With high-profile hacks of huge organisations such as Sony, MySpace, and Yahoo making headline news it’s tempting to think that only massive companies are susceptible to attacks – after all, they’ve got more data and more money, right? A recent study by Kaspersky Lab showed that 82% of small businesses say they aren’t likely to be targeted by a cyber-attack because they think that they aren’t worth hacking.
In fact, the opposite is true. 2015 Government research by PwC found that in actuality 74% of small-medium businesses in the UK experienced a data breach of some kind. These breaches cost SMEs upwards of a combined £800m in data recovery, reparative measures and reputational damage – and that’s without accounting for the possible fines incurred from recklessness with data. The Data Protection Act requires businesses to take appropriate measures to prevent unlawful loss of data, and an inability to do so properly can result in a fine of up to £500,000.
Types of attack
Small businesses are actually more susceptible to attack because of the hacker’s (accurate) assumption that SMEs invest less in cyber security than larger firms.
Malware attached to legitimate looking emails can cause complete disruption and infection of a company’s network, and all it takes to download is for one employee to open a link or download a file.
Hackers can gain access to user accounts/passwords through careful manipulation of obtainable data. By tricking an employee into giving out their password, the hacker can get access to the user account, and then they have access to the system and networks.
A hacker can modify a search query, or implement code in the URL, comments section, or form, that sends a request from the website to the database server, and returns the records of the database to the hacker. This allows the hacker access to unauthorised and private data.
DDoS (Distributed denial of service)
Sending simultaneous hordes of URL requests to the server causes server-side bottlenecking, which denies user access, and allows the hacker to compromise the server.
24% of SMEs admitted they thought cyber security was too expensive, but in fact, basic security is either free or relatively low-cost – especially when compared to the £500,000 fine for mismanagement of data.
For many reasons, but specifically when thinking about increasing security, it’s good practice to keep all of the software you use up to date. Latest software updates fix vulnerabilities found in previous versions, and reduce the risk of exploitation.
Strong password security measures are imperative for keeping employee accounts secure. Following best practice guidelines (such as ours, linked here) can ensure that the accounts are harder to access through social engineering.
Delete suspicious emails
If an email looks suspicious, it probably is. Remaining vigilant is important, and if in doubt, it’s best to delete the email before opening anything.
The above tips can be implemented easily by educating staff on the best practices.
Managing user accounts is a good way to improve network security. For instance, employee accounts do not need administrative access, and so should be restricted as such, so that if a hacker gets access to an employee account they’re limited in what they can do with it. Admin accounts should have different, more secure levels of access.
After downloading software to a network, the install should be hardened. This involves removing unnecessary add-ons and extensions, changing default logins and passwords, and deactivating superfluous features.
Firewalls can be configured to restrict network access by blocking unnecessarily open ports. Network administrators can choose to accept or reject traffic depending on which port it comes through. Visit our support site to learn more about firewall policies.
In a study by the Cloud Industry Forum it was found that 98% of SMEs had never experienced a breach in security when using a cloud service. With virtual private networks, firewalls, backups and clones included across all configurations, it is worth considering migrating to the cloud when thinking about data security. For more information on cloud servers, visit the Fasthosts website.