Where to start on a cyber defence strategy

Where to start?
Where to start?

2015 became something of a watershed year for cybersecurity, with high profile data breaches in large corporations seemingly making the headlines every other week. However, while attacks on household names are always very visible, the growing threat against fast-growing small and medium businesses goes almost unnoticed.

Our 2015 Trustwave Global Security Report found that roughly four in five businesses have suffered a breach in the last 12 months – but two thirds of SMEs still don’t believe themselves to be vulnerable to a security breach.

This false sense of security stems partly from the fact that many firms won’t even notice a breach has taken place, because the bad guys today have gotten incredibly good at being sneaky and successful. Growing businesses generally aren’t even investing enough in the technology to detect the most dangerous attacks, let alone protect against and respond to them. Consider this: PwC found that from 2013 to 2014, breaches of small to midsize enterprises rose 64 percent.

Why are SMEs being targeted?

Smaller firms lack the resources to equip themselves with the same sophisticated defences deployed by larger organisations, making them an appealing target for hackers. The automation of hacking tools makes it trivial and cheap for criminals to trawl the internet for weak targets and use the opportunity to scoop up information and systems that could be sold or used later. Growing companies also often have valuable intellectual property in their systems, as they tend to innovate faster than their larger counterparts, and depend heavily on IP for their market advantages.

Smaller firms are also seen as an easy way to breach the larger companies they trade with. By targeting firms that provide services like business consulting, billing services or temp staffing to large organisations, hackers can get around the bigger security budgets and tougher defences they deploy.

Dealing with technology

Smaller businesses enjoy much more agility than their larger counterparts, but moving quickly comes with its own risks. Our 2016 Security Pressures Report found that 44 per cent of IT decision makers felt the most pressure to migrate to the cloud, but 32 per cent also said it posed the greatest risk. Bring-your-own-device (BYOD) programs, unrestricted use of apps, and Internet of Things devices connected to corporate networks and machines are other popular new trends in technology that can introduce risks to the company.

It’s also vital that any tech in the organisation is kept regularly updated, as outdated software quickly leads to security gaps. Verizon found that ninety-seven percent of the attacks carried out in 2014 exploited just 10 known vulnerabilities in common software, such as Microsoft Office applications, Adobe Reader, Adobe Flash and Java.32. These were vulnerabilities for which vendors had provided software updates to fix, but victims failed to apply the patches.

Education is key

While technology is obviously key, many of the most common causes of security breaches can be addressed with simple user education. However, our 2014 State of Risk Report found that 65 per cent of organisations don’t train employees on security more than once a year, and 21 per cent have never performed any security awareness training at all.

One example is phishing scams, which target users with emails or calls impersonating senior staff, banks and others to trick them into sharing information. Training staff of common tactics and warning signs will stop most attacks in their tracks. Likewise, many users leave their systems wide open to attack with poor password practice, with ‘Password01’ still the most popular choice. In one study of close to a half-million encrypted passwords, security penetration testers from Trustwave were able to crack 51 percent of them within 24 hours and 88 percent within two weeks.

Where to start?

With so many potential risks to tackle, getting started on a security strategy can feel like an impossible task. Smaller businesses in particular may feel they lack the resources to even get to grips with the challenge, let along move to address it effectively. Asking themselves the below five questions will help business leaders to understand where they stand:

1) Are you 100 percent confident your current technology can spot stealthy attacks?

2) Is your business capable of investing the level of technology resources to establish a solid security foundation?

3) Can your in-house staff deploy and manage all of these layers of security technology and act on the intelligence they provide — even if they fear being blamed for an incident?

4) Do you have the resources to quickly respond to security incidents?

5) Does maintaining robust security make sense for the scale of your business?

Businesses able to confidently answer all of these questions are on the right track to keeping their data safe, but answering no to even one should be a major red flag. Enlisting a managed security services provider will enable them to protect their business without sacrificing agility and fast growth.