For small businesses, a data breach can be devastating. Global studies estimate that about half of companies are out of business within six months of a cyber breach.
The costs aren’t just limited to the immediate theft or data loss but also include compromise to private intercompany communications and customers, vendor contract details, confidential business information and reputation, which all have an impact on future income.
In April 2015, the Australian Federal Police (AFP) revealed there were more than 3,500 breaches in the country for the month – a number which is expected to rise further. This has prompted efforts by the government to recruit young hackers – “white hats” – with the technical ability to help track and counter these cyber threats.
Unfortunately, one of the trends they are seeing is that smaller businesses are becoming targets. According to Gartner, ransomware has become a popular attack platform in Australia, targeting SMBs (small to medium-sized businesses) even more than larger companies. After the US, Australia is now the second most commonly attacked nation in terms of ransomware. The Australian Competition and Consumer Commission (ACCC) said it received over 2,500 ransomware and malware complaints last year, with over $970,000 reported lost by small businesses and consumers.
Furthermore, in today’s environment small businesses are increasingly reliant on third-party services and an ever-growing array of computing equipment in their operations, both of which are frequent targets of attack.
You will have heard about the attacks on Sony, Target, Kmart and other major breaches because big companies make big headlines, but the majority of breaches happen to small businesses. In fact, more than 80 per cent of breaches are estimated to occur to small businesses, which is troubling because small businesses are the most vulnerable and the least aware.
So, how do you secure an organisation with limited resources? The first priority is to not be an obvious target. Ninety per cent of attacks are associated with weaknesses in basic controls, such as firewalls, default passwords, VPNs and two-factor authentication. These simple steps ensure your business isn’t noticeably insecure. I can’t tell you how many times I’ve heard of companies’ security passwords being “password” or the company’s name. It just shows how a little extra effort can strengthen cyber defence considerably.
Secondly, if your business takes payment data and customer information, then doing a PCI audit is critical.
Businesses must always be PCI compliant, but you would be surprised at how many small Australian businesses are still not there. This not only jeopardises customer information, but it opens a company up to sizeable fines and significant damage costs after a breach.
If you have data at rest, ensure that it meets PCI requirements, so that if cyber criminals breach you, any data they find will be useless to them. A more secure option is to look into outsourcing services to process and protect the financial transactions, so that card data doesn’t even touch your networks.
Additionally, here are some quick security fixes to ensure everyone in your business is doing as much as they can to prevent a security breach:
1. Don’t let your PC go unprotected
Move off Windows XP if you still have computers running it, as support and updates for Windows XP ended in April last year.
2. Coordinate policies with processes
Make sure everyone in your company is clear about your data-protection policies and what they can and cannot store on their personal computers.
3. Keep sensitive data safe
Do not store sensitive data on a general-purpose computer. The machine that holds it should not also be used to check email or surf the web.
4. Regularly review what information you store
Check over what information is being stored on your server(s), and verify that any confidential or monetary data is sufficiently protected.
5. Maintain PC protection
Confirm that you have automatic software updates and antivirus updates enabled and ensure firewalls are maintained.
6. Plan ahead
Put a disaster recovery plan in place, including who to call when something bad happens, offsite backups in order to recover from fire, flood, physical theft and hackers, and records of what (if anything) your insurance policy covers for downtime and other costs associated with hackers.
7. Be in good company
Develop a relationship with your local government authorities before you need to call on them in a crisis.
8. Do your data homework
Collect computer logs and review them occasionally. They will prove valuable during incident response, helping you to learn what your computers normally do, respond to cyberattacks more quickly and potentially spot hackers before a damaging breach.
9. Consider managed security services
Advances in cybersecurity technology, including the use of more sophisticated analytics, can be difficult to keep on top of. Managed security services can ensure that you are as well-protected as larger firms.
10. Support cyber protection and knowledge sharing
We all need to share actionable data on cyber breaches so that experts can gain a community view of the shared threats that exist and fold those threats into an analytic approach that reflects the real risk they pose.
You can do your bit by reporting a cyber security incident online at the Australian Cyber Security Centre (ACSC) website.
It is also worth being aware of some of the threats affecting Australia. Recently, the ACSC released its first-ever unclassified Threat Report, which identified the techniques cyber adversaries are using to target network vulnerabilities in Australian government and business networks.
Take just a few minutes to find out a bit more about malware, spear phishing, malicious use of remote access tools, “watering hole” attacks, denial of service and ransomware.
Once you have the fundamentals in place, the next step is to investigate some of the new breakthrough alternatives that will best protect your business, and your pocket. Today’s innovations include analytics and machine learning, and techniques that devalue data so that it is worthless if stolen.
If you are a small business, look into point-to-point encryption (P2PE) or tokenisation, which can be very cost effective. Securing a business today with a very small budget is challenging, but ignoring cybersecurity is no longer an option.
Scott Zoldi is the chief analytics officer at FICO, a cyber security solutions company.