Holding Data To Ransom – Surely That Only Happens to Big Business
Nope, don’t be fooled by the headlines. Headlines are written to grab attention, and the media rarely report on SMEs because they don’t grab attention the way Google, BA or other big public organisations do.
Cisco estimates that 54% of SMEs globally suffered a security breach in 2018.
One small business in the UK is successfully hacked every 19 seconds, according to Hiscox.
Why would my business be targeted?
Ransomware criminals rarely ‘target’ you as such, unless you hold information they could sell on. Most attacks are opportunistic: the criminals are not primarily interested in what your client records are worth to anyone else. They are interested in the value your data has for you. They understand your data is precious to you and that you will pay good money to get it back.
The worst thing you can do is to pay the ransom and here’s why:
- You are funding further crime: ransom payments are used to bankroll other types of criminal activity.
- The criminals will know you are an easy touch and will come back for more.
- You may still not receive a decryption key. Even if you do, it may not work.
- Data that is decrypted may come back corrupted or incomplete.
- They may have copied your data elsewhere before encrypting it, and may sell it, publish it, or threaten to publish it, whether or not you pay.
It can make or break your business.
How can I protect my business?
Create a security culture that starts at the top of the organisation.
All of us should have security of data at the forefront of our minds in everything we do, every single day.
Consider these easy measures:
- Think about who can see your screen: a laptop on a train, or a monitor visible through an office window.
- Be careful with social media. What you, your staff and your family post could expose you to risk. Attackers often get to a CEO by watching what their family posts online and then contacting them while pretending to be their son, daughter or another relative.
- Be wary of information you give out over the telephone; criminals phone up posing as suppliers, banks or IT support to extract it (vishing).
- Act responsibly with passwords: don’t leave passwords on post-it notes, don’t share one password between employees, and don’t reuse the same password across sites and accounts.
Implement some quick wins that will help to protect your data and business:
- Staff are the gatekeepers to your data. Make sure staff education consists of regular, short, interactive courses, and incentivise your staff to take part.
- Hold several backups of your data in separate places (cloud included). Keep at least one copy offline or otherwise disconnected from your network, so ransomware that spreads through your systems cannot encrypt the backup as well, and regularly test that you can actually restore from it.
- Encrypt as much as you can, especially laptops, phones and backups. Avoid USB drives; they are not necessary now that we have cloud storage.
- Use good strong passwords. You don’t need to change them often if they are strong enough; change them only if they are compromised. Use a password manager rather than the same password for every site.
- Run software updates, Windows updates and firmware updates wherever they are available. They are vital for closing known vulnerabilities in software and hardware. Yes, they are boring and take time, but they will often speed up a slow computer too.
- Implement multi-factor authentication: something you know (a password) plus something you have (a second factor). Prefer a mobile authenticator app over codes sent by text message where possible, because text messages can be intercepted or redirected to an attacker’s phone (for example through SIM swapping).
- Use biometrics (face, retinal or fingerprint scanner) or, at the very least, a PIN on your phone and other devices.
A full security audit and gap analysis is the most robust approach for SMEs that take their security seriously.
Take a look at Cyber Essentials as a first step towards cyber security within your organisation.