There is a common misconception that the smaller you are, the smaller a target you are for a cyber attack. This might have been true some years ago, when hackers (also known as "threat actors") went after bigger companies. However, we have seen an increase in commoditised attacks in recent years. Attackers can now rent or buy online the tools they need to attack and gain access to their victims.
So what can we do about this escalating threat? There are several ways in which SMEs can take a stand to help prevent or deter attackers.
Most data breaches come from human interactions. It has been so for a long time, and still is the case. Attackers can deploy e-mail phishing attacks to trick users into revealing personal information, or lure them to download and execute malicious code.
Education of end users is the key to help prevent this from happening. Most types of ransomware use this technique to gain a foothold in an organisation. Some enterprises have even crafted their own test-phishing e-mails and sent them to their employees to see if they could be fooled into clicking the malicious link, and then tailored their education in response.
Educate well and educate often. Do not become complacent.
It may sound old, but backing up your data is as valid today as it was before. If you have ever been a victim of ransomware, you will know the value of backing up your important files and data.
3. Separation of duties
Whenever possible, look at who has access to your data. Does everyone in the company need to have access to all the data? Look at employees who have moved within the company and ensure that their access levels are adjusted to match their job scope and department. Do not allow for "access creep" beyond what is needed for the employee to perform his or her duties.
Bring Your Own Device (BYOD), or as I like to call it - Bring Your Own Disaster. Many companies are either using BYOD or are looking to implement it.
There are software and hardware tools that can be implemented to control data on the device, and minimise chances of data leakage. These are valid ways to secure data on the device.
The server can control e-mail on the device, such as how long data can be stored there. However, there are companies that have decided not to go down this path for many reasons. Some have simply implemented a contractual agreement where they allow their employees access to company data, but the company reserves the right to wipe the devices clean when the employees leave.
Both are valid ways to reduce the security risks of BYOD. It depends on the capabilities of the company to implement a technical solution.
5. Understand the value of your data
Every company, big or small, has to appreciate the value of its data. It is crucial to classify your valued data, set appropriate permissions, and implement a security defence strategy around it. This is especially so for data whose value changes with circumstances and time, like the features of an unreleased smartphone.
6. Have an action plan
Former FBI director Robert Mueller once said: "There are two types of companies out there. Those who have been hacked and those who will be hacked."
While most companies have crisis management plans in place for the physical destruction of their properties and assets, few have developed a triage, recovery or business continuity plan to manage cyber attacks. Take, for example, the recent incident where tech major Yahoo took over a year to announce their breach, resulting in huge public criticism and a drop in their share price.
Applied to an SME, the same scenario could cause severe loss of business, or even force it to close.
More and more organisations are looking to insure against data breaches, to protect the value of the data they own. Similarly, insurance companies are now looking to put a number on the potential loss value for organisations in the case of a data breach. However, this does require a process to review and value what data you need insured.
8. Hire the good guys
One of the limitations smaller companies face is manpower resources. This is especially so when there is a global shortage of security expertise, making it very challenging for SMEs to hire relevant professionals. One way SMEs can work around this is to work with established security vendors and leverage their expertise.
- The writer is head of Security Engineering, APAC, Middle East and Africa, Check Point Software Technologies.