Jon Fielding, Managing Director, EMEA Apricorn, discusses why small business owners should go back to basics when it comes to cybersecurity.
The digitalisation of business has completely transformed how we communicate and conduct our work and with this digital evolution, complexity is increasing for businesses, big and small.
Departments can often work in silos, using different systems and governed by different policies which can make businesses as a whole more vulnerable to cyber-attacks, where hackers infiltrate servers, computers and devices to steal valuable data and intellectual property (IP).
That said, the attacks themselves do not need to be sophisticated – most still use simple, low-tech methods that target well-known weaknesses in an organisation’s infrastructure. This could be anything from out-of-date software patches allowing a back door into the system, to employees not keeping their devices secure or failing to follow basic security steps leaving them susceptible to threats such as phishing.
To combat these simple attacks, companies do not need to be introducing high-tech solutions, but must stick to the fundamentals of good cybersecurity practice.
Understanding and improving the security posture
In Spring 2019, Leicester City Football Club reported a data breach to the Information Commissioner’s Office (ICO). The breach itself concerned financial details stolen by a cyber-criminal that had broken into the club’s online shop. Cardholder names, card numbers, expiry dates and CVV numbers were all compromised.
This breach shows how important it is for an organisation’s cybersecurity to be secure and up-to-date with the latest regulations. For example, payment details need to be encrypted under the Payment Card Industry Data Security Standard, as well as being recommended under the General Data Protection Regulation (GDPR).
Further, this case shows how important it is to constantly review and improve the storage of data. CVV numbers are required to make purchases online and are required to be added each and every time. The breach calls into question why these numbers were stored by the football club, which in turn allowed the cyber-criminal to make purchases using customer credit cards.
In a survey carried out by Apricorn, 44% of companies expected that their employees would lose data and expose their organisation to the risk of a data breach.
Workers also need to understand the importance of good security hygiene and how to spot potential threats. Without this knowledge, computers and devices can be left wide open to attack.
In May 2019, the Philadelphia online court system was shut down for a number of weeks when viruses were found on a “limited number” of computers. The shutdown itself was a safety measure, but it resulted in files not being uploaded to the system and everything going back to paper.
It wasn’t confirmed how the viruses made it onto the computers, but given it was an online system it might be safe to assume that it could have been from a phishing campaign or via software with back level patches. For example, it would have only taken one professional looking email to catch someone unaware, for the malware to then spread further.
Implementing end-to-end encryption
With emails carrying sensitive information and documents with company secrets, having end-to-end encryption has never been more important. Whether it’s using an encrypted email system or encrypted USBs, making sure that all endpoints are protected is essential for any business.
While there can be weaknesses with end-to-end encryption, such as man-in-the-middle attacks, having this layer of protection means that information won’t be at so much risk from human error when implemented correctly.
Unfortunately, Heathrow Airport fell into the trap of not having encrypted devices in October 2017, when a staff member lost a USB stick containing sensitive personal data which included sensitive security data of the Queen’s route to the airport. It was found by a member of the public and was neither encrypted nor password-protected. According to the ICO, the stick contained 76 folders and over 1,000 files and fined the airport £120,000 for data protection failings.
Of course, technology is always changing and with it the security required to protect it. Sticking to these fundamentals is half the work – the other half is reviewing and updating these measures on an ongoing basis. Policies and procedures need to reflect the current business environment as well as the regulations put in place by governments and governing bodies. Only by doing all of these things will businesses have a chance at protecting their infrastructure, data, assets and people.