We often hear about big data breaches on a global scale, but when thinking about small and medium-sized businesses, what cybercrime threats are they facing?
The most common threats are targeted attacks. These include spear-phishing emails, exploitation of unpatched systems or software, and crypto-ransomware attacks. However, part of the challenge with small and medium-sized businesses is awareness.
Specifically, business owners need to be aware of spear-phishing: an email spoofing fraud attempt that targets a specific organisation. It is one of the most lethal ways that a hacker can compromise a small business, or any business for that matter. A Symantec report, the ‘Internet Security Threat Report’, found that mid-sized businesses in Australia were the most targeted, especially in the agriculture, mining, financial services and public administration industries.
In addition to spear-phishing, another common incursion method is to exploit unpatched systems and software. Unpatched systems provide a popular means for hackers to penetrate businesses’ networks and then potentially expose sensitive customer information. Concerningly for small businesses, size doesn’t preclude them from being a target for attack. Symantec research has shown that hackers will often use small businesses as a stepping stone into much larger enterprises, as smaller businesses have fewer employees and are generally less secure and less aware of the threats. The outcomes of an attack, particularly the exposure of vendor and customer information, can have serious impacts on a business’s reputation.
There’s also crypto-ransomware. Alarmingly, in 2014, Australia was the number one targeted country for ransomware attacks in Asia Pacific, with over 90,000 ransomware attacks. These attacks are a type of digital extortion that encrypts data and demands a ransom in return. Not only does this put huge strain on small businesses’ operations, but it also increases the risk of data and file loss. The ransom instructions usually include the purchase of non-traceable currency like Bitcoin or MoneyPak and, in many cases, payment of the ransom does not result in the return of data.
- How business owners can determine their vulnerability to cybercrime threats.
Firstly, business owners need to recognise that it isn’t just the large organisations that are targeted. In most cases, large organisations have dedicated resources for cybersecurity, making them much harder and more complicated targets. But in determining vulnerability, small businesses should assess the security measures they already have in place. For example, by conducting an audit, business owners can determine what information they host, what points of weakness exist and where they need to invest more security support. Items on this security checklist should include employee device use behaviour, information storage locations and online payment practices. Once aware of current security practices, business owners should then develop a plan with a security consultant or vendor to fortify their security and better protect their business, their staff and their customers.
- What businesses should look for when protecting themselves.
Businesses should take note of the below:
- Multi-layered security: Today’s advanced threats call for multi-layered protection that goes beyond just basic anti-virus.
- Keep it updated: Small business owners should take the time to update operating systems on an ongoing basis. This will protect against recently discovered vulnerabilities, as well as unexpected attacks. Businesses should also keep an eye on who has access to sensitive data and update authorisations to reflect staffing changes.
- Embrace mobility: Mobile devices are becoming a cornerstone of the enterprise, and securing mobile devices such as tablets and smartphones to protect corporate data should be a priority. Consider limiting unnecessary mobile access to customer information and keep an eye on who has permission to access data.
- Train your staff: Many owners underestimate the damage a single, untrained employee can do to a business. So, business owners should clearly define expectations for how employees will handle customer data, from requiring password use to maintaining up-to-date security software on all devices. Additionally, train employees to recognise phishing schemes and understand the dangers of downloading software and apps from unknown sources.
- Talk to third-party vendors: Business owners should ask about how vendors are protecting their information and look for ways to limit unnecessary vendor access to sensitive information. Norton Small Business is specifically designed to make it easy for business owners to provide quality protection to a contractor or vendor while they work on a project and then revoke that protection when the job is done.
- The biggest mistakes small and medium-sized businesses make in this area, and how they can avoid them.
It’s generally around awareness. They may not think about the implications of hosting sensitive customer data when they purchase a product or service online, or when they create profiles online to use a website. Similarly, they often have to cut certain items from their business plan due to restrictive budgets, and sometimes the owner may let cybersecurity fall by the wayside. Protecting your business from data breaches is not free, but falling victim to an attack is far more expensive than proactive protection.
Also, while the right security can offer a high degree of protection, one mistake many businesses make is choosing a security software package or hardware device without first performing a gap analysis to identify the threats they need to mitigate. A thorough analysis can help businesses get the protection they need along with the best return on their cybersecurity investment.
About the Author:
Written by Mark Shaw, Security Expert, Norton by Symantec
For more information on Symantec please visit: www.symantec.com.au