Cyber security lessons SMEs can take into 2018

By Mark Piesing

What a year. Cyber attacks on the NHS, Equifax and the NSA, and the disruption and fear they caused, helped move cyber security from the technology section to front page news.

These attacks included headline-grabbing opportunistic attacks by ransomware and directed attacks to steal customer data. Attempts by the corporations concerned to cover up the theft of their customers’ data became as much of a story as the attacks themselves.

Then there is the “glamour” of the hackers who stole the secrets of the security state itself. And the could-have-been-me of the contractor whose security lapse enabled hackers to steal his employer’s sensitive data from his hard drive at home.

Let’s not forget what the “sloppy admin” of an Australian SME, which employed a single IT staff member, led to. Suspected state-sponsored hackers were able to steal details of the F-35 fighter and a number of other sensitive military programmes. How? The SME’s internet-facing services still had their default passwords.

Finally, this is the year when our latest gadgets have started to record our conversations, and when the fingerprint scanner or facial recognition software on our phones has successfully been fooled.

For many SMEs, the last 12 months must have felt like a maelstrom, with too few resources and too little time to deal with the latest threat, or the next one. However, it is important to remember the adage that some of life’s best lessons are learned at the worst times. If this is the case, what can SMEs learn from the challenges of the last 12 months to improve their security over the next 12?

Get the basics right

The cyber criminals in many of the attacks above relied on businesses not getting the basics of cyber security right. Basic steps that everyone can take include changing the default passwords supplied with devices, using strong passwords, backing up data regularly, and training staff. The hackers clearly understood that many SMEs were struggling to keep control of the technology they had sitting on their desks.

Devices in their office may have been connected to the internet without anyone fully understanding what data was being transmitted, to whom and for what reason. Or who, if anyone, had changed their default passwords and kept their software up to date – or even whether it was possible to do so.

Don’t get distracted

The headlines generated by this year’s high-profile ransomware epidemics can easily distract the leaders of small businesses from the threat posed by attacks directed at their businesses. Perhaps it’s time for SMEs to encrypt all of their data, so if hackers steal it they will not be able to read it.

Testing is the best form of defence

What the events of 2017 show is the need for SMEs to begin identifying the holes in their cyber defences before someone else does – and then to block them. The tools they can use include risk assessments and penetration testing.

They could even employ their own hackers to do the job for them. As a result of the WannaCry attack, the NHS has just announced that it is going to employ “white hat” hackers to test its defences in order to identify weaknesses. White hat hackers are hackers who use their skills to help companies improve their security, rather than steal from them. Shouldn’t all SMEs?

That said, this kind of testing might not uncover every vulnerability an SME has – but it will be a start.

You can’t stop every attack

The attacks we have witnessed this year have been so devastating at times for the simple reason that the companies concerned were so hung up on preventing attacks that they didn’t think about what to do when one was successful – and it is a ‘when’, not an ‘if’.

Planning for the inevitable successful cyberattack doesn’t have to be expensive. It can be as simple as frequently backing up your data and working out what you are going to tell your customers when the worst does happen – and then doing it quickly.

The hacks of Yahoo, Uber and Equifax were made much worse for the companies and their customers by the delay in letting customers know that their private data had been compromised.

Having that uncomfortable conversation with third-party vendors and contractors

What the hacks of the NSA and CIA and the loss of the F-35 data show is that the security of many SMEs depends on the actions taken by others in the supply chain, sometimes three or four steps away. This includes actions like the contractor storing confidential documents on his hard drive at home, or the decision not to change default passwords.

The lesson from this is that SMEs need to be prepared to have uncomfortable conversations with suppliers about the security they have in place, and to be tough if the answers they get don’t satisfy them.

Importance of organisational culture

“The conclusion we can draw from 2017 is that one of the fundamental weaknesses in many companies’ cyber defences is something that no penetration test will discover – and that is when the leadership of a SME has dropped the ball,” says Greg Mosher, Vice President of Product and Engineering, Avast Business.

“Too often there is no cybersecurity policy, or where there is a policy it is either too vague or too narrow, and rarely followed through. Or, as seen with Equifax, the company did not act quickly enough. In the end, if SMEs learn the lessons from these tough times today then they won’t find themselves in the headlines tomorrow.”