To Businesses Who Want to be Cyber Safe… but Don’t Know How to Get Started
Small and medium-sized businesses (SMBs) are not exempt from cyber attacks. In fact, close to 60% of all breached organisations fall into this segment. The recent Mandatory Data Breach Notification law also means there are now hefty consequences for neglecting the protection of customer information.
This legislation requires that all eligible data breaches be reported to the affected individuals and the Australian Privacy Commissioner. Failure to report an eligible breach can result in heavy fines levied against sole proprietorships ($420,000) and partnerships and/or companies ($2.1 million). It is therefore essential that SMBs keep abreast of the latest developments and relevant statistics in the cybersecurity sector.
The issue for most businesses, though, is that they don’t know where to start. The field known as ‘cybersecurity’ is large and covers many areas. SMBs in particular often don’t have a designated person to look after this for them, unlike larger organisations, and are left to wade through the many options available themselves or to turn to their dedicated IT person.
So where does a business start? To best answer that question, it is important to know the motives behind these attacks in order to be able to deter them. According to data published in the 2018 Data Breach Investigations Report (DBIR), approximately 76% of breaches are financially motivated, no real surprise there I hear you say.
The 2018 DBIR indicates that phishing is the most popular initial access method used by criminals, with roughly 92% of malware being delivered via email. Phishing is a form of social engineering where cybercriminals use emails to pose as legitimate persons or institutions to deceive others into revealing personal, confidential and financial information.
These emails in the past used to be a lot easier to pick up, often littered with spelling mistakes, poorly replicated logos, non-matching domains from the email sender and the like. This is now not as often the case and the criminals have upped their game. The emails are now a lot more sophisticated, are not as easy to spot and in many cases, now closely resemble the emails sent by legitimate organisations.
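One of the indicators listed above, a sender domain that does not match the organisation being impersonated, is something a mail filter or an awareness trainer can check mechanically. The following is an added example, not code from the original article: it uses only Python’s standard library to flag a display name or Reply-To header whose domain differs from the real sender address, and the two messages are constructed samples with placeholder domains.

```python
import email
from email.utils import parseaddr
import re

# Constructed sample: the display name claims to be the bank's support address,
# while the actual sender and the Reply-To point at unrelated domains.
SAMPLE_PHISH = """From: "Acme Bank Support <support@acmebank.example>" <alerts@acmebank-secure.example>
Reply-To: verify@mail-verify.example
To: owner@smallbiz.example
Subject: Action required: confirm your account

Please confirm your details.
"""

# Constructed sample: a consistent, legitimate-looking message for comparison.
SAMPLE_LEGIT = """From: Acme Bank Support <support@acmebank.example>
To: owner@smallbiz.example
Subject: Your monthly statement

Statement attached.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_mismatch_flags(raw_message):
    """Return a list of human-readable indicators of sender-domain inconsistencies."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    flags = []
    # Indicator 1: the display name embeds an address whose domain differs
    # from the domain the mail was actually sent from.
    for embedded in re.findall(r"[\w.+-]+@[\w.-]+", display_name):
        if _domain(embedded) != from_domain:
            flags.append(f"display-name domain {_domain(embedded)} != sender domain {from_domain}")
    # Indicator 2: replies would be routed to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append(f"reply-to domain {_domain(reply_addr)} != sender domain {from_domain}")
    return flags
```

Running `sender_mismatch_flags(SAMPLE_PHISH)` yields two indicators, while the legitimate sample yields none; these are lookalike-domain heuristics for triage, not a substitute for SPF/DKIM checks at the mail gateway.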
Now here’s the key takeaway from all of this. The Ponemon Institute’s 2017 report indicates that 54% of data breaches were due to negligent employees. The recommendation is therefore that SMBs invest in training their personnel to detect and avoid phishing emails, and also run frequent controlled phishing campaigns to verify that the training is being applied.
Ransomware is the top category of malicious software, appearing in approximately 40% of malware-based attacks. This form of malware is popular because it is easily deployed through phishing emails, web-based instant messaging apps, drive-by downloads and malware-laden advertisements. Ransomware is also an effective means of illegally obtaining large sums of money with a low risk of prosecution and imprisonment.
According to the Ponemon Institute’s 2017 report, close to 60% of small businesses report that cyber attacks are becoming more complex and destructive. Cybercriminals have become savvier, using techniques that circumvent standard security measures. In 2017 a staggering 77% of these attacks used fileless techniques, which abuse vulnerabilities in software already present on the system (such as browser add-ons) rather than writing a malicious file to disk. These fileless attacks are ten times more likely to succeed, because anti-malware software that only scans files will not detect them.
Your IT person or department can look after the software and hardware, e.g. firewalls, antivirus, routers and so on, but as you can see here, the ‘human firewall’ is most often your last line of defence. So make that part as bulletproof as possible. And finally, the answer to the earlier question is to train everybody within the organisation. Awareness training, phishing simulations and generally keeping this critical issue front of mind are key.