The news of serious data breaches is becoming an almost daily occurrence, to the point that many companies view it as an inevitability. The scale of the issue is so great, it is estimated that more than 145 million records were leaked in June 2018 alone.
To protect yourself, you may have built your cybersecurity setup with criminals and hackers in mind. But while their threat continues to become increasingly advanced, you are much more likely to be the victim of an attack that comes from an internal source.
This could simply be down to a lack of staff education about the risks of opening an unchecked email attachment, or premeditated, like an ex-employee accessing the company network after leaving. But with 78% of SMBs failing Hiscox’s Cyber Readiness test, it more important than ever that behaviours which may weaken company security are identified.
Under the radar?
In many cases, small businesses may not treat security as high enough priority. This could be down to lack of resources, lack of knowledge or simply the idea that they are too small to be noticed by hackers.
For startups and very small companies, individuals may take on multiple roles within the company. In these cases cybersecurity is likely to be considered, but due to resources, not have a dedicated member of staff or be prioritised in the way it should be. Situations like this are excellent examples of how small companies with good intentions make themselves vulnerable.
Many feel their company is small enough to fly under the radar, and that they are unlikely to face an attack because they are too small for hackers to waste their time with. An important factor for these small businesses to consider is how the most prolific attack of recent years, WannaCry, worked.
It managed to achieve a wide impact because the instigators didn’t specifically target companies, instead aiming to cause as much disruption as possible. By playing a numbers game and hitting as many targets as they could, regardless of size, the attack was effective. Why? Because people open phishing emails in error, or fail to apply the latest patches and updates. The more people you target, the more certain the likelihood of success.
Adopting a casual attitude to cybersecurity is the equivalent of leaving your door on the latch – it may appear to be secure, but should anyone try their luck, they will have unfettered access to your possessions.
Lack of security awareness
Often breaches are not the result of a planned, targeted attack. Instead, they come out of research into what makes attacks effective. In an interview with Avast Business, Doctor Lee Hadlington, Associate Professor of Cyberpsychology at De Montfort University explained; “Success at social engineering is a skill which is honed over time. Those attackers learn what works and what doesn’t. Criminals will see what works and add their own take on approaches to improve it. So, hacks get better, more effective and more sophisticated over time.”
Phishing is a highly infamous method of tricking users into opening attachments containing dangerous code or software. Most people are familiar with the idea of a mysterious email from a foreign prince offering a small fortune, but attacks have become a lot more sophisticated in recent years.
Targeted ‘spear phishing’ attacks, for example, are becoming increasingly difficult to spot. By mimicking an email from a legitimate source, such as a colleague or a company with a reputable online presence, these attacks hope to trick the user into opening attachments or clicking links. Often, they request updated information from the user, but this type of scheme will only succeed if the target is fooled, and so it is critical that staff are fully trained to identify and flag potentially suspicious emails.
A poor personal habit that could seep into your office is using weak passwords. After years of warnings, and many sites setting minimum requirements for passwords, the most popular passwords are still ‘123456’ and ‘password’ and they are often reused on multiple accounts. This again demonstrates that while the risk of an attack is a real one, most people feel immune to the advice, feeling that it is only larger companies that become victims.
In these cases, an ‘it’ll never happen to me’ attitude is one of the greatest risks to data security. If staff are making it easy to compromise passwords, your data will be vulnerable regardless of the level of security software in place.
The rapid development of technology has made mobile working a realistic and increasingly popular option for office workers, with the global workforce expected to be 42% mobile by 2022. While this can have many benefits in terms of productivity and wellbeing, as the number of devices used outside the office rises, so does the risk of data breaches.
Personal responsibility also extends to the type of device being used. While Apple devices shouldn’t require external security, this does not protect your data’s safety if they are used on unsecured Wi-Fi networks – and security flaws have been found in a variety of iOS updates.
Similarly, the rise of smart devices and the Internet of Things (IOT) mean that there could potentially be numerous devices connected to your network that still have their default password – effectively an open door into your network. Without an awareness of these types of risk, personal users could be making easily avoidable mistakes.
To minimise these risks, it is vital that small business consider the responsibility for data security to be held with each individual in the company. By incorporating it into company culture through a code of conduct, BYOD agreements and regular training, staff can become comfortable with cybersecurity and risks can be significantly reduced.
Sometimes the threat from inside the company is not able to be solved with training. Past employees, contractors and temporary workers can all pose a significant safety risk if they still have access to the business network after they have left the company.
The PwC State of Cybercrime Survey revealed that 44% of all data breaches in the US are attributable to insiders. Protecting against this type of threat could be difficult, but with diligence and proactivity, it can be avoided.
To protect sensitive data, it should be stored in a secure location, ideally away from the main network. Access to it should only be given to those who require it. This should be enforced strictly and includes senior figures at the company. Third party users should only receive access to the data they require, and access should be limited to the duration of their task. Former employees should also see their access terminated as soon as it is no longer needed.
People are also the solution
Fighting against data breaches requires much more than software. Without proper care, anyone at your company could accidentally leave you exposed to cyberthreats. The most elaborate security system in the world will not be enough if staff are not trained to identify and manage risks.
By framing security as a team effort and underlining the personal responsibility that brings, the behaviours that make your employees a risk can be removed and replaced. Instead, you’ll have a vastly improved culture that can form a crucial part of your defences.