Achieving good basic security used to be simple: keep your applications up to date, get security software and install a firewall. But as online criminals become more professional, they’re employing different tactics to target small companies.
Don Smith, technology director at Dell SecureWorks, gives an insight into this complex area, explains how things are changing and how to keep up.
“Three distinct groups of security threats have emerged. First of all, there are the graffiti artists and ‘hacktivists’.”
“These people have always been around. They want to make a name for themselves and break into systems just to prove they can. They tend to go for high-profile organisations, so are less likely to target smaller businesses.”
“Secondly, there are the financial fraudsters. In the past they might just have targeted consumers, but now we are seeing them target smaller companies too. Essentially, they’re chasing the source of transactions.”
“Financial frauds can be quite small individually, but those small amounts add up to make the fraudsters a lot of money. We’ve seen situations where business bank accounts have had small amounts of cash taken out regularly.”
“Finally, there are intellectual property (IP) thieves. This is an interesting one, because you might think smaller businesses don’t get targeted. However, a good proportion of smaller businesses are developing significant IP.”
“If they have any public profile – if they’ve been in the news, for instance – then they can be a soft target. They also might get targeted if they handle the IP of big clients, for example, a creative agency working on a big account.”
“More and more smaller companies are being attacked by cyber criminals, yet many still hold the view that they are too small to be targeted.”
“This leaves small organisations vulnerable to a number of risks, including attacks, data loss, service disruptions and reputation damage. Just like larger enterprises, small businesses need visibility into the threats that face their organisation.”
“Most small companies have got the message that they need to have anti-virus software. The problem is that they think that’s all they need.”
“Effective security requires constant vigilance, such as 24/7 monitoring, but most small companies lack the resources to achieve this level of security.”
“You need to really make sure your users realise that they’re on the front line. They’re very vulnerable to threats such as phishing attacks, and it’s very easy to slip and hand over credentials that compromise your business.”
“Good training is absolutely critical. Your workforce must understand that their actions can have a make-or-break effect on your company. It’s challenging, because people tend to give security training the minimum of attention.”
“A good option is to hammer the message home with user testing. At Dell, we send suspicious-looking emails to a sample of our staff each month. If someone clicks a link then we give them feedback to explain what they did wrong.”
“You might not have time to write a comprehensive security plan, so you have to focus on what matters.”
“Think about what data is critical to the operation of your company. It’s probably either going to be intellectual property or personally identifiable information about customers and suppliers. Really focus on protecting that key data.”
“On the plus side, many companies are using cloud computing services which means they don’t have so much IT in their business.”
“There’s been a lot of fear and uncertainty about cloud, but an average business can often actually strengthen security by storing their data in the cloud. Reputable cloud providers have the expertise and resources to ensure their services are really secure.”
“To an extent, yes. But there are still threats – and they tend to be different to the threats you’d face with an in-house IT system.”
“At the end of the day, when you’re choosing a cloud provider you have to trust them completely. If you don’t have the ability to do a full security audit, going for one of the bigger brands is usually a good idea. Their entire business hinges on trustworthiness, so you can almost guarantee that they’ve invested heavily in security.”
“You can also look for cloud providers who supply services into the finance and banking industries as they are likely to be much more secure.”