Computer security is a big concern for any business owner largely due to the amount of sensitive data that tends to be stored within the typical business computer network.
According to a recent survey carried out by Right Scale around 93% of businesses are now using the cloud for some part of their data storage. This fact highlights why security is so important to keep under control.
Even for companies that don’t operate any services in the cloud IT security should still be considered extremely important. The truth is that whether your business is using the cloud or not, your computer systems are just as much at risk from cyber threats because the mere fact that a computer is connected to the Internet means it is technically part of “The Cloud” and thus a potential target for would-be attackers.
This is one of the biggest misconceptions when it comes to IT security. Just because a business is small does not mean that it would not interest a hacker and it certainly doesn’t mean it will stay under the radar of a hacker. In fact, hackers are far more likely to target a small business for several reasons:
1.Small businesses tend to operate without any full-time IT staff which means their systems are almost always less secure than larger enterprises.
2.Small businesses tend to have far more relaxed security policies – for example, employees are often allowed unrestricted access to the internet, external USB drives are not screened before use and staff are often allowed unregulated remote access to the system.
3.In a small business, it is much easier to find out about and get in touch with, influential employees within the company who can then become the target of a hackers social engineering tactics.
Considering these points, it should come as no surprise that in a recent government survey 74% of small and medium-sized businesses confirmed they had suffered from some form of security breach.
Before you can begin to prevent security breaches within a small business, it is important to understand the mindset of these hackers.
1.By far the most common method of hacking into a small business is by email. Hackers often mimic commonly used suppliers such as courier companies to trick the recipient into opening the enclosed attachment which contains the payload or virus.
2.The second most common type of attack is delivered via compromised websites. Hackers will install malicious code on a website so that every visitor becomes infected by the virus.
3.The third most common attack, the one that often takes small business owners by complete surprise, is something that has become known in IT security circles as whaling. Whaling takes its origins from social engineering and is the practice of gathering detailed information about employees of a company and then using that information to directly target other employees, tricking them into giving away sensitive information.
For example, a hacker might find out the details of the finance director and the CEO of a small business. Using that information, the hacker will compose an email purporting to be from the CEO to the finance director. The hackers will employ various tactics to make the email appear to be legitimate and ultimately try to trick the target into releasing funds or other sensitive information.
The key point to understand in these attacks is that they are personal – hackers will go after small businesses intentionally, knowing their security systems are weaker. In addition, hackers will use advanced tactics such as psychological manipulation in order to achieve their goal.
Thankfully there are plenty of cost-effective ways for a small business to harden their defenses against these types of attacks.
The first and most important method of defense is education – before you can defend against these threats you need to appreciate the lengths that attackers will take to extort companies of all sizes and especially small businesses. Once you understand the threat it is just as crucial to train all your staff members about the types of threats that are out there as well as how to avoid becoming a victim of those threats. This could include training on how to spot fraudulent emails as well as training on how to manually scan email attachments before opening them.
Antivirus protection is extremely important in the prevention of these types of attacks. Not only is it necessary to ensure that every machine within your organisation has antivirus installed on it, but it is just as important to ensure that all those devices are kept up to date as well as being centrally monitored – otherwise the end user could easily ignore the antivirus warning thinking that it is a false positive only for that threat to go unnoticed and unchecked. Also, consider a virus scanner at the network level that will stop viruses before they even get to the computer.
Another crucial part of network security that often gets overlooked is system maintenance – this involves the installation of windows updates as well as the updating of other third party software installed on network computers. Having out of date software on any system can give hackers a weak point from which they can enter and then compromise the entire computer network.
There are many zero-day threats out there that will not always be detected by the antivirus providers – simply because they are brand new and have not yet been seen by the AV companies let alone protected against. Advanced web protection technologies can help to protect small business networks from these types of threats. Consider blocking entire countries that are known for active hacking if you do not do business with those countries.
No matter how good your antivirus protection is, there will always be a chance that something could slip through the net and that is why restricted access is so important – the more tightly controlled you keep system access, the lower the chance of any threats being able to compromise the system. This includes simple things like preventing access to websites that are not related to the core tasks and functions of the business (Such as shopping sites for example) and more complex restrictions such as preventing the use of external USB drives and restricting network share access to only the files that each employee specifically needs access to.
These measures not only to prevent hackers and viruses from getting in but even in the rare cases when they do get in, prevents them from doing as much damage to the system.
The last form of defense, but by no means less important than any other is having a solid backup procedure in place. Even the most secure networks can sometimes become compromised by hackers – you only have to remember some of the most well publicized, and successful, hacks on companies like PayPal and Sony to appreciate that point.
Having a tried and tested backup procedure in place means that even if your system does become compromised it is always possible to remove the threat and then restore any compromised files to the point before the virus took hold of the system.
As a small business, you are just as susceptible, if not more so, to all types of digital threats. These threats are very real and they are very sophisticated. Hackers are not 15-year-old kids sitting in their bedroom with too much time on their hands, they are more often members of international crime agencies.
If you train your employees to understand the mentality of hackers and implement security policies outlined in this article, then you can keep your business safe from these threats.
Marc Moyer – Chief Security Evangelist – Cyberguard