The number of small businesses falling victim to cyber attacks is on the rise. Law authorities and top cybersecurity experts are now warning that it’s not just blue chip companies, governments and celebrities that are under threat from cyber crime, but also small businesses, as a growing number of cyber criminals target them.
According to cybersecurity firm Symantec, over the last four years an increasing number of cyber thieves have been targeting small businesses, viewing them as ‘easy targets’. Larger companies have ramped up their security and firewalls following a spate of big-name cyber security breaches; many smaller companies, however, are failing to do the same.
Symantec’s research shows that nearly half (43%) of all global cyber attacks during 2015 were aimed at small businesses. Criminals exploited the digital weakness of smaller firms to steal data, crash websites and send spam to customers. The World Economic Forum has identified cyber crime as one of the top global risks – and it’s on the rise. The number of malware pieces launched last year was up more than a third (36%) from 2014, reaching a worrying 430 million.
Data breach: Are you prepared?
With the number of companies suffering a data breach on the rise, is your business fully prepared? Read on to find out…
As technology becomes increasingly integrated into business operations, safeguarding sensitive data has become more important, yet more difficult, than ever before. By definition, a data breach is any incident where private, protected or sensitive information is lost, stolen or used by an unauthorised person.
All businesses, regardless of size, are susceptible to a data breach, with companies such as T-Mobile, Nationwide Building Society, Morrison’s Supermarket and Sony PlayStation Network all falling victim in recent years. According to its data security incident trends report, the Information Commissioner’s Office (ICO) received 559 new data breach cases from July to September 2015; a staggering 43% increase on the number of cases received in the previous quarter. The ICO also recorded a 49% increase in views of its ‘Report a breach’ page between Q1 2015/2016 and Q2 2015/2016.
One single breach could end up costing thousands of pounds, and that could spell disaster for any business, particularly smaller firms with fewer customers and limited cash flow. Needless to say, how you act in the immediate aftermath of a data breach could make all the difference in the recovery and reputation of your business.
Planning for the worst case scenario will help you to cope in the event of a data breach, and it may limit the likelihood of one occurring in the first place. Steps to take include:
Creating an Incident Response (IR) plan
It’s essential for all businesses to have an IR plan in place, which should include a definition of a data breach and a step-by-step process on how to deal with one. This plan will help you to respond effectively and in a timely manner should a data breach occur.
Identify relevant threats
When devising the IR plan, identify the risks relevant to your organisation. Your threat landscape will be largely determined by how your business operates. For instance, if you offer online services you could be susceptible to a denial-of-service (DoS) attack, whereby cyber criminals disrupt and suspend services in order to make networks unavailable to users. As your business grows and adapts these threats may change, so they should be re-evaluated on a regular basis.
Educate staff and put your IR plan into action
Once you have developed an IR plan, distribute it to all employees. Explain how they can help to prevent a data breach and discuss their individual roles in the event of a breach. Put the IR plan into action at least once a year, as doing this will enable you to analyse its effectiveness and ensure you and your team are able to respond to a breach in the appropriate manner.
If you do suffer from a data breach, here’s what you should do:
1. As soon as the breach has been identified, you must move as fast as possible to evaluate how serious the breach is. You should immediately follow the process set out in your IR plan.
2. Don’t worry about the root cause of the breach; focus first on containing and destroying the threat and restoring the service.
3. Communicate with all key stakeholders about the possible data breach and keep them updated on developments. It’s important that you are open and honest about the breach – do not attempt to hide any information from them.
4. Following this, your customers need to know about the breach. It’s more effective to create a response template that can be immediately distributed in the event of a breach. Keep it short and sweet: explain that your business has become aware of a possible breach and is trying to fix the issue as quickly as possible.
5. Following a data breach, ask yourself: did my team and I handle the breach effectively? Was the IR plan effective? Evaluating all incidents will enable you to make necessary amendments and plan for a more effective response in the future.
Don’t let data loss torpedo your company’s future
Modern businesses trade on trust and customer data, but both can vanish overnight in the event of computer failure or cyber attack. Are you doing enough to protect against this threat?
It’s one of those moments we all dread happening to us: your desktop computer suddenly makes an alarming noise and blacks out, never to turn on again. Or you go to pick up your laptop bag, only to find it’s been whisked away by a thief.
As the reality dawns that your device and its data might be irretrievably lost, you may be asking: Why didn’t I secure my data?
According to The Guardian, 78% of all organisations have experienced a data breach in the last two years, and 60% of small and medium-sized businesses don’t routinely back up their data. It’s never been more important to take data security seriously.
An economy reliant on data
Today’s digital economy relies on vast flows of data racing across the globe and through cables under the oceans. We all send emails, photos and social media updates. Organisations collect sensitive data about almost every element of our lives, from our car insurance to our taste in clothes and even medical conditions.
We expect all this information to be stored securely. If companies fail in their duty to protect this data, accusations, lawsuits and even prosecutions may follow from customers, shareholders, business partners and regulators. Data loss is a major risk to a business’ reputation and profitability, as has been shown by recent high-profile incidents; a study by Diffusion Group found that 72% of companies cease trading within two years of a major data loss.
How data can be lost
There are two aspects of data loss. Data can be lost in the sense of being no longer accessible – for example, on a corrupted hard drive or a server destroyed by fire. Data can also be overwritten through human error – for example, by saving the wrong version of a document – or lost through a system malfunction.
Data can also be lost through outside agents stealing it, whether they leave behind a copy or not. This can happen through malware which steals details such as credit card information, ransomware which permanently encrypts data unless a business pays for decryption, or simply by a device such as a laptop being stolen.
The consequences of deleting data
Data is a valuable asset and losing it can cause major embarrassment and loss. For example, if you offer a hosting service for customer photos and you delete some files, you are likely to face considerable anger at all those lost memories. If the data is for internal use, such as billing information, you might be in the awkward position of not being sure which clients need to be invoiced.
With today’s big data approach to sales and marketing, information is a hugely valuable commodity and the loss of it can compromise your ability to develop as a business, even if it doesn’t impact on your customers.
The consequences of a data leak
As the recent TalkTalk experience shows, detecting a data leak can be excruciating for a business. In the case of TalkTalk, the head of the company told customers their data, including financial details, may have been leaked and it may not have been encrypted. It’s hard to imagine a worse scenario for a brand’s reputation. Many data breaches also require a company to self-report to the Information Commissioner’s Office (ICO), possibly resulting in disciplinary action being taken by the regulator.
Cyberattacks can not only target financial data, they can also steal highly confidential information. The recent Ashley Madison fiasco, in which a dating website for people seeking to have extramarital affairs was hacked, is an example of how the release of sensitive data can have life-changing consequences.
How to secure your data
Every business is different, so you may need to consult an expert to identify your full risk profile. However, the following steps are likely to help:
1. Install antivirus/malware protection and firewalls – and keep them updated. Some cybercrime policies insist this software is a paid-for service and not one of the free options available.
2. Don’t forget to install protection on laptops, mobiles and tablets too.
3. Add password protection, and change passwords at least every month to 45 days.
4. Develop a data protection policy and train staff in best practice.
5. Use secure documents with digital signatures and password protection.
6. Think about paper too – don’t overlook printers and hard files.
Are you doing enough to protect your business’ data? How much of a risk is data loss to your future prospects?