SMBs: We don't want to spoil all of this article, but have you patched, taken away admin rights, made backups yet?
If yes, wow, you're well ahead of the game
Backgrounder Recent headlines have been full of IT security breaches at major corporations, such as the theft of customer data from British Airways in September 2018. Yet, smaller companies should not believe that they fly beneath the radar of attackers.
The Small Business Cyber Risk Report [PDF] from insurance firm Hiscox found that 47 per cent of small businesses surveyed in the US, UK, and Europe, had suffered at least one cyber attack during the past 12 months.
The most common type of attack was ransomware that can easily arrive via email, such as in a recent attack on the Arran brewery in Scotland. Other common attacks include hackers breaking into systems, or loss or disclosure of sensitive information.
And while hackers may be responsible for some network breaches, 54 per cent of respondents to a 2017 Ponemon Institute survey indicated that employee negligence was the root cause.
Staff at small and medium biz (SMB) are falling victim to phishing, social engineering scams, and cross-site scripting attacks, while the servers supposedly policed by the IT department are succumbing to SQL injection.
And yet, the conventional wisdom among those running SMBs is they are safe. Fifty-one per cent don’t see themselves as targets, according to a Switchfast survey. Hiscox, meanwhile, reckons just 52 per cent have a clearly defined strategy around cyber security.
“The actions of small business employees and leaders reveal little is actually being done to address the lax attitude toward security. Negligent employees are the number one cause of data breaches at small businesses,” Switchfast wrote of those in the US.
So: a growing number of attacks compounded by complacency and common workplace practices. How do SMBs get beyond this?
Overcoming the obvious
Reading the headlines it would be simple to conclude business software is as leaky as a sieve, but hackers are exploiting a relatively small number of vulnerabilities. Fortinet earlier this year found malware writers targeting just 5.7 per cent of known vulnerabilities in software. Translated: it’s within the means of IT teams to apply published fixes to vulnerabilities.
The fact that SMBs are coming under attack, however, suggests their sysadmins are making the basic mistake of not applying available fixes.
Overcoming this problem should be a relatively easy task of remediation that simply means making sure systems are up to date with patches and protected by anti-malware tools. This can be an onerous task for a small business that may have few IT staff, but is an integral part of “good IT hygiene,” Trend Micro principal security strategist Bharat Mistry told The Reg.
“SMBs tend to forget about [patching] it, or they do it on a six-monthly or yearly basis. We’re seeing new security updates and security notices: look at the impact of them and start thinking about putting a regime in place whereby you are reducing the risk and patching the systems,” Mistry said.
Scottish brewery recovers from ransomware attackREAD MORE
Access control is another problem – granting carte-blanche access to all.
“We often see things like everyone in the company being given full admin privileges on their machines, or giving everyone access to all the data in the organisation,” Mistry tells us.
“SMBs may not have that kind of segregated control on a need-to-know basis. On things like the payroll system, you wouldn’t want every Tom, Dick and Harry to have access.”
Limiting user privileges can prevent malware from getting the kind of toehold in systems that would prevent them running, while putting in place access controls can help stop the malware that does manage to make it onto your network from getting access to other key resources. These measures can be onerous, especially for small businesses that do not have a Single Sign-On (SSO) capability, but could save the company from a lot of bother in future.
Whoever is fulfilling the role of the chief IT administrator in the company needs to ensure that admin privileges are restricted to themselves and other sysadmins, with role separation so that each has access only to the resources they are expected to oversee.
When it comes to phishing and social engineering scams, the answer is less technical as educational. This includes routine phishing tests and making staff aware of common ways that fraudsters target businesses through invoice scams, bogus messages claiming to be from the boss or a business partner asking for key documents, or for money to be transferred, and so on.
End point of the line
In today’s mobile environment, laptops, tablets, and smartphones are increasingly on the front line of your company’s network. They also represent a weak link in your defence.
Perhaps the biggest risk is connecting on such devices to free public Wi-Fi. This is a gift to hackers, who’ll try to steal your emails, credit-card information, and security credentials in order to masquerade as you at a later point. This could be done by exploiting vulnerabilities, or sniffing out plain-text traffic. Malware writers will also use public Wi-Fi as a means to deliver rogue code to your device and then to your work’s systems once back a base.
And yet: two thirds of staff and 44 per cent of SMB chiefs connect to public Wi-Fi for work, says Switchfast, while apparently fully knowing the risks. Carlson Wagonlit found public Wi-Fi is recognised by business travellers as one of the top two ways they could lose their employer’s data – loss or theft of laptop is the other.
Users may even unwittingly give the network, and thus anyone on the same Wi-Fi, permission to access data on the device, or even on the corporate network. In Ponemon’s report, 30 per cent of SMBs cited compromised or stolen devices were the cause of security-related incidents.
Larger companies typically try to get around this using mobile device management (MDM). This lets admin staff identify devices users are working with, enforce settings – such as data encryption, password or PIN protection – and remotely wipe data in the event of loss or theft.
But the MDM market is fragmented, with with a plethora of pricing plans. If, like most SMBs, you are short on IT staff and long on jobs, then evaluating and choosing an MDM platform will likely get kicked way down the long list of priorities.
SMBs do have some relatively simple options – for example, Microsoft’s Office 365 productivity suite. Office 365 uses the hosted email server as the point of control for ensuring that devices, such as smartphones, have had a password or PIN set by the user to secure access to them, that data encryption is enabled, and can also be used to wipe work emails and files.
Microsoft’s Office traditionally had a strong presence among businesses of all sizes, and while the as-a-service Office 365 is growing, it has come from a relatively long way behind among SMBs.
Alternatively, cloud-based MDM providers offer a free tier for users with only a limited number of devices.
Using a Virtual Private Network (VPN) can protect and encrypt your internet or corporate traffic over Wi-Fi and other untrusted networks. Again, while they are complex to some and potentially costly, VPN providers do serve SMBs. Better yet, set one up yourself using OpenVPN, Algo, or Outline, for example, if you know what you're doing.
Back me up, Scotty
Finally, SMBs need a fallback. What, if after all this, you still get hacked or held to ransom? Backups are not strictly cyber-security, but it does play a role in terms of protection and recovery.
Ponemon found 51 per cent of SMBs had experienced a ransomware attack within the previous three months. If an attack succeeded, 60 per cent had to pay the ransom, with an average payout of $2,157.
The salient fact, however, was this: of those who did not pay, 67 per cent said this has been because they were able to recover their data from a full backup.
And yet… “Some organisations don’t even have a backup strategy to help them,” Mistry said. Trend subscribes to the view you need three copies of your data: two separate media types, and one offsite copy. “That’s a very simple, basic rule and a lot of people are simply not doing this,” he said.
Conventional wisdom is a dangerous place for SMBs, a place defined by complacency. Hackers and malware writers have changed – shifting their targets – and SMBs must change, too. Overcoming prevailing logic doesn’t demand complex technology answers or radical workplace re-engineering – the answers are available and are relatively simple. They simply require application. ®
Sponsored: Becoming a Pragmatic Security Leader