BreachExchange mailing list archives

How SMBs can avoid being the victim of a cyber attack


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 4 Feb 2016 19:01:52 -0700

http://www.computing.co.uk/ctg/opinion/2445104/how-smbs-can-avoid-being-the-victim-of-a-cyber-attack
We are all used to the headlines where large organisations, such as banks,
fall victim to cyber-attacks in which customers' personal information is
compromised and the cost to the organisation is substantial.

Less well publicised are attacks on smaller organisations. The lack of
noise is surprising when you consider that 74 per cent of small businesses
have suffered a cyber security breach, according to the
PricewaterhouseCoopers 2015 Information Security Breaches Survey (up 60 per
cent year-on-year), with four as the median number of breaches suffered by
SMBs and an average cost of between £75k and £311k. Of those affected, 38
per cent suffered from viruses or malicious software while a further 16 per
cent were hit by a denial of service attack.

While SMBs do not have vast resources to plough into cyber security,
ensuring that they remain vigilant to an attack and improve their
resilience should be a top priority. So where should you start?

An SMB's employees should be at the centre of any cyber resilience
strategy, not least because around 80-90 per cent of all incidents start
with either a phishing and/or social engineering attack, i.e. someone
opening a link or attachment contained in an email or unwittingly giving up
a piece of sensitive information. This vulnerability can be limited through
less expensive, more cost effective education and learning awareness
programmes aimed at employees, so long as they are not implemented as a
‘tick-box exercise’ in terms of compliance. Make sure that awareness
programmes are fun, engaging and relevant to the audience.

Education should also not just be focused on employees in operational,
front line roles, but should begin at the top of the business in order to
set the tone that cyber resilience is something that is taken seriously and
supported so that initiatives can be successfully driven down. This
approach allows management at the top to identify what the key weaknesses
are in order to mitigate against staff actions that are likely to expose
them and develop the correct training materials.

It is also important for SMBs to remember that our adversaries will always
adapt and find new ways to breach security defences. It is therefore vital
to maintain vigilance against attacks which will mean educating staff on
new practices and ensuring refresher training is scheduled in regularly.
Building cyber security training into induction packs for new starters can
be a good starting point, but it must be backed up with regular, ongoing
awareness on good cyber behaviours.

SMBs that collect customer data are at particular risk of attack. If that
data is lost or stolen, you can be fined. In a worst case scenario, a
company can be fined £0.5m, which is more than sufficient to put many small
companies out of business or damage their reputation irrevocably - again,
potentially jeopardising the business altogether. In addition, if your
company is expanding - and will contain bigger and more lucrative companies
in the supply chain - it becomes imperative to invest in cyber resilience
as a "business as usual" activity. Smaller companies are often attacked
because they offer an easy way into their much bigger and more lucrative
suppliers and clients.

Finally, if you are considering cyber risk insurance, recognise that it's
very difficult to price and may not cover you for all eventualities.
Equally, having cyber insurance doesn't mean that you can forget the risks
and carry on as normal.

In summary, there remains a dangerous myth that small businesses are immune
to cyber-attacks. It does not always need large amounts of investment to
effectively protect against an attack - employee education and awareness
training will usually be more cost effective and useful than implementing
costly systems that can be brought down by the actions of an uninformed
employee. If your business is online - and regardless of whether your
company is big or small - you're a target for cyber attackers. Choosing
whether or not to spend money on cyber resilience is no longer a choice.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss