Common Cyber Security Attacks and How SMEs Can Fight Them
In insight / By Lydia Cooper / 24 September 2018
Small businesses are just as much at risk from cyber security attacks as big businesses. Some small business owners believe they are simply too small to be targeted. However, according to a report published by the Federation of Small Businesses, two-thirds of its members said they had been a victim of cyber crime between 2014 and 2017. With an average loss of £3,000 per business as a result of cyber attacks, their potential growth has been seriously hampered.
Because of this threat, businesses need to take appropriate steps to prevent attacks on their cyber security. The General Data Protection Regulation (GDPR) came into force on 25th May 2018, which means businesses with lax cyber security are at risk of being fined up to £17 million if they cannot provide evidence that they are putting cyber security safeguards in place.
So what can you as an SME do to protect yourself and your customers’ data from a cyber attack? Nasstar has taken a look at the current common cyber threats and offers some advice on how to combat them.
1. Internal Attacks
The thought of an employee going rogue and causing an internal cyber attack is something you might never expect to happen to your small business. Precisely because of this, you really do need to consider the possibility of this cyber threat occurring. You will have employees who have access to networks, sensitive data and admin accounts, and it only takes one disgruntled employee to cause a lot of damage to your small business.
This is where a small business needs to identify every employee account that has such access privileges. Then you need to remove all accounts with those privileges that are no longer in use and/or were owned by employees who have left the company. Using a corporate file sharing product as an alternative to Dropbox can help administrators control exactly how files containing sensitive information can be shared and accessed by employees.
2. Phishing and Spear Phishing
For a cyber criminal, phishing has always been an effective method of introducing malware into a business. Users unwittingly click a link or open an attachment within an email that contains the malicious software, which then steals important information.
One particular style of phishing that hackers like to use is spear phishing. Hackers will scour social media profiles to find the employees they would expect to hold privileged accounts within a business. To win the employee’s trust, they will pretend to be a sender the user knows and trusts, such as a member of senior management or a valued client. If an employee is tricked into clicking the link, the ransomware takes over and encrypts valuable data on the infected system, revoking the small business’s access and demanding payment for the data to be restored. In 2017 the NHS was subject to one of the biggest ransomware attacks in history: the malware WannaCry (an exploit of a vulnerability in Microsoft Windows) infiltrated hundreds of NHS computers via email and infected around 300,000 computers worldwide.
To combat this sophisticated cyber attack, SMEs need to educate their staff on how to spot a phishing email. Businesses must also ensure they have securely backed up all of their critical data, unless they really want to pay the ransom.
Having a secure email encryption platform can also help prevent a cyber security attack of this kind, as well as preventing data breaches through routine communications.
3. Poor Knowledge of Cyber Attacks and Security
Arguably the biggest cyber security threat to any small business is a lack of knowledge of cyber attacks. If your business does not put in the time to raise awareness, then any cyber security policy in place is at risk of failing to be effective.
Your IT staff need to be trained in incident handling. This will allow the team to manage any security incidents that occur, and to bring systems back online more quickly if a hack does take place.
You will have employees who do not know how to protect themselves online, and others who won’t care enough to do so. It is vital that small businesses hold compulsory training sessions to help employees learn about the cyber attacks that could happen. After all, having a basic level of knowledge and awareness of cyber threats could be the difference between being hacked or not.
4. DDoS Attacks
Distributed Denial of Service (DDoS) attacks have hit the world’s biggest websites over the years. Reddit, Twitter, and Netflix have all suffered outages because of them. Gamers will remember the 2011 PlayStation Network attack, which stopped the service completely for a whole 23 days; this was staggering considering most DDoS attacks generally last between 6 and 24 hours. The attack works by flooding a service with massive amounts of web traffic that force crucial services offline, which is why it is known as a “denial of service” attack.
A business cannot stop such a cyber attack from happening, but with extra bandwidth on the system and a response plan in place, it can reduce the impact of the attack.
5. Malware
Malware is simply any software that has been installed on a system to perform unwanted tasks that only benefit a third party. Examples of such malware include ransomware, spyware, adware, bots, and trojans.
The best way to deal with these cyber attacks is for a small business to invest in excellent antivirus technology. This needs to be kept constantly updated, and so should the operating systems, firewalls and firmware. Not keeping these patched or updated can leave you open to exploits, which is exactly what happened to the NHS with the WannaCry attack.
6. SQL Injection
There are many cyber attacks that can be launched against the website of a small business, but SQL injection can be the most dangerous. SQL injection exploits vulnerabilities that allow hackers to steal or interfere with the database that sits behind a web application. Hackers do this by sending malicious SQL commands to the database server, entering code into forms such as login or registration pages.
To combat this cyber attack, small businesses should as a precaution assume all user-submitted data is malicious. You should also remove any database functionality that isn’t needed and consider using a firewall that protects your web application.
7. Bring Your Own Device (BYOD)
Small businesses will make use of bring your own device (BYOD) technology to extend what they can do. With company data shared onto them, these unsecured mobile devices are a vulnerability waiting to be exploited. Malicious applications can bypass security and access your secure network from within the company itself.
A BYOD policy needs to be made clear from the beginning. This educates employees on what cyber security your business expects to see on these devices. It can be enforced effectively by using Mobile Device Management (MDM), which offers complete administrative control over corporate data and applications installed on devices. The software also allows data to be completely wiped from a device, should it be lost or stolen.