For many small-to-medium-sized businesses in the UK, 2020/21 has been a time of upheaval and transition. The adoption of digital technologies has been essential. It was a case of digital or die.
However, the rapid transition has left numerous businesses without an IT security strategy. And that could be a major problem. Understandably, there are squeaky bums in C-suites and IT departments up and down the country – especially with the increasing number of high-profile data breaches and the confusion around data protection laws.
The latest high-profile data breach was GoDaddy – the leading domain register in the world. Hackers reportedly got access to over 1.2 emails, the original admin passwords and SSL keys.
Data breaches like these expose GoDaddy customers to a heightened risk of spearphishing attempts. We have covered spearphishing in a previous post.
Whenever a major corporation is hacked, online criminals go after SMEs next. Whilst the payday for a ransomware attack won’t be such a windfall, SMEs are an easier target because they are less likely to have appropriate cyber defences in place.
Cybersecurity then becomes a critical issue for businesses of all sizes. And the more sophisticated cybercriminals become, the more important it is for SMEs to replace outdated IT security strategies.
It’s been reported that one in five small businesses suffer a data breach. Sixty per cent of them go out of business within six months. To ensure business continuity, SMEs cannot afford to ignore IT security.
What Constitutes A Data Breach?
Data protection legislation introduced in Europe and the UK in 2018 – General Data Protection Regulations – sets out the conditions of a data breach.
Article 5(1) states that data must be: ‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Information Commissioner’s Office (ICO), the governing authority established to ensure companies are compliant adds:
“A key principle of the UK GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.”
However, the authorities do not provide guidelines that stipulate what the ‘security principle’ actually is. What we can say is that ‘appropriate security’ involves implementing an IT security strategy that is capable of preventing a data breach.
An IT security strategy will clearly look different from one business to the next. SMEs cannot be expected to install the same cybersecurity defences as a bank, for example.
First of all the parameters are different. Secondly, firms should only be realistically expected to install security defences that are appropriate for their disposable budget.
We expect that an IT strategy that is ‘appropriate security’ for an SME’s budget minimises the risk of a data breach and should not be subject to GDPR penalties.
Penalties are handed out at the discretion of the ICO – and it’s anybody’s guess what they will decide. In their Regulatory Action Policy, the ICO has said they will take a “selective approach to the action we take”.
Realistically it would be unjust for the ICO to hand out penalties to SMEs that have done everything in their power to prevent a data breach within the confines of their budget.
However, even if you escape financial punishment, your profits can be damaged another way.
UK GDPR states businesses have a duty to report data breaches to individuals that could be affected within 72 hours. This basically means that if a clients name and email have been stolen, it could be used for ID fraud. Therefore, you have an obligation to inform the individual(s).
In other words, assume that practically every data breach will need to be reported to affected parties.
What are the types of Data Breaches?
GDPR describes several types of data breaches which are categorised as follows:
Confidentiality breach – unauthorised disclosure or access of personal data
Integrity breach – unauthorised, accidental or illegal alteration of personal data
Availability breach – loss of personal data
Leading cybersecurity firm, Kaspersky explains that a data breach can occur by any of the following methods:
Accidental insider: data that is accessed unintentionally by an unauthorised person. This can be avoided by setting permissions.
Malicious insider: a disgruntled employee or “corporate spy” intentionally accesses or shares data with the intention of using the data by nefarious means (ID theft, selling to a third party, revealing trade secrets).
Lost or stolen devices: any devices that stores personal data or can be used to access sensitive data goes missing
Malicious actors outside the firm: we’re essentially talking about hackers here, cybercriminals that break into a business network or software app by means of malware, phishing or brute force attacks.
Shared Responsibility for Cloud Security
Cloud security is a shared responsibility between the club provider and their client. The share of responsibility is determined by the type of cloud storage you use and the nature of the cloud service provided.
To keep it simple, cloud providers are responsible for the security of their cloud network (i.e Microsoft Azure) and end-users – businesses – are responsible for the security of the broader business network.
There are three types of cloud strategy:
The most common type of cloud service is the public cloud offered by the likes of Microsoft (Azure), Amazon (AWS) and Google (Cloud Platform). Because the cloud vendor owns the infrastructure they owe a duty of care to their customers to protect vulnerable cloud gateways from being infiltrated.
They do this by issuing regular security updates – known as patches. However, once the cloud provider issues a patch, it is the responsibility of business owners using the service to ensure their network is updated with the latest security patch immediately.
SaaS (Software as a Service):
Less common as a security measure, but still widely used among small businesses is SaaS (Shopify, WordPress, Trello, Zendesk). Again the SaaS company is responsible for ensuring there are no vulnerabilities that can be exploited in their software.
From the user end, it is your responsibility to prevent unauthorised access from the frontline by deploying strategies such as downloading the latest software updates, setting permissions correctly, using strong passwords and updating passwords regularly.
It should be noted that relying on SaaS as a security defence in its own right will probably not suffice as ‘appropriate security’. At best, SaaS is a layer of security, not the entire defensive package.
Private clouds are owned solely by the individual business – which makes the exclusivity expensive because there are no shared costs. That also means that a business is responsible for the entire security protocols of their network because it is hosted on the organisation own data centre and doe not involve a third party.
As UK companies transition from onsite servers to public clouds – often in conjunction with SaaS applications, they become more reliant on third parties to protect data on their company.
That does not mean that if a SaaS company is hacked malicious actors will have access to your data. In actual fact, that’s unlikely because data in the cloud is encrypted so would appear gibberish.
However, cybercriminals would get access to the names and email addresses of the person in your organisation that registered for the service. Consequently, they could become the target of spearphishing attacks.
An IT support provider that delivers a range of security services – like Micro Pro – can also help you to manage your part of the responsibility. For example, patch management services ensure that every device on your network is updated in a timely manner.
IT Security Strategies
There isn’t a blanket strategy that will satisfy the cybersecurity demands for every business. However, the ICO does have a set of rules that determines the level of resilience a business should be expected to have.
Whilst every IT security strategy will be customised to some degree, there are specific steps that should be taken by every company. We have outlined them below.
Before we get into the nitty-gritty, it’s worth pointing out that an IT security strategy should be proactive and reactive. Proactive strategies include implementing defences that prevent breaches and reactive details the actions that should be taken if your defences are exploited.
Install Anti-Virus Technology
Anti-virus software is one of the most essential tools in any IT security strategy. They are able to detect vicious code is associated with tools used by cybercriminals such as spyware, ransomware, phishing attacks etc).
The software should be downloaded onto every device that accesses your business network or wireless network where they run in the background waiting to prevent the system from becoming infected.
If a threat is detected, anti-virus technology isolates the threat and puts it in quarantine – a safe storage unit where you can check to see if the code is malicious with putting your system at risk. If you are confident the file is not a virus you can release it back into the system. Otherwise, delete it immediately.
Training and Awareness on Data Protection Issues
It is believed that over 90% of data breaches are caused by human error. Oftentimes, an employing is caught out by clicking on a malicious link or downloading a file embedded with malicious code.
Providing cybersecurity training to raise awareness is more important now than ever – especially for firms that deploy a distributed workforce or allow employees to access your business network on personal devices.
Your staff needs to know how to identify potential cyberattacks and also what to do if they receive a suspicious email. Most attempted cyber-attacks come via email – known as phishing.
Phishing attacks are becoming more difficult to spot. Would-be hackers are designing spam emails that appear to have originated from an established business such as Microsoft, Apple, a bank, a department store and even government agencies.
If your employees are affiliated with any of these known entities they may unwittingly click on a link. However, if your staff is aware of cybersecurity threats, they will follow safety procedures to ensure they know links are safe to click and attachments are safe to open.
Employees should also be encouraged to use strong passwords and update them each month. Two-way authentication is another defensive layer we recommend adding to your IT security strategy.
Endpoints related to any device that is authorised to access your network – desktop computers, laptops, mobile phones, tablets etc. Your business network is also an endpoint.
Firewalls prevent unauthorised devices from accessing your network or your wi-fi/internet. Businesses with a remote workforce will also need to erect firewalls on the home wi-fi networks of any employee that is authorised to access your business network from a remote location.
In addition, activate the encryption option for every piece of software so that passwords are required for access. Also, purchase separate accounts for each of your employees.
Software that is released into the marketplace will eventually become outdated and vulnerable to cyber-attacks. To prevent vulnerabilities from being exploited, software companies issue security patches that should be updated onto user devices.
Whilst this is an essential piece of the cybersecurity conundrum, software updates can be out of the control of your IT team. If so, you are relying on employees to update the software on their personal devices. Can you trust all your employees to update their software?
The best way to avoid any mishaps is to adopt patch management services offered by IT support providers. Patches can be fixed automatically from remote areas as soon as software companies release the latest version of their app.
Internal Reporting and Investigation
The ICO says that businesses should have an ‘investigation and internal reporting procedure in place’ detailing what actions should be taken in the event of:
- the detection of a potential cyberattack
- A data breach
The report should facilitate decision-making and address how you will assess, identify and modify your IT security strategy moving forward.
Internal reporting should include a risk assessment that should be assessed periodically and updated appropriately. The risk assessment shows that ICO that your business has an ongoing commitment to protect personal data.
Managed IT Security Strategy
Teaming up with IT support services can prove to be a major benefit to SMEs that don’t have the time, resources, knowledge or skill set to implement an appropriate IT security strategy.
Our team of experts has years of experience planning, implementing and managing IT security strategies – for onsite servers and cloud solutions. We use the latest technologies, keep up-to-date with the latest hacking techniques and provide a first-class service to ensure your security defences are as tight as they can be.
If you want to know more about how our team of specialists can help support your business, contact us today and speak to one of our knowledgeable experts.