It’s fair to say that cybercrime is a threat to businesses of all sizes. But the reason a large percentage of small businesses suffer a data breach is that they make cybersecurity mistakes.
I’ll say this off the bat. This is not an article twisting your arm to invest in cybersecurity measures. We’re not here to promote scaremongering content.
Last week, we published an article titled Cybersecurity Solutions do not Have to be Expensive.” In the article, we discussed various ways in which you can defend your business network against the threat of cybercriminals without paying the hefty costs cybersecurity companies to charge for their services.
We must emphasise that it is important to implement effective defences to protect your network. Not only are you defending yourself against hackers that could steal money from your bank account, but you’re also defending yourself from government-issued data protection laws.
If the hackers don’t put you out of business, data protection laws will. For example, Article 33 of the UK’s (and EUs) General Data Protection Regulations states that businesses must inform stakeholders that could be affected by stolen data within 72 hours of a data breach.
This means that if you store data that is classed as “sensitive” and is stolen by hackers, you are obligated to let your customers know. An email address is classed as sensitive data.
Reports reveal that a data breach decimates customer confidence and damages a brand’s reputation. A Verizon study found that 69% of consumers would avoid a company that had suffered a data breach.
Cybersecurity best practices do not have to be complicated. The best place to start is knowing where threats exist and putting best practices in place that enable you to eliminate or significantly minimise the risk.
In the article, we’re going to highlight the most common cybersecurity mistakes we have identified in UK businesses.
Not Providing Cybersecurity Awareness Training
Employees that are not cybersecurity aware represent the biggest threat to your business continuity. Earlier this year, a report coming out of Stanford commissioned by Tessian reveals that 88% of data breaches are caused by human error.
Most of these errors, or “employee negligence,” is caused because employees are not aware of the cybersecurity threats. For example, whilst most people are aware of email phishing attacks, do you know how to spot a spoof email?
Or did you know that hackers are infiltrating Microsoft Teams to drop malware-infected documents into chats?
If you’re not aware of the various techniques deployed by hackers, there is a higher risk of you falling victim to the traps.
We recommend reading our article about the latest techniques hackers use to exploit business networks. Look out for more content like this in the future. It is our duty to keep you informed.
However, it is the responsibility of businesses to ensure their staff is educated about cyber threats. If employees are not aware of the dangers, the risk of a data breach is significantly increased regardless of the security software you’ve installed.
Awareness is a stronger defence than software.
Spoof phishing attacks are common threats that employees encounter on a regular basis. This is a ploy that is typically sent by email but could also arrive via SMS.
The technique involves a hacker pretending to be a trusted contact and encourages the recipient to click on a link or download a malware-infected document that will eventually give them access to your business data.
Because spoofing is designed to look as though it has come from a trusted source, they are more difficult to spot. And so far, anti-virus software is not doing a great job in identifying spoof emails despite obvious indicators that flag them up as suspicious – if you know what to look for.
Failing To Update Software with the Latest Security Patches
After educating your staff about the threats of cybercrime, your next priority should be to build a strong culture around business security. How easily this hits home will largely depend on the size of your business and the responsiveness of your employees.
Instilling the need to perform security updates is one of the grey areas that SMEs find difficult to police. Yet software vulnerabilities are one of the preferred methods used by hackers because they represent a potential source of access.
This is how it works.
Whenever software is programmed and released into the market, it usually contains flaws in the code. This is because software programs require complex codes to function and are often imperfect.
However, imperfect coding can be exploited by skilled hackers. Fortunately, there are not that many skilled hackers around looking to steal the data of SMEs. Most crack-hackers work for nation-states and large corporations.
However, the tools that general hackers use to infiltrate SME networks are available on the dark web. Cybercrime tool kits include technologies that can identify vulnerabilities in software such as productivity suites and the various apps used by SMEs.
To minimise the risk of hackers exploiting software flaws, manufacturers spend millions of dollars to identify gateways and patch them up. A security patch is nothing more than a correctly written code.
Security patches are subsequently released on security updates. Once the patch is released, it is the obligation of companies to update the software to activate the security patch. One of the biggest cybersecurity mistakes SMEs make is not installing patch management software.
If any of your employees fail to update the latest security patch and you suffer a data breach as a result, the company will be held accountable under the terms of GDPR. You will be obligated to inform the affected parties, which, as mentioned above, will probably result in a loss of customers.
Weak security rules are another or unsecured hardware and software that leaves your business network exposed to cybercriminals. For example, open ports and misconfigured services via online applications are among the most common causes of a data breach.
Threat actors use scanning technologies that are able to identify open ports which they can use to access your business network as an initial attack vector. If this happens, hackers increase their chances of stealing account credentials using various types of nefarious malware to take over an infected device.
Most gateways that open to attackers come through single devices such as smartphones, laptops and tablets. IT managers can minimise the risk of hackers accessing files that store sensitive data by setting access permissions.
Access permissions come in several forms. Firstly, there is identity authentication. This essentially uses software that identifies the individual trying to access a particular account. The most basic form of identity authentication is a username and password.
However, hackers can easily steal basic login credentials if they are successful in exploiting a device with malware using one of the methods described above. One of the most common cybersecurity mistakes is not enforcing protocols that reinforce security around logins.
A common option to reinforce login identity authentication is to use multi-factor authentication (MFA). You will already be aware of this if you use online banking or have an email account with tech companies such as Google or Microsoft.
MFA adds an extra layer of security by sending a code to a physical location. In theory, MFA establishes a person’s identity by sending a code to a mobile phone which will verify the person trying to access the account is in the physical location the system detects the access request is originating from.
Whilst MFA significantly reduces the risk of suffering a data breach, it’s not foolproof either. It has been reported that hackers utilise various techniques to intercept SMS messages that contain identification codes.
We, therefore, recommend adding another layer of security. This will involve setting access permissions on software, files, documents and drives. Staff should only be given access permission to data they need to access to perform their job.
Failing to Back Up Data
Backing up data won’t prevent a data breach, but it will protect you from losing all your data in the event of a ransomware attack. When you store data in the cloud, you can recover it from devices and accounts that have not been compromised.
If you’re not already aware of how ransomware attacks work, allow me to explain. It’s quite simple. A hacker take over your computer, locks you out of your account and will not let you back in until you pay a “ransom” fee.
Your data is literally held hostage. But if you have other ways of accessing the data, hacked cannot hold you to ransom. They will still steal your data – which they will probably do even if you paid the ransom – but you will at least save several thousand pounds or more.
Neglecting to Enforce Cybersecurity Policies
Every business is obligated to implement a cybersecurity policy. It’s in your best interests to adopt best business practices – which we describe in last week’s article titled, ‘Cybersecurity Solutions Don’t Have to be Expensive’.
Enforcing certain rules is necessary to reduce the risk of cybersecurity. Your employees may not like some of the rules, but this is where the importance of cybersecurity awareness training pays dividends.
A cybersecurity policy should restrict employees from performing certain actions that could leave your business network exposed to cybercriminals. Basic protocols should include setting strong passwords and intermittently upgrading login credentials.
Cybersecurity protocols should also restrict employees from accessing certain websites with the same devices they use to access business networks.
For example, do not allow employees to use personal devices to access their business email if they use that device to browse the internet or store apps on it. Cybersecurity mistakes occur in small businesses because employees compromise their personal devices.
The proliferation of content that is potentially infected with malware is at an all-time high. Microsoft recently activated a default security setting in Microsoft 365 that prevents users from downloading pdfs. You can also update settings that block emails from outside sources.
Companies that deploy a distributed workforce should also dissuade employees from accessing business data on unsecured public Wi-Fi. Hackers can exploit public Wi-Fi connections using several methods:
- Man-in-the-Middle (MITM) attack
- Session hijacking
- Acquire airborne information
- Creating fake Wi-Fi connections
It can be easy for a hacker to set up a fake network – the preferred man-in-the-middle attack, particularly as businesses prepare to switch to 5G. Hackers simply use the existing Wi-Fi connection and add 5G. Users that want the faster network will be persuaded to click on the fake 5G option.
The simple solution that prevents employees from using public Wi-Fi networks is to purchase an internet broadband package that can be installed on multiple devices.
Avoid Cybersecurity Mistakes
We appreciate cybersecurity can be disruptive, confusing and frustrating for business owners and IT professionals that do not have the relevant experience. We know it can be all these things because it can be confusing and frustrating for our experienced IT professionals in London as well.
The fact of the matter is that cybersecurity is a specialist area of IT that requires continual learning, planning and strategy. If your in-house IT team does not have the relevant experience in cybersecurity, there is a higher risk that you are making cybersecurity mistakes that could leave your business network exposed to threat actors.
If you’re unsure how secure your business network and protect your data, the best option is to work with IT support professionals in London that provide proven cybersecurity strategies. Our experts will ensure you avoid any cybersecurity mistakes.
Teaming up with our cybersecurity experts will not only protect your sensitive data from being stolen. We can ensure your employees are properly informed of potential threats and keep you up-to-date when new threats emerge. Our keen-eyed professionals always keep up-to-date with the latest news.
Furthermore, we prepare you with a customised IT package so that you only pay for the service you need. This means you avoid paying for services you either don’t need or that you don’t use.
If you want to know more about how our team of specialists can help support your business, contact us today and speak to one of our knowledgeable experts.