bad guys begin to demand money from you to make it all OK again. This is the essence of what we call ransomware. It’s a devastating event, and there are firms out there with large-scale security budgets that felt this pain many years ago and still haven’t quite recovered, either financially or in terms of brand reputation.
It sounds terrible. Well, it could be. What can we do to limit the risk?
The basics. These are often overlooked in favour of big-ticket security solutions that appear to fix all of your problems, rarely live up to that promise, and come at a high cost of ownership.
Email security. We’ve talked a lot about that in this blog, but there are some really simple things you can do to make a huge difference to your posture. Here are some examples.
Use strong passwords that aren’t used for anything else
Insist through policy that staff do not use their work email for non-work services
Apply multi-factor authentication to user accounts (super important, because if an attacker does get hold of your username and password, that information on its own is pretty useless to them)
Network security. Where possible and affordable, use a firewall to control the data that comes into and out of your firm. It’s hugely valuable, as it provides both protection and also a lot of monitoring and alerting to weird things happening that shouldn’t be.
Device protection. Keep all of your computer ‘things’ up to date with patches and updates, and importantly with anti-virus tools, as they can be the difference between an idle ‘click’ in an email and a really bad day.
Threat intelligence. Sure, you can buy that, but there’s also a whole lot of free information out there about your company. Sign up to https://HaveIBeenPwned.com and learn what the attackers know about you before they start using it.
Awareness. It might seem odd, but it’s all about people. All the tech in the world was developed and is maintained by good old fashioned humans. Equip us properly with the right knowledge and understanding of everything covered in this blog, and you have as good a chance of staying safe as any technical control you can buy.
The basics. Do them well and you’re not in a bad place.