We all live in a digital age – irrespective of the location, size or industry in which your business trades, you will 99.9% likely be reliant on technology for the majority, if not all, of your business operations. From sales, marketing and customer service, through service delivery and fulfilment, to invoicing and finance – technology is the backbone support on which business is conducted in the modern day.
Residing upon that technology backbone is the data that makes our businesses tick – the customer records, product information, stock records and financial transactions; all of which you will be 100% reliant upon for the productive and profitable operation of your organisation.
At first glance, we tend to consider the things we can see as the things that are more important to us, but, today, that is not the case. With the literal security of people’s livelihoods residing in the ‘hands’ of our data and technology tools, the behind-the-scenes spine of modern business couldn’t be more integral and therefore it is of paramount importance that we protect it in any way we can.
In recent times, our absolute dependance upon technology has only increased, fueled not by the desire but the need to establish remote working environments – ensuring the survival of the operations of our businesses in a challenging environment.
In this guide we will be exploring the validity of the cyber threat, its impact in the small to medium business community, the range of threats and how to best approach mitigating the risks to your operations – combined with how this has all changed and been exacerbated in a post-COVID world.
It is time to treat data security in the same way as physical security.
It seems unthinkable to not set the alarm and lock the door when you leave the office. For most it would be a ‘no brainer’ to have gates, fences, barbed wire and cameras around the perimeter of your premises.
Why? Because we have a natural aversion to threats.
It is bred into us to be risk adverse and to ensure that we provide ourselves with as much protection and peace of mind as possible by mitigating any threat that may cause our business interruption, financial damage or reputational loss.
So, why don’t businesses generally apply the same caution and distrust in a cyber sense?
As we are living ever more in a digital age, with the physical (in a number of industry sectors) becoming less and less relevant, we strongly believe that we are beyond the time when we can still be apprehensive about defending against inconvenience and theft in a digital sense as well.
What is the threat landscape?
With the shifted reliance from physical to virtual, it is only natural that the threats would follow suit - we are not only threatened by those bent on undertaking criminal activity via whatever means at their disposal, but there is now a whole new world of threat actors that include foreign governments and networks.
Despite disruption to technology not being something new, with viruses and malware having caused hundreds of millions of pounds in losses and downtime for years, the seriousness with which cyber threats are taken within the small to medium sized business community pales in comparison to those of us that employ physical security defences.
The number of cyber criminals is growing too – no longer is the ability to conduct a cyber attack limited to expert hacker types. Through the Dark Web, underground communities are sharing malicious software tools and scripts that permit the relatively unskilled to easily undertake their own cyber breaches.
An ever-increasing upward trend in attacks, a growing pool of threat actors and an absolute reliance on technology and digitally held data must force businesses of all shapes and sizes to act.
Why and how has this worsened with remote working?
In the last year, reports show a 20% growth in attempted cyber attacks - with nearly 700,000 reported attacks within the UK alone, although the real figure is likely to be much, much higher. This large growth is likely in-part to a change in the way most businesses were working, fueled by the COVID-19 restrictions – the advent of home working went hand-in-hand with a lowering of people’s guards to best cyber security practices in order to permit the ease of working away from the office.
Personal devices
Due to the requirement to switch from the office to home working environments at breakneck speed, many businesses were forced to implement ‘BYOD’ (bring your own device) policies – asking staff to use their own personal computers or laptops to enable them to return to working as swiftly as possible.
With that switch came an instant relaxation of protocols and defences that would typically reside on company-owned IT assets. Few personal computer users install any, let alone comprehensive, cyber security defences beyond the basic anti-virus installed as part of their operating system. It is also not uncommon for personal devices to be running with outdated versions of software and operating systems – versions that are no longer supported and are, in fact, in breach of legislation, including GDPR (based on the rules of the handling of data on up-to-date supported systems).
Beyond potentially being in breach of legislation, with the lack of cyber defences in place, businesses are unwittingly opening up their data to theft, corruption or loss by permitting home users to store, access and process company sensitive information locally on their home devices. Perhaps worse, is the fact that those home users are opening the door to cyber criminals to cause more widespread damage or to steal data more broadly from across the business.
Company devices at home
Even if you are a business that operates entirely from company issued devices but in a home working environment – don’t let your guard down. The difficulties in collaborating, communicating and being productive away from the office network can result in staff taking to their own means of work – known in the industry as ‘Shadow IT’.
Shadow IT is the unauthorized non-company software and hardware, cloud apps and services used within a business – tools which will often be free and are not designed for commercial use and potentially US-based, some of which will store and process company data outside of the UK.
Staff, in most cases with the best intentions, will seek out what they think is the best means of getting the job done when they don’t have access to the tools they usually utilize in the office – but often this can be to the detriment of the bigger picture of the business. Apps that you do not control could be exploited or may be in breach of your compliance obligations, and therefore cause a much larger problem for the business the longer they continue to be used.
So, beyond the need to ensure best cyber security practices are maintained by staff while working at home, the need to arm them with the best tools to complete their work – in a secure and controlled environment, which is in the control of the company – is also vital. Business tools, such as the Microsoft 365 environment, can be more effective platforms from which remote working can be conducted securely and efficiently, as opposed to traditional server-based applications and file storage.
What action are Governments taking to see businesses better protect their data?
To encourage the seriousness with which businesses take the security of data, Governments and Industry Regulators are clamping down from both regulatory and supportive viewpoints. The ‘carrot and stick’ approach is designed to increase the level of defence applied within organisations, not only to personal and private data but generally to any information a business might store, process or share.
Regulation
The inception of the GDPR (General Data Protection Regulations), that came into effect across 25 European states in May 2018, has been the biggest shake-up to the way personal data is collected, processed, stored and shared, in years. Countless organisations implemented new controls and systems to ensure compliance across all data handling to the new regulations’ standard – however, a number of components of GDPR are often overlooked.
There is an expectation that organisations will implement suitably adequate cyber security controls, policies and procedures, in addition to the controls set up for compliance, relating to the way the data is collected and handled.
Further to cyber defences, you may be surprised to hear that there is also an obligation to appropriately backup and be able to recover data within GDPR.
Regulators have done this to ensure that not only the organisation itself handles data with integrity but that steps are being taken to prevent it from inadvertently leaking, becoming corrupt or from being stolen by third parties. From a recovery perspective, you must be able to provide (upon request) the information that you hold on individuals.
Outside of GDPR, there are a wide variety of rules and regulations that apply in a number of unique industry settings. They will often be more specific than GDPR, as they relate to the tailored data points relevant within that particular industry, but at their core. The same best practice expectations will apply as detailed within GDPR.
Whether you are a healthcare organisation and therefore subject to the more intense medical information regulations enforced by the CQC, or you are a solicitor and are bound by the legislation overseen by the SRA, as an organisation you will be expected to demonstrate that you have taken a considered approach and implemented actions to protect data.
Support
The UK Government are also specifically working to support and encourage businesses to take practical steps towards a more secure and compliant digital future, which is delivered through their Cyber Essentials programme lead by the NCSC.
Cyber Essentials provides businesses with a ‘kitemark’ style certification, which permits them to publicly demonstrate that they have taken steps to protect the data that they handle. Beneficial in acquiring new business opportunities in both private and public senses, Cyber Essentials is now a core requirement for any organisation seeking to secure Government-tendered business contracts.
Attained by completing either a self-certification questionnaire online or through a detailed audit (depending on the grade of certification), Cyber Essentials makes acquiring comprehensive cyber defences attainable to businesses at all levels.
Independent accreditation bodies conduct the assessments and award the certificates. For those businesses that lack the technical expertise within their own ranks, specialist IT support providers (like ourselves at Datek) can provide the guidance you need to be ready to apply for your own Cyber Essentials certification and achieve it on the first attempt.
What is the potential impact of those threats?
In days gone by, it would have been a mild inconvenience to have a PC or two knocked out by a virus, or suffer the annoyance of thousands of popups cluttering your desktop. It goes without saying that the potential ‘endgame’ impact has moved on quite considerably – these days, quite literally, the protection of livelihoods is at stake.
Whether it is the goal of the attacker to disrupt, corrupt or steal your data, your operational, financial and reputational loss will extend far beyond a few hours of inconvenience.
There are a wide variety of cyber threats, each designed to inflict pain in their own unique way. These include, but are not limited to, two main camps:
Malware (including Ransomware)
Malware (or malicious software) is the broad umbrella term for any unauthorised and undesirable software that is designed to manifest itself within computers and networks.
The software may be designed to strike instantly upon installation or may lie in wait, silently acting without the user’s awareness. Some of the actions undertaken by malware include:
> Ransomware
As the title suggests, malware that is designed to hold a business to ransom by removing access to data – not only on the local device but on the entire network - if the threat is not identified and stopped in its tracks.
It is the goal of the threat actor to demand considerable sums (often thousands of pounds) to return access to the files within their control.
Ransomware can deploy itself onto machines via a number of means – most commonly through email attachments (hiding in disguise as a genuine file, such as an invoice) or by duping a user into clicking on a disguised weblink of a malicious website.
> Keylogging
Keylogging software is designed to silently install itself onto a user’s device and, over a period of time, collect enough data from the user’s system key entries (tracking everything they type into their device), which it will feedback to the cyber criminal – in turn providing them with visibility of sensitive information and access credentials, such as usernames and passwords.
> Trojan Horses
Disguised as a legitimate file, a trojan horse is designed to provide a hacker with a variety of things that could include the deletion, modification or corruption of your data, the ability for them to harvest your data, spy on a device (such as accessing the device’s webcam or microphone), and even the ability for them to connect into your network.
Phishing Events
Unlike malware, phishing is not an application but a name given to ‘con artist’ style approach to a cyber attack. The goal of a phishing attack is to lure unsuspecting individuals into sharing sensitive information or dupe them into acting on the instructions of the cyber criminal by cleverly masking their approach behind what, at first glance, might appear to be a legitimate request.
Phishing attacks are most commonly conducted by email and, if well-tailored, will mask the attack behind a reputable brand that is familiar or relevant to their target audience.
Most people will be aware of phishing attacks in their personal lives, having seen suspicious looking emails purporting to be from a bank or a Government department; but, in a business sense, phishing can be far more sophisticated – masking emails as customers, suppliers or even as senior colleagues to overcome issues of recognition and trust in conducting their attack.
Also, unlike malware, the defence against phishing events is a far less technically reliant one as it is not so easy to have software detect and filter-out potential attacks. Email filtering can look for known threats and gaps in the attempts of threat actors, such as one of a number of email security parameters not being met, but this line of defence is not infallible – the core defence against a successful phishing attempt is always an educated and aware user.
What is the likely impact of doing nothing?
From a few hours of inconvenience to considerable financial loss or regulatory penalties, the costs of a cyber attack, at any level, can be considerable. And the net impact far worse should your business fail to take any reasonable steps to defend against the risks in the first place.
For full consideration, the impact landscape of failing to act against cyber threats includes:
> Operational downtime
Almost all cyber attacks will result in your IT being disrupted – whether a solo computer or your entire network, the inconvenience of hours or possibly days to rectify the problem, re-enter data and restore service is time that most businesses cannot afford to lose.
> Financial loss
The cost of operational downtime will likely be an invisible financial cost to the business in lost productivity hours. But, beyond time, should you fall victim to a ransomware attack and opt to pay the ransom, the financial loss to your organisation could be substantial.
> Reputational loss
Should you suffer as a result of a cyber attack, and that attack becomes public knowledge – whether unintentionally or because you have lost client data and are duty-bound to let them know – your reputation is at stake. Any loss of reputation will influence an even greater financial loss.
> Regulatory penalty
A successful cyber breach is likely to draw the attention of Government regulators and, subject to the legislation by which you are bound, may incur financial or even criminal penalties. This action almost entirely depends on demonstrating the level of consideration and the preventative measures you have in place, as part of your basic protection, to prevent such an event from happening.
How real are the threats?
It is not uncommon to find a level of ignorance within the small to medium business community – an assumption that cyber attacks are well targeted events that are aimed at enterprise organisations where there is more value or kudos to the attacker. While the latter point is true, the advent of unskilled ‘bedroom hackers’ has brought a much wider audience of organisation types into the attackers’ crosshairs.
It is true that, in most cases, enterprise organisations already have in place very high levels of technical and procedural defences and controls to protect against a myriad of cyber threats. Such levels of protection will deter the uninitiated cyber criminal from even bothering to attempt an attack – in real terms it is a little like a car thief. Why would they try to break into a Mercedes Benz with sophisticated anti-intrusion systems when an old Ford Mondeo could be broken into and driven away in moments?
FSB research has identified that small businesses are subject to around 10,000 cyber attacks per day – “with one in five small firms saying that a cyber attack has been attempted on their organisation in the two years to January 2019”. ¹
As one of the simplest and more lucrative forms of attack, phishing has been seen as the most common type of cyber breach – “with 530,000 small firms suffering such an attack over the past two years”. ²
The real-term figures are likely to have become far worse since this report, despite attempts being made by Governments and private IT organisations (such as ourselves at Datek) to increase education and encourage businesses to act.
The defences that will help you in tackling the threats.
There are a few areas to consider when working to implement comprehensive cyber defences within your business. For ease of planning and understanding, we have segmented these into three key areas, each of which require a different approach.
Technical
Software and hardware defences (such as firewalls, anti-virus, anti-malware, email filtering and VPNs) exist to secure networks and end user devices from breach. While defending you from what is trying to get into your network, these technical controls should also monitor and try to protect what is leaving your network – defending you against inadvertent data loss.
Beyond the fundamental, there are advancements in cyber security tools that go that one step further in employing a ‘belt and braces’ approach – tools such as endpoint detection and response can identify and kill breaches in their tracks.
Policy
There are limits to the technical controls you can implement – your people must still be able to perform and complete their day-to-day work with as little interference as possible; this is where policies come in.
To ensure compliant use of your technology and the best cyber security minded practices are adhered to, employing policies within your business is one of the best ways to mitigate against cyber breach.
Education
In the same way that policies help direct and control how people utilise IT, only through education can you ensure that they act as a ‘human firewall’ in their role as the last line of defence against attack.
You can deploy the leading edge of technical defences, but if your users are not educated and alert to the variety of threats that they might face you will forever be vulnerable to even the simplest forms of attack.
Keep your business ahead in a changing digital landscape.
We hope that you have found the information within this article useful, but if you have concerns and questions or need to ensure comprehensive steps have been taken within your organisation to defend against the dark arts of the cyber criminal world, we can help.
Our expert team take a consultative commercially-lead approach in identifying and implementing business data protection that works technically, financially and operationally for your business's requirements.
Implementing adequate cyber defences need not cost the earth – there are many fundamental controls that can be sourced and implemented at an accessible price point, ensuring that the risk vs reward for your organisation is always tipped in favour of defence.
Please make contact with our team today to explore the options that will best fit your business’s needs.
We're Datek Solutions
Since 1998 we have been managing IT support, solutions and strategy for a range of clients. We have won awards for our excellent customer service and pride ourselves on being transparent. What you see, is what you get.
What makes us different? We don’t use a one-size fit all approach. We get to know your business and everyone in it, what it needs and how we can support you to give the best solutions at the best possible prices.
Above all this, we are committed to keeping it simple for you. If there’s a solution that your company needs, or you already have and it’s essential we support it, we make sure we know everything there is to know about it.
Contact us on 01753 540000 or email us at contactus@datek.co.uk.
¹https://www.itpro.co.uk/security/cyber-attacks/358276/2020-the-busiest-year-on-record-for-cyber-attacks-against-uk-firms
²https://www.securitymagazine.com/articles/90688-small-businesses-in-the-uk-suffer-10000-cyber-attacks-daily
