Cyber-criminals are increasingly targeting organisations and their employees by using customised malware and social engineering. Users need to be educated about the dangers on the Internet and how to avoid threats like malware, suspicious e-mails, suspicious social media links and email attachments from unknown sources. They also need to be careful when sharing information on social networks.
This guide will help you to understand the serious security risks to IT assets, manage those risks effectively, and reduce or eliminate them.
Why is IT security a concern?
The Internet has made it easier than ever before for SMEs to do business, but it’s also raised the number of threats to smaller companies and their IT departments. The biggest risk is seeing their intellectual property, customers’ information or financial transaction data fall into the wrong hands. That’s why you need to protect your small business from cyber attacks.
Hackers, scammers, and identity thieves are constantly coming up with new ways to maliciously attack businesses. Security software company Symantec, in its annual Internet Security Threat Report, found that even as the number of vulnerabilities in 2011 fell by 20% over the previous year, the number of malicious attacks grew by 81%.
In its Top Cyber-Security Risks Report, HP also found that the number of vulnerabilities in 2011 fell by 20%, but that the risks involved in those vulnerabilities grew. HP also found that the number of cyber-attacks more than doubled in the second half of 2011. SMEs are extremely vulnerable.
More than half of the targeted attacks in 2011 were aimed at organisations with fewer than 2 500 employees, and almost 18% were targeted at companies with fewer than 250 employees.
Here are the top ten IT security risks for SMEs and how to fix them:
1. Trust abuses.
People are naturally trusting and may unknowingly play along with unscrupulous con artists who abuse people’s trust to compromise – or steal – company property. Make sure that your employees know how to respond when receiving a suspicious phone call or e-mail. That will help to create a culture of awareness and accountability that will lead to better protection for the business and its data.
2. Loss of accountability over employee accounts.
Shared passwords and accounts are a common occurrence in small businesses because they are convenient. But without unique passwords that are only known by their rightful owner, accountability for any actions conducted using the account in question cannot be established. SMEs must inculcate a culture of accountability that begins with properly defined and enforced security policies.
3. Insider threats.
To prevent damage perpetrated by employees with too much access, small businesses must ensure that employees are aware of their responsibilities and system privileges. Everyone must be trained annually on security awareness. All employees should sign documents indicating that they understand the training, policies and agreements.
4. Malware infections that lead to data and productivity losses.
Automatic software updates – such as anti-virus signature files and operating system patches – are often all that’s required to stay protected against the latest known system vulnerabilities.
Malware is a significant concern for SMEs, given that many legitimate websites have been compromised by malicious code. You need strong endpoint protection that combines traditional antivirus and anti-malware abilities with new reputation-based technology. All that should be used with browser protection to keep malware from infecting systems.
5. Malicious breaches that continue indefinitely.
By adequately monitoring attacks, error logs and changes on the network, small business owners can make informed decisions about investing in security. Outsourcing your monitoring needs to a managed IT service provider makes good business sense.
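As an added illustration of points 2 and 5 (this is example code, not part of the original article), the routine below reviews a handful of constructed login-log lines and flags two things a small business can act on: an account that logs in successfully from many different machines, which is the pattern a shared password produces and which makes accountability impossible, and a burst of failed logins for one account from one source, which is the kind of event that should be investigated rather than left to run indefinitely. The log format, thresholds and IP addresses are all assumptions made for the example.

```python
"""
Added example (not from the original article): a small log-review routine
that illustrates two of the points above on constructed sample data:
  - shared accounts used from several machines (no accountability), and
  - bursts of failed logins that should be investigated, not ignored.
"""
import re
from collections import defaultdict

# Constructed sample lines in a simplified syslog-like format (not real logs).
SAMPLE_LOG = """\
2024-03-01T08:02:11 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:02:13 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:02:15 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:02:17 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:02:19 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:02:21 auth sshd: Accepted password for admin from 203.0.113.7
2024-03-01T08:15:40 auth sshd: Accepted password for reception from 192.0.2.10
2024-03-01T09:03:02 auth sshd: Accepted password for reception from 192.0.2.11
2024-03-01T09:40:55 auth sshd: Accepted password for reception from 192.0.2.12
2024-03-01T10:12:00 auth sshd: Accepted password for jsmith from 192.0.2.20
2024-03-01T10:30:00 auth sshd: Failed password for jsmith from 192.0.2.20
"""

# Assumed line layout: "<timestamp> <host> sshd: <Accepted|Failed> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, result, user, ip) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["result"], m["user"], m["ip"]))
    return events


def failed_login_bursts(events, threshold=5):
    """Map (user, ip) -> failed-login count for pairs at or above the threshold."""
    counts = defaultdict(int)
    for _ts, result, user, ip in events:
        if result == "Failed":
            counts[(user, ip)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def shared_account_candidates(events, min_sources=3):
    """Map user -> sorted source IPs for accounts logged in from at least
    `min_sources` distinct machines.  An account with a single owner normally
    appears from one or two places; many sources suggests the password is shared."""
    sources = defaultdict(set)
    for _ts, result, user, ip in events:
        if result == "Accepted":
            sources[user].add(ip)
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}


def review(text):
    """Run both checks over raw log text and return a findings dict."""
    events = parse_log(text)
    return {
        "failed_bursts": failed_login_bursts(events),
        "shared_accounts": shared_account_candidates(events),
    }


if __name__ == "__main__":
    for kind, findings in review(SAMPLE_LOG).items():
        print(kind)
        for key, value in findings.items():
            print("  ", key, "->", value)
```

Run against the sample, `review` reports the five consecutive failures for `admin` from one address and the `reception` account being used from three different machines; the `jsmith` single failure stays below the threshold. The thresholds are deliberately simple so a managed provider or an in-house owner can tune them to the business's real volume.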
6. Hijacked domain names.
Loss of control over internet properties is a serious business disruption. Attackers – who usually demand a ransom – often redirect websites to illicit destinations, and intercept the conversations of unsuspecting employees and customers. Ensuring that Internet domains and hosting accounts are secured will help to protect against this type of crime.
7. Data breaches, interception and access.
Lost data cannot be recovered in any way that undoes the damage: once it has been copied or transferred, that cannot be reversed. The only effective way to prevent breaches of confidentiality is to encrypt data. To protect your business data and make people accountable for their actions, you must ensure that proper encryption takes place at all steps of the information lifecycle.
8. Breaches caused by infected devices.
Whether employees connect to work systems to read their e-mail or plug in an iPod, there is a potential for infection from devices that are used outside the relatively safe network perimeter. Connecting to work systems should be done from a dedicated work computer and not one shared by the entire family. Personal USB devices should be banned in favour of company-supplied ones that come with built-in data encryption.
9. Business interruptions due to backup data issues.
Backup and restore processes are often improperly tested and result in data and productivity losses. Many businesses are then forced to suspend operations for weeks, and may never recover as a consequence. Ensure that proper backup encryption is in place and that recurring restoration testing is performed. That way, the risk of losing data can be controlled.
10. Physical breaches and theft.
With the focus firmly on hacking and cybercrime, low-tech crime is often forgotten. In South Africa in particular, physical theft is a massive risk. Physical security measures such as bike locks and fully encrypted hard drives should be used as preventative controls against this type of crime.
Create a Comprehensive IT Security Policy
To protect your small business from the number of threats and risks that are out there, you need to develop a good defence strategy.
It’s advisable to employ multiple forms of protection, from endpoints throughout the network (firewalls, intrusion-detection and gateway antivirus technology), to monitor the network and to implement intelligent security policies. Limit access, enforce secure passwords, and educate your employees about how to use social media without leaking sensitive company information.
Small businesses should also consider restricting the use of portable file storage devices – like external USB drives – to protect against malware. Keeping security solutions and patches up-to-date is also important.