Which Aspects of Information Security it’s Crucial to Address for SMEs? - SearchInform


26.10.2023


Cybercrime is predicted to cost the world $10.5 trillion annually by 2025, and global spending on cybersecurity is expected to reach $10 billion a year. However, most of this expenditure is expected to come from large companies. So the question arises: what should SMEs spend their resources on?

Last year numerous large organizations, which invest in enhancing information security protection and often have a dedicated InfoSec department staffed with professional IS specialists, experienced a large number of incidents. The list of such organizations includes, but isn’t limited to:

  • Large banks
  • Governmental bodies
  • Trade companies
  • Telecom companies
  • Manufacturing companies.

If even large organizations often fail to protect themselves against information security incidents, what should executives and other employees in charge of SMEs, which have much smaller budgets to allocate to InfoSec, do? In this article we’ll share our thoughts. But first of all, it’s important to understand that, according to statistics, up to half of all cyberattacks target SMEs. What’s more, according to Barracuda Networks, small businesses are three times more likely to be targeted by cybercriminals than larger companies.

Owners of small businesses quite often don’t pay enough attention to cyber security because they believe that, due to the company’s small size, intruders aren’t really interested in attacking it. However, this misbelief turns SMEs into perfect targets for attacks.

One of the best ways to prepare for a cyber attack is to understand which methods intruders use. The list below doesn’t include all potential threats; however, it describes some of the most popular techniques that business owners should be aware of.

1)    APT (Advanced persistent threats) – targeted cyberattack

These are targeted cyber attacks, during which malicious actors hack the corporate network in several stages so as not to be detected. As soon as an intruder gains access to the network, he/she tries to remain unspotted and step by step widens the gaps in the organization’s protection. If a vulnerability is detected and eliminated, intruders try something else and continue to affect the organization. Very often, hackers remain unnoticed for 200 days.

If we consider APT attacks on a specific company, they are less likely to affect small businesses. This method is expensive and requires a lot of time, which is why hackers use it only if it’s worth it; the typical victim in such a case is a banking organization. However, if the attack targets a specific vulnerability, then SMEs very often turn out to be victims.

2)    DDoS (distributed denial of service)

Such attacks overload a company’s server until it fails or stops working altogether. The most significant risk posed to businesses is that DDoS attacks have become a very popular method for affecting market competitors. For instance, if you are planning a sale, let’s say on Black Friday, a market competitor may initiate a DDoS attack on your server, which will make it impossible for customers to purchase anything and will cause financial damage to your organization.

3)    Malicious software

This is a general term covering all programs distributed with the aim of harming organizations or gaining unauthorized access. Malicious software includes viruses, worms, Trojans, ransomware and spyware, and it is one of the most significant threats posed to SMEs. The boom of ransomware occurred in 2017, when the world faced the epidemics of WannaCry, NotPetya, and BadRabbit. In May 2017, 200,000 computers were affected by the first one alone.

4)    Password cracking (brute-force)

Fraudsters can guess a password by brute force. It should be mentioned that easy passwords can be cracked within a few seconds. Passwords can also be obtained with the help of special programs (keyloggers), which log the typed characters after the software is deployed on the victim’s PC, or with the help of video surveillance systems, both hacked and publicly available ones.
 
However, most data leaks happen because users choose unreliable passwords. Let’s refer to the survey conducted by NordPass experts, who analyzed leaked passwords belonging to the accounts of various managers and heads of organizations. Despite the fact that executives work with the most sensitive and valuable information, the following names, numbers, fantastic creatures and words were spotted among the most popular passwords:

  • Tiffany 
  • Charlie 
  • Michael
  • dragon 
  • monkey 
  • 123456 
  • 111111 
  • info
  • qwerty
  • password.

Obviously, it won’t take long to guess such passwords.

5)    Phishing

When conducting a phishing attack, fraudsters steal data with the help of visibly legitimate but in fact fake web sites. Links to such web sites are sent in emails or via messengers. Phishing attacks more and more often target organizations’ top managers. The reason is very simple: as executives are privileged users, their rights make it possible to commit the most destructive crimes (for instance, a malicious actor can persuade a company’s accountant to transfer money to his/her account, etc.). This is often called whaling. For instance, there is an infamous case in which Pathé lost more than 19 million euros (US$21.5m) through a business email compromise (BEC) scam.

6)    Attacks with the help of SQL injections

Structured Query Language (SQL) is a standardized language used by developers, and it may also be used by intruders. One of the most frequent scenarios is when malicious actors input specific commands into a web form. For instance, instead of typing a login, a hacker may input the command «' UNION SELECT TOP 1 login FROM users». If the vulnerability isn’t patched on the web site, the web site won’t check this input. As a result the server will execute the request and will share the data on the first user in the database. The hacker will then be able to continue his/her destructive activities.

Thanks to a successful SQL attack on servers, an intruder can obtain confidential information, change databases, upload/download files and even manipulate devices in the corporate network. For instance, in 2014 Drupal released an urgent patch for the core of its CMS, as all the websites built on this platform were vulnerable to SQL injection. In other words, any anonymous user could have taken control of the website.
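The following added example (not code from the article or from SearchInform) shows why the input quoted above changes the query a server runs, and why a parameterized query makes the same input harmless. It uses a constructed in-memory SQLite database; the injected string is the article's example adapted to SQLite syntax, since SQLite has no TOP clause.

```python
import sqlite3


def make_sample_db():
    # Constructed in-memory sample data; logins and hashes are made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_vulnerable(conn, login):
    # The submitted value is spliced straight into the statement, so any quote
    # or SQL keyword in it changes the query the database actually runs.
    sql = "SELECT login FROM users WHERE login = '" + login + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, login):
    # Parameterized query: the value travels separately from the statement text
    # and is only ever compared as data, never parsed as SQL.
    rows = conn.execute("SELECT login FROM users WHERE login = ?", (login,))
    return sorted(row[0] for row in rows)


# The article's input, adapted to SQLite: '--' comments out the closing quote
# that the vulnerable code appends after the value.
INJECTED_LOGIN = "' UNION SELECT login FROM users --"


def demo():
    conn = make_sample_db()
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_injected": find_user_vulnerable(conn, INJECTED_LOGIN),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_injected": find_user_safe(conn, INJECTED_LOGIN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the vulnerable lookup the injected login returns every user in the table; with the parameterized version it matches nothing, because no login literally equals that string.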

7)    Zero-day attacks 

When performing such attacks, hackers exploit vulnerabilities in the OS or in equipment firmware which malicious actors discovered before the software developers or security vendors learned about them. Such vulnerabilities can be exploited for months and even years.

8)    Internal threats

In fact, internal threats represent a fundamentally different type of threat, as in this case the violators aren’t hackers or fraudsters. On the contrary, the intruder is an employee or a group of employees who have access to the company’s data. They deliberately or accidentally harm their company; in particular, they help to commit the attacks described above. What’s more, employees may become deliberate or accidental culprits of leaks of personal data or other confidential data crucial for the company.

This type of threat is the most dangerous and the most difficult to detect. Such threats pose the biggest risks to SMEs, as insiders affect businesses much more often than hackers do.

When, not if

Before we consider how it is possible to respond to threats, we need to name the No. 1 rule for all SMEs:

A cyber threat will definitely occur. Sooner or later malicious actors will target your business; it’s just a matter of time.

Below you can find the minimal required set of measures which will help to protect the company.

1)    In terms of IT infrastructure:

  • Provide only key employees with access to confidential data.
  • Use only encrypted data transmission channels (https, ftps, reliable VPNs).
  • Regularly update all the software, deployed in the corporate infrastructure, avoid using outdated applications.
  • Regularly make backups.

2)    When working with employees:

  • Enhance your employees’ information security literacy: explain what phishing is and which techniques fraudsters use; make the use of reliable passwords an obligatory requirement and demonstrate how quickly a weak password may be guessed with the help of specific software; explain why it’s crucial to log out of the system when leaving the workplace.
  • Deploy an advanced DLP system to ensure protection against insider attacks.
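An added example (not from the article or from SearchInform) of the kind of password policy check and "how long would this take to guess" estimate the literacy point above calls for. The weak-password list is built from the NordPass examples quoted earlier in the article, and the guessing rate is an assumed, illustrative figure for an offline attack on a fast hash.

```python
import string

# Constructed from the examples quoted in the article; a real policy would
# check against a much larger list of breached passwords.
COMMON_PASSWORDS = {
    "tiffany", "charlie", "michael", "dragon", "monkey",
    "123456", "111111", "info", "qwerty", "password",
}

# Assumed guessing rate (guesses per second); illustrative only.
GUESSES_PER_SECOND = 1e10


def charset_size(pw):
    """Size of the alphabet a brute-force search would have to cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def seconds_to_exhaust(pw):
    """Upper bound on brute-force time; a dictionary word falls instantly."""
    if pw.lower() in COMMON_PASSWORDS:
        return 0.0
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def check_password(pw, min_length=12):
    """Return the list of policy violations (empty means the password passes)."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on a list of commonly leaked passwords")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if charset_size(pw) < 62:  # fewer than lower + upper + digits
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("dragon", "abcdefgh", "Tr0ub4dor&3xample!"):
        print(candidate, seconds_to_exhaust(candidate), check_password(candidate))
```

Eight lowercase letters that are not on the list still fall in about 21 seconds at the assumed rate, which is the point worth showing employees alongside the dictionary hits.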

The endeavor to avoid extra expenditure is easy to understand. However, it’s important to understand that ensuring an appropriate level of corporate security can’t be cheap; quite often it costs a fortune, and it’s important to accept that. It’s of crucial importance to hire an in-house IS specialist or sign a contract with an MSSP, which will provide you with an outsourced specialist, and to implement advanced protective software. However, as always, there is something that can be done about it: it’s always possible to optimize the expenditure.

IT outsourcing in general and IS outsourcing in particular are the best relatively cheap options for SMEs, and at the same time they quickly provide customers with results. If a company uses outsourcing services, there is no need to have an in-house team of information security officers or to spend money on such experts’ training or retraining. In fact, quite often it’s not an easy task to find such experts. Thus, in terms of information security, outsourcing turns out to be a great way to save both resources and money, as well as to overcome a rapidly growing cybersecurity skills gap.

In terms of software, choose more universal IT solutions; this will help to save significantly on both purchase and maintenance. For instance, when choosing a DLP solution, make sure that it is capable not only of preventing data leaks, but also of encrypting flash drives, so they can only be opened on a corporate PC.

Don’t let this list of threats and must-have solutions make you feel that there is some dark and frightening online world in which every actor only wants to steal your data. However, all the threats are real, and thus it’s important to be aware and well-protected.


You can secure your business now using SearchInform's Managed Services. Book a free trial here and get a full security audit of your business for a whole month.
