Top 8 cybersecurity risks for business

A recent government survey reveals that 4 out of 10 businesses reported having experienced a cybersecurity breach in the past 12 months. This figure was even higher for larger organisations. In this article we review the top 8 cybersecurity risks businesses face and suggest ways that you can defend against them.

The terms threat and risk are often used synonymously, but from a cybersecurity perspective it’s best to think of them as distinct issues. A threat is something that might attack you; a risk is something you forgot to do to minimise the possibility of that attack or its effects. So, for example, ransomware is a direct threat, but the unpatched software vulnerability or weak security policy it exploited to execute the attack would count as the risk. Risks can also be more general, for example the cost of remediating a successful attack, which reduces a business’s profitability or hurts its reputation. So, what are some of the biggest risks faced by SMEs?

The risk of compromise

Surveys show cybercrime against UK businesses has been steadily increasing every year for 20 years or more, a sobering trend that shows no signs of slowing. A UK Government survey from March 2021 found that 39% of all businesses reported experiencing a cyber breach in the previous year, a figure that rose to 65% for medium-sized businesses and 64% for enterprises. It’s possible some of the difference between small and large businesses isn’t attack frequency so much as better attack detection. The figures were an improvement compared to 2020 but, again, this might simply reflect differences in detection during a year affected by the pandemic.

Solution: compromise is inevitable; incident response is plan B. Consider achieving accreditations such as Cyber Essentials Plus or ISO 27001.

Cyberattack costs

Attacks are now so common that, arguably, their frequency is less important than the cost of remediation, which has risen precipitously in the last five years on the back of extortion and ransomware. For enterprises, these costs run to tens and even hundreds of millions (BA, Marriott International, Norsk Hydro and many others). According to insurance provider Hiscox, the average cost of cyberattacks for SMEs, including business interruption and ransoms, was £11,000. A separate estimate for 2019 from the Federation of Small Businesses (FSB) put the cost for an SME at a much lower £1,300 per incident, which sounds reassuring until you realise the FSB noted there were nearly 10,000 of these each day. The takeaway here is not simply the obvious point that cyberattacks cost money, but that these costs can vary unpredictably from modest to crippling.

Solution: the prepared SME is the one that will write the smallest cheques. Make sure you have all of the necessary protections in place to avoid ransomware.

Data breaches and leaks

A common misconception about data breaches and leaks is that they are always caused by criminals. In many cases, however, the breach was only possible because the criminals discovered a misconfiguration that gave them access to the data. This isn’t splitting hairs; the failure to secure data has become one of the most common reasons data breaches happen at all. Sometimes this is a straightforward error in which data is left in an unprotected state, for example during application development. In other cases, the root cause is more complex. An example of the latter is the failure to properly anonymise data, that is, to remove personally identifiable information (PII) that would allow it to be associated with a real person. An infamous example of this is the 2014 incident in which the PII of New York taxi drivers was re-identified by a researcher from supposedly anonymised data.

Solution: minimising internal mistakes is a priority. Ensure your staff are properly trained in cybersecurity best practices.

The remote insider

A recent survey by the Institute of Directors (IoD) of almost 1,000 UK organisations found that 74% planned to continue with home working even when the effects of the pandemic recede. Of these, a surprising 44% believed that working from home was proving to be more effective. Some of this enthusiasm might reflect larger companies, but even among SMEs anecdotal evidence suggests that the long-term trend to work remotely has accelerated. What’s harder to gauge is the effect this has on cybersecurity. From a cybersecurity perspective, home and office are different environments: the security of the home broadband network is uncertain, and work computers must share it with numerous other untrusted devices. Mistakes that might be easily remediated in an office – opening an infected attachment – can remain invisible for far longer in a home setting. Some home workers also get into the habit of sharing work devices with family members, a clear data security risk.

Solution: endpoint isolation; least privilege; authentication.

The supply chain

The SolarWinds nation-state cyberattack has been a big wake-up call for the cybersecurity industry. In that attack, a widely used software vendor was compromised by inserting a backdoor into its software, allowing attackers to penetrate numerous large customers. This poses a risk to SMEs on two fronts. The first is that, although nation-state attacks usually target enterprises and specialist companies rather than SMEs, SolarWinds has handed commercial hackers a proof of concept that this layer of vulnerability exists. Undoubtedly, attackers have the resources to look for similar weaknesses to exploit for profit. Second, SMEs in some sectors are either part of enterprise supply chains or depend on them.

Solution: Consider achieving accreditations such as Cyber Essentials Plus or ISO 27001.

Invisible patching risks

Patching – or failing to patch – is a known risk. But what if a vulnerability exists which is not only unpatched, but invisible? A good example of this is firmware vulnerabilities, a layer not monitored for threats or exploits by the majority of endpoint security systems. To date, attacks targeting firmware have mostly been carried out by researchers or, less frequently, nation-states, but the appearance in 2020 of ransomware looking to infect the UEFI BIOS is a warning that this is on the cybercriminal radar. The same applies to Intel’s Management Engine (ME), which exists in all PCs from the last decade and is regularly patched for security vulnerabilities.

Solution: Assess firmware patching capabilities before buying equipment.

Legacy equipment

Examine most organisations’ networks and you’ll find layers of legacy equipment, including servers, applications, network equipment and devices whose lives have been extended for financial reasons. The simplest definition of a legacy product is one that no longer receives security updates, although a more realistic approach is to compare the security design and features of a given product with its up-to-date equivalent. By that measure, for example, versions of Windows/Server before Windows 10 are all risky; Microsoft still supports some with updates for organisations willing to pay, but those versions are not as resilient to compromise as later versions.

Solution: Upgrade as soon as possible; isolate or restrict the use of other legacy systems.

The cloud and SaaS

Many SMEs are keen to consolidate on-premises applications and servers using public cloud platforms such as Microsoft 365 or software-as-a-service (SaaS), attracted in part by the security protections they offer. While in principle this reduces an organisation’s attack surface (applications running on fewer services), it does not necessarily reduce the protect surface (that is, the exposure of the data and users within it). An organisation’s data still exists somewhere, and in the cloud the risk of a misconfiguration that leads to a data leak remains high. This raises the issue of compliance, and of where blame might lie should a breach occur. That can sometimes be difficult to pin down.

Solution: cloud penetration testing is one place to start.

Written by Amtivo Admin