Although cybercrime is here to stay and growing ever more sophisticated, there is plenty SMEs can do to protect themselves, says Tim Downs, Director of Bitwise-IT
Cybercrime has been with us since the dawn of the internet. If a system can be exploited, someone will eventually figure a way to do it. Today, cybercrime is a trillion-dollar industry, with its latest boom kicking off with the first Covid lockdowns. While most workers were left wondering how to spend their time when furloughed, hackers knew exactly what they would be doing. They discovered that any business with a cashflow was a viable target, and SMEs were particularly vulnerable due to most not having the IT expertise or were using outdated IT systems and protections.
With the latest government survey reporting that 39% of UK businesses suffered a cyber attack within the last 12 months, the sheer scale of the threat becomes evident. In short, there is one in three chance any UK business will be attacked within the next 12 months.
What can be done about it?
SMEs need to understand their IT landscape to ensure their data and systems are protected. This involves looking at the business from a logical perspective and asking general questions such as where does my data and systems reside? And how can they be accessed? This will start to give an indication of the scope of what needs to be secured.
Operationally, communication with outside entities is required for the business to successfully run. This is most commonly in the form of email and the receiving and sending of files and data. Hackers understand this and will often target the easiest option, which is to trick staff into clicking a link in a seemingly genuine email leading to a malicious site. Otherwise known as phishing. Phishing attack types will vary from attempting to compromise the staff PC or Mac by the using the website they arrive on to exploit an unpatched machine, to more simply asking the user to fill in user account details, and even an MFA code on the web page. If successfully executed by the attacker these can mean financial loss to the business via (usually) a ransomware or BEC (Business Email Compromise) attack.
Clearly then, regular cybersecurity training should be delivered to all staff members along with employing best in- class email filtering solutions to start reducing the risk of a successful phish.
Of course, there are many other types of attack and one alluded to above was a weakness in unpatched machines. Very recently a new zero-day vulnerability was found in Microsoft’s Exchange (email) servers. This allowed hackers a way into the network of companies running their own Microsoft email server. The fix here of course was to patch the server immediately to remove the risk.
Exploiting vulnerabilities in unpatched machines is not new and has led to many (usually ransomware) attacks, causing millions in financial loss for the businesses involved. Employing an ongoing assessment and patching program is therefore key to reducing the chance of this kind of attack. In fact, critical security updates should be tested and applied same day wherever possible.
Password weakness is another thing to watch out for. Too many people use the same password across all accounts, including their social media and personal accounts. Often these are reasonably simple and contain information like the name of a pet, or date of birth of them or a loved one. All of which if public on social sites can lead to a breach in business systems – especially if MFA is not enabled on the compromised account.
SMEs should enforce a password policy to make passwords reasonably complex and provide and train staff on the use of a password management tool, to handle remembering these passwords. MFA should be enforced on all accounts which support it.
My systems are secure. Could my SME still be the victim of a cyber attack?
Unfortunately, yes. No fortress is impenetrable and the same goes for IT systems. Best practices and security can be in place, yet systems can still fall victim to an attack. With cyber criminals now operating in gangs, attacks are becoming increasingly more advanced and effective.
For SMEs, setting up a full-time SOC (Security Operations Centre) is not a cost effective or viable option, so many outsource to IT providers who can deliver this service. Some IT providers specialise in cybersecurity, and these professionals provide human expertise and protection above what any software and automations alone can deliver, giving SMEs a fighting chance of fending off a cyber attack.
Everyone knows that backups are the bread and butter of getting out of trouble, but where they are stored, how much history they hold and how they can be accessed are all things to be considered. Disk backups stored on the same site as the servers they are backing up are particularly vulnerable. These are usually targeted during cyber attacks to prevent easy recovery and increase the chance of a ransom pay-out.
It’s not all about the tech
Business owners should ensure a CIRP (Cyber Incident Response Plan) is in place and regularly test and refine it. These help to prepare and train people across the business on how to calmly identify and handle a cyber incident, including determining if it has been caused by an external cyber attack. Plans should include key business contacts including high level decision makers, as well as external ones such as the NCSC and Action Fraud (police). The CIRP should also contain step-by-step playbooks of how to deal with certain incident types.
SMEs need to consider the impact on their business if their IT systems stopped working, so along with the CIRP, DR (Disaster Recovery) plans should be implemented and regularly tested to ensure the company can be brought back into operation if key systems are taken offline.
The final word
It is quite clear that cybercrime is here to stay, and SMEs are under threat. Thankfully there are measures to take to ensure SMEs are less likely to be a victim. SMEs are urged to consider using a reputable external IT provider specialising in cybersecurity if they don’t have the inhouse skills and resource to handle cybersecurity in all its guises. For the latest advice and recommendations visit the government’s National Cyber Security Centre at www.ncsc.gov.uk.
ABOUT THE AUTHOR
Tim Downs is Director of Bitwise-IT – providers of secure managed services to SMEs around Essex and London.