The Australian Cyber Security Centre recently stated that ‘small businesses can be big targets for cyber-criminals’, citing a study showing 62% of small businesses had been a victim of a cyber security incident. While small and medium businesses may be less obvious targets than, say, ASIO or the big four banks, they are also a softer target. After all, there is a far lower chance of getting caught if they steal a low amount from many small businesses.
What Are the Threats?
Cyber-criminals may be part of organised crime groups, they could be hired by competitors, they could be opportunists seeking out whatever advantage they can find. They will have no hesitation in exploiting any weakness, and the attacks are increasingly cunning. The average time to detection of an intrusion runs into months, and in this time, the hacker may elect to disable or destroy their target’s backups before anything else, giving no easy way to recover without paying a ransom. They may steal secrets, leaving no sign they were ever there.
We have had many smaller organisations reach out to us when they are compromised. If they have good, undisturbed backups, we can usually get them going quickly, but without good systems they are left with little choice but to pay up. There are some relatively inexpensive ways to keep backups protected and separate, and it is a practice that can pay off when a hacker, or any other disaster, strikes. Having been in the industry for decades, and witnessed the absolute heartbreak experienced by businesses unable to recover effectively from cyber-crime, we can’t stress enough that a good backup and disaster recovery plan should always be high on your priority list.
How Hackers Get In
There is no shortage of methods employed by intruders, but here are a few of the most common:
Phishing – cyber-criminals commonly gain access to systems through emails with seemingly safe links. These phishing attacks account for 39% of all data breaches in Australia. Most phishing emails look legitimate – they may pose as your bank, Australia Post, a government department, or Netflix. The link takes the user to a website that asks them to install something. Once installed, the malware takes control of their computer.
Malware – an unsafe program gets installed on the user’s computer, often through a phishing attack, or from visiting a website.
Password attacks – sometimes, a hacker keeps attempting to login to your account, using the power of a computer or the internet to work through a database of known passwords. They keep on trying until they get in. Weak passwords are still worryingly common. 75% of users rely on three or four passwords across all of their accounts, and many of these are weak or default passwords, making the hackers’ work easy.
Ransomware – Made mainstream-famous by the WannaCry attacks that brought down some of the world’s biggest businesses, this type of malware is designed to encrypt all of your files, so you can’t use them. It is a sophisticated and damaging assault on your business in which criminals can encrypt a whole server in moments, jump to other servers, and take out a whole company in mere minutes. The criminals then demand money in return for un-encrypting your data.
How Can Small Businesses Protect Themselves From Cyber-Security Risks?
Cyber-attacks hit small and mid-sized businesses especially hard. 60% of small businesses fold within six months of a data breach or cyber-attack, so leaving it to chance is a huge gamble. As well as the direct financial hit of paying ransom, they cause a loss of confidence from customers and suppliers, and threaten government and corporate contracts. Prevention is clearly the best option.
Spam protection is a good first step, as it greatly reduces the unsafe emails that make it into inboxes. Microsoft Defender for Office 365 (formerly known as Microsoft Advance Threat Protection or ATP) is a part of the Microsoft 365 Business Premium suite, so you likely already have it. This is hands down one of the best protections available against phishing attacks.
Your organisation and people probably use many devices, from mobile phones and laptops to printers, security cameras, even drones. Endpoint protection options are not all the same, and we recommend Sophos Endpoint Protection, which has ransomware protection built in. It will stop ransomware even if your user inadvertently clicks on a bad link.
Password management shuts down a lot of easy options for hackers. Your password policy should insist that all passwords are complex. This doesn’t mean they must be hard to remember, but they should be long, and not found in a dictionary. Passwords must be unique for every account, so for example, users shouldn’t use the same password for their Facebook and their email. It is good to see that more organisations are now using password managers. Complementing this, every login should employ Multi Factor Authentication. Since most businesses use Microsoft 365 anyway, it is easy and cost-effective to use the included Microsoft Authenticator tool, but there is an option on the market to suit any business.
Modern technology includes modern security features, but if you’re using outdated servers, for example, the operating system may have been designed for a time when organisations hid their technology environment behind a firewall. In today’s world of remote working, this has all changed. Users want to access data anywhere, from any device and this is difficult to secure on an old server environment while offering ease of access. Moving data to the cloud can be a good option that incorporates protection and practices to share data securely online. Tools like Microsoft 365, SharePoint, OneDrive, and Teams are designed to work together so that groups can access data and collaborate securely.
Many organisations are unaware that Device Management with Intune is included in Microsoft 365 Business Premium, so they are paying for a great set of tools already. This includes device control and encryption, but it is not configured out of the box, so it takes a little expertise to enable and adjust the features to suit each organisation. Once set up, it can automatically encrypt all company devices, remotely wipe data if the device is stolen, and even set policies to enforce having a minimum six number PIN. You can control the number of password fails before the device is locked.
Last but not least, User training is vitally important. You can put in place all the protection in the world, but it is still best to make your people cyber-aware. It doesn’t hurt to test the team, where a fake email is sent so you can see who clicks on the links, then target training better. Our account managers often help customers to deliver cyber-security training for users – we are always happy when our customers can stay safer.
Data Protection features are also worth exploring in Microsoft 365, as they can protect information at the document level. Whether they include personal information or intellectual property, you can set rules about how individual or groups of documents can be accessed, shared, and printed, using very granular controls. This is another area where a little expert help can go a long way to keeping your data safe.
In closing, we’ll offer no apology for saying again: backup, backup, backup! Whatever happens, when all else fails, if you have a safe backup out of reach of hackers, you can get your business back into operation. If you pay attention to this last line of defence, you have a greater chance of surviving the onslaught of post-COVID security challenges.
Need to know more, or want advice about bolstering your cyber-security risks? Chat with one of our friendly security team, and follow us on LinkedIn.
Check out our recent article: The 8 Big Internet Risks – and How to Address Them.