Understanding the cyber threats that small businesses face

Simon Vellacott
Security Portfolio Manager, Global Security Innovation, Vodafone

The Vodafone Cyber Ready Barometer 2018 Report has shown that 79% of businesses, with less than 250 employees, see cyber as critical - yet only 1 in 4 have adequate cyber maturity. This is a point that is not lost on their adversaries who are increasingly targeting small businesses to disrupt and subvert wider supply chains for their own financial or political gain.

It starts with awareness

For a small business owner, the first step on the cyber security journey is to understand the types of cyber threats that their business is facing. This can often be bewildering given the plethora and evolving nature of attack techniques. The most prevalent types of cyber attacks that small businesses need to ready themselves for include attacks where adversaries encrypt data and demand a ransom, commonly known as ransomware. Although these types of attack have been around for a number of years, their impact on society became extremely evident with the well-publicised ‘WannaCry’ ransomware attack, which affected the UK’s National Health Service (NHS) in May 2017 and organisations in over 150 countries.

There is also nearly weekly coverage in the media of organisations that have experienced a data breach which has led to sensitive information ending up in the public domain or being exploited by adversaries. This is especially important as new regulations, such as the EU General Data Protection Regulation (GDPR), have recently come into force with businesses facing stringent financial penalties where personal data is compromised. Often data breaches are the result of successful Phishing or Watering Hole attacks. Phishing attacks involve employees being duped into clicking on a malicious link within an email or opening an infected attachment. Whilst Watering Hole attacks entail frequently visited websites being compromised and malware being inadvertently downloaded.

Simple things matter

Getting the simple things right can be applied to many aspects of life and cyber security is no different. There are simple practical steps that small business owners can implement to put themselves on a surer cyber footing and to protect their largest asset – their business.

The UK’s National Cyber Security Centre provides independent advice to businesses through their Cyber Essentials scheme to enable businesses to enhance their approach to cyber security. Practical steps businesses should be considering to improve their cyber security include:

• Ensuring firewalls are enabled and configured for all devices – especially important for devices that are connecting to the internet or untrusted Wi-Fi networks
• Only using software, apps and accounts that are needed and protecting them with strong passwords. Employees using important applications, such as banking or IT administration, should also prove who they are by entering a numeric code that is sent to their smartphone or by using their fingerprint as a secondary form of authentication
• Employees should be set up with individual user accounts. Only employees that need admin accounts should be provided with them, thereby reducing the risk of accounts with admin rights being compromised. The activities that can be carried out with Admin accounts should also be controlled
• Protecting your laptops, smartphones, PCs and servers from malware and viruses by implementing and regularly updating anti-malware controls across devices. Phishing is a key method for infecting devices. It is therefore also important to increase employee awareness of phishing attacks
• Ensuring Operating Systems, software and devices are using the latest updates to benefit from fixes of known security vulnerabilities
• Regularly backing up important data on separate and unconnected storage to combat ransomware attacks.

An increased awareness of cyber threats and getting the simple things right are the first steps in enhancing your business’ cyber readiness and resilience in the face of the evolving threat and regulatory landscape.

Bibliography

[1] Cyber Essentials, National Cyber Security Centre, https://www.cyberessentials.ncsc.gov.uk/

[2] Cyber Security: Small Business Guide, National Cyber Security Centre, 2017, https://www.ncsc.gov.uk/blog-post/cyber-security-small-business-guide

[3] ENISA Threat Landscape Report 2017: 15 Top Cyber-Threats and Trends, 15 Jan 2018, European Union Agency For Network and Information Security, https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017

Cyber security is a key concern for organisations of all sizes. Protecting devices, networks, data and apps is an essential component of doing business. Vodafone provides security products and services to businesses of all sizes, helping you secure your business anywhere because we are everywhere. We are trusted by organisations globally, including utilities, financial institutions and government agencies. For more cyber security insights, you can find us on LinkedIn.