It’s perhaps a little ironic that at the same time as I was being dispatched to the Mobile World Congress in Barcelona last week to talk with security evangelist Tony Anscombe, from the pioneering IT security firm ESET (https://www.eset.com/), my PayPal account was being hacked and several hundred dollars illegally removed from my bank account (expect a blog post documenting the resolution process soon).
Yes folks, I can testify to the fact that the threat of online fraud is a very real one and even we well-seasoned eCommerce hacks can fall foul of cybercriminals if we are not careful.
The fact is, as businesses and individuals become ever more connected (and perhaps more complacent about the risks), the threat from cybercrime grows. And it’s not just the big guys (who garner all the headlines when attacked) who are potential targets: according to Anscombe, the threat is as great (if not more so) for smaller organizations.
“Companies of that size (SMEs) have very specific challenges. If I’m in an enterprise of 20,000 people, they’ve probably got 500 IT people and have a group of people in the organization who are security experts, whereas the smaller organizations will employ generalists. This isn’t to say they aren’t super-smart guys but they are generalists as opposed to specialists. Cybercriminals will look to target smaller companies because they are less protected or have less expertise in how to protect themselves.” Tony Anscombe, Global Security Evangelist, ESET
Regardless of company size, a cyberattack can have wide-reaching consequences for the business and its reputation.
Anscombe cited a data breach at the U.S. retailer Target in 2013, which cost the company more than $200 million after hackers gained access to its systems via credentials stolen from a third-party supplier (a heating and ventilation company).
The fact is, your security is only as strong as its weakest link, and that weakest link could be an employee or a business partner with an unprotected smartphone, laptop or even just a USB memory stick.
The impact from a cyberattack can be devastating for a small business.
“If an SME had a virus coming in, they could probably deal with it but if you’ve been targeted as the conduit to your larger customer, the risk to your business reputation is huge.”
He added that any company doing business with a smaller business, especially if they are putting in a network connection or taking data from them, should be doing some form of security due diligence.
So what can smaller guys do to protect themselves?
Anscombe suggests it’s all about following good practices. These include:
Two Factor Authentication
This is an extra layer of security beyond the standard password and username combinations used to access devices and software applications. Two Factor Authentication usually requires a specific piece of information that only the user has access to.
While this might sound complicated, you probably already use Two Factor Authentication without knowing it – as it’s generally used to access online banking services.
Knowing Where Your Data Is
Not as crazy as it sounds. If you have (for example) a salesperson with customer data on their own personal smartphone, can you guarantee that data’s secure? GDPR makes this very interesting because it requires all businesses (not just in the EU) to secure EU client data.
If you sell to or partner with anyone in Europe – you must adhere to the regulations. A good starting point is to turn off any applications running in the background of your website that you don’t use and that may be tracking customer/visitor information.
Are you managing all your devices correctly? Have you got anything that tells you what versions of what software you are currently running? Is your machine patched and does it have the latest updates on it?
Cyberattacks, like last year’s WannaCry ransomware attack, which brought IT systems in the NHS in the UK to a grinding halt, often find vulnerabilities in poorly managed/maintained networks. Remember, prevention is always better than a cure (something the NHS should have known).
Carefully Manage Use of Bring Your Own Devices (BYOD)
If employees use their own personal devices (smartphones, laptops, etc.), it’s vital that devices are fully encrypted, protected with anti-malware software and can be fully wiped in the event of theft or attack.
Employees should not be downloading unauthorized apps or software onto work devices or copying/storing data to personal devices and memory sticks (remember those GDPR rules). To demonstrate the point, Anscombe showed me how he carries two devices (work and personal).
The Internet of Things (IoT)
There’s a whole raft of other technology coming online and potentially connecting into business ecosystems. It’s important to understand what systems you are putting into the workplace and whether they pose a potential threat.
Some of them may not actually be securable. Anscombe suggests that business owners should host their business-critical and non-business-critical services on separate networks.
For example, online security cameras should not be connected to a network that has access to customer data. This means that if the security system is hacked, cybercriminals won’t find their way to more valuable data.
Human error often presents the biggest opportunity for cybercriminals to attack an organization. It is therefore vitally important that employees are made aware of the risks and trained to avoid “rookie” mistakes like clicking on links in “phishing” emails or downloading unauthorized apps to the network.
A New Threat
It’s not just “traditional” business tools that represent a security threat to businesses and individuals, as any Internet-enabled device is a potential target for cybercriminals.
ESET have recently launched a new security product for Android smart TVs (https://www.eset.com/int/about/newsroom/press-releases/products/eset-launches-eset-smart-tv-security-to-protect-smart-tv-users-from-rising-malware-threats/) which protects devices against malware, ransomware and phishing attacks. Anscombe believes that the threat to these types of devices could come from an unusual source.
“We’re in the early stages of the smart TV market now. At this time, would I start downloading apps? No! Would my son play games on the TV and download a few apps? Maybe.”
Could your child be the biggest risk to your cybersecurity?
Anscombe then showed me an example of an unscrupulous Bitcoin mining app, constantly running in the background of a smart TV, stealing bandwidth, slowing your device down and making someone else money while you are watching your favourite soap or boxset.
While this potential attack might not put the fear of God into you and get you rushing out to secure your device, consider how you might feel if cybercriminals gained access to your device’s microphones and cameras without you knowing. Terrifying, isn’t it?
How secure is your business and personal data?