By Nick Martindale

Financial accounting and reporting

How small businesses can protect themselves from data breaches

21 Nov 2018

Recent high-profile data breaches involving the likes of British Airways, Equifax and Facebook have highlighted the very real threat to businesses from cyber-attackers and other parties with designs on the data they hold. But a statistic from the government’s Cyber Security Breaches Survey 2018 might have more impact for smaller firms, with 43% of all businesses admitting they have suffered a data breach or cyber attack in the last 12 months.

The threat to small businesses

The threat is extremely real and affects businesses of all sizes, including small entities.

“Historically, the fact that options for small and medium businesses (SMBs) have been few and far between, coupled with IT resource issues, has made them easy pickings for hackers,” says Arne Uppheim, director of SMB at Avast. “While there are more cybersecurity options available to SMBs today, many smaller companies have not changed their approach to security.

“According to our research, 45% of small businesses will only conduct a full health check of their IT infrastructure after a cyber-attack has occurred,” she adds. “This needs to change; security cannot be an after-thought.”

Technology protection

Technology is helping businesses of all sizes reduce their chances of falling victim to a data breach, and withstand one should it occur. Uppheim stresses the need to go beyond traditional anti-virus measures by adopting a multiple-layered approach which also includes firewalls and intrusion-detection systems. “Firms should be updating their firmware and software on a regular basis too, and implementing proper usage access rights for their employees,” she says.

Many of the major data breaches reported in the past two years were due to website breaches, platform or web application vulnerabilities, or misconfigured cloud services, says Pascal Geenens, Radware’s EMEA security evangelist. “The first two can be protected by web application firewalls,” he says. “Known vulnerabilities in widespread platforms – such as the ‘Struts’ vulnerability that was leveraged against Equifax – can be blocked through negative (blacklist) security policies while unknown vulnerabilities and custom applications are better served through positive (whitelist) security policies.”

The final category can be prevented through cloud workload protection, he adds, using machine and deep learning techniques to spot anomalies in configuration and use of resources.

Control access privileges

Technology can also help ensure businesses control who has access to hardware and software. “Some common failings that small organisations can be guilty of include a failure to identify and manage all of their software or hardware assets, whether shadow cloud solutions or servers bought on credit cards,” says Colin Marden, chief operating officer of iDENprotect, which provides technology that uses inbuilt security features on a mobile device, such as thumbprint or facial recognition, to give people secure access to corporate files and servers.

“It may be easier if everyone has admin privileges on the system or if passwords are shared, but it also may facilitate fraud or information breaches. There is also often a failure to manage endpoints, which means staff accessing their email or systems from insecure personal devices.”

Monitoring systems for any weaknesses is also vital, and increasingly technology is helping this to be automated rather than relying on humans, says Sean Keef, technical product marketing director at Skybox Security.

“In 2017, there were more than 14,000 new common vulnerabilities and exposures published – more than double the amount of the previous year – and 2018 is on track to surpass even that record-breaking figure,” he points out. “Add to that other security weaknesses, such as misconfigurations and overly permissive access, determining how best to minimise risk is an insurmountable challenge if relying on manual means alone.”

Find alternatives to sending information

There are other measures small firms can take using technology to help reduce the risk or lessen the impact of any data breach. Natasha Kobrak, senior product manager, tax and accounting, at Wolters Kluwer UK, stresses the potential of collaboration platforms such as its CCH OneClick product as an alternative to sending documents or other information over email. “Documentation can only be exchanged between the relevant contacts associated with that account, doing away with any risk of human error when sending information via email,” she says.

Fraser Kyne, chief technology officer at Bromium, highlights a trend towards virtualisation-based technologies, which focus on mitigating the impact of any attack rather than detection. “By opening each web page, document or email in a micro-virtual machine, even if a user does click on something bad, it has no impact on the business as it is isolated from the rest of the device or network – the hacker has nowhere to go and nothing to steal,” he says. “Effectively, it’s like having a stack of multiple disposable PCs so when you close the browser or document, the malware is thrown away as well.”

Up to now, this kind of technology has been used largely by governments, the military and large enterprises but it’s now possible to install this level of security on any laptop. “Many businesses still don’t know about virtualisation in a security context but this is changing and soon we will see virtualisation being built in as standard,” he says.

“For instance, the latest HP laptops now come with SureClick which uses Bromium’s virtualisation-based security to provide browser protection.”

Preparing for the worst

Small businesses also need to have robust plans in place so they can access data should an event take place. “This includes ensuring that data backup and recovery processes are followed so that critical data is saved should the worst happen,” says Florian Malecki, VP products at data management and protection firm StorageCraft.

“In addition, many small businesses find that as they scale, the volume of data they send, receive and store grows exponentially, with existing storage systems unable to cope, becoming liable to crashes or failing backups, leaving systems vulnerable to attack as a result. If businesses fail to invest in scalable storage architecture or don’t work with managed service providers to scale as they grow, they are at risk of outgrowing their storage architecture, potentially leading to data loss and increased susceptibility to ransomware.”

Being able to respond quickly to an incident is also vital, which means using technology to identify any attacks. “The goal of any organisation should be to reduce the ‘dwell time’ – the time from when the attack starts to when it is identified,” says Rashmi Knowles, field chief technology officer, EMEA, at RSA Security. “To meet this requirement organisations need to invest in monitoring technology such as Advanced SIEM (security incident and event management) to identify the attack as soon as it starts and improve response time after the attack is identified. SIEM platforms also offer behaviour monitoring solutions to combat the risk of insider threat.”

Hackers exploit human error

But technology alone is not sufficient to help protect from, and respond to, the increased threat of a data breach or cyber attack.

“There are some great tools available to tackle the spread of cybercrime, but it’s also important to recognise the dangers associated with poor security practices at the employee level,” says Uppheim. “Humans make mistakes and hackers like to exploit human mistakes, so businesses should be discussing security best practices with their employees on a frequent basis. If employees know how to spot phishing links or an email with malicious intent, the company’s overall security posture will improve.”

Perhaps the biggest danger of all for small firms is thinking that they are too small to be of interest to hackers or cyber-criminals. “Cyber-criminals very often target small businesses as they are rich pickings for personal and financial data,” warns Knowles. “They know that smaller companies have many vulnerabilities and open doors for the adversaries to compromise.”

Nick Martindale is a freelance journalist, editor and copywriter. He regularly contributes to a wide range of national and business media, including The Telegraph, Raconteur supplements in The Times and HR magazine.