SME breach response

The recent streak of high-profile ransomware attacks might have given small and medium enterprises (SMEs) a false sense of security. It certainly looks like enterprise ransomware gangs such as DarkSide and REvil have bigger fish to fry, with operations that continue to grow in scale and scope, says Dearbhail Kirwan, Security Analyst at cyber firm Edgescan.

However, SMEs should not make the mistake of underestimating how valuable their data could be to a determined attacker. The democratisation of malware services – now available to purchase on the dark web – and the rise of supply chain attacks mean that there is no target too small for a determined attacker looking to gain a foothold into a larger net of potential victims.

For this reason, SMEs should continue to enforce security best practices. The following five points might serve as a useful checklist of the aspects that need to be taken into consideration, both before and after the unfortunate event of a security incident.

Phishing emails

Phishing emails target what is often considered the weakest link in the security chain: users. They remain the most common cause of cyber security data breaches.
Never open attachments that you are not expecting to receive, or click on links from unknown senders. Most importantly, make sure that staff are trained in identifying and dealing with phishing emails, and that they know who they need to contact should they spot a suspicious message.

Spear phishing and CEO phishing – where an attacker creates a tailor-made email that looks like it is coming from within the organisation – are much harder to spot, and staff may be more likely to fall victim to these targeted scams. For this reason, SMEs should ensure that training covers not only the mass spam phishing approach, but also more targeted approaches such as these.

Password security

Passwords need to be strong to be effective. Implement password policies that enforce the changing of passwords at least every six months, and require a considerable level of complexity, such as including upper-case and lower-case letters, numbers and symbols, and requiring a minimum length such as 10 characters. Ensure that your staff are aware that passwords should never be shared, even with other staff members, and that the same password should never be reused across multiple systems.

Data confidentiality

Data breaches are often caused by the leakage of confidential information by staff members. This can be accidental, but also intentional, such as data stolen and leaked by disgruntled or former employees.

To help avoid accidental leakage, ensure that staff training covers awareness of the confidentiality of the data and the requirements around such confidentiality. Limit access to sensitive data to only those who need access. Additionally, when a staff member leaves the company, ensure that their access to sensitive data is removed.


Do not leave any of your systems unprotected, regardless of their criticality. An inadequately protected system could potentially provide an attacker with an entry route to the entire network.

Anti-virus and anti-malware software should be installed, in addition to protection such as firewalls, both to prevent unauthorised access to the network and to limit the access an attacker may have in the event of a breach.

Know your posture

Regular tests and audits allow you to check and ensure that your systems are secure. By checking if you are vulnerable in any way, you can identify weak spots in your organisation and secure them, enhancing your security posture and reducing the risk of a data breach. Due to constant development cycles and the continual discovery of new vulnerabilities, it is important to regularly repeat these assessments.

ISO 27001 is the international standard that describes best practice for an information security management system (ISMS). An ISMS is a system of processes, documents, technology, and people that manages information risks, such as cyber-attacks, data leaks or theft.


Under the GDPR (General Data Protection Regulation), organisations must disclose certain types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. Failure to do so could result in fines of up to 10 million euros or 2 per cent of the organisation’s annual global turnover, whichever is greater.


Proper preparation for the event of a data breach ensures that, should one occur, it is simply a matter of following a defined set of processes. In order to be prepared for this eventuality you should ensure you have robust breach detection, investigation and internal reporting procedures in place.

Depending on the size and nature of its data protection processes, an organisation may be required to appoint a Data Protection Officer (DPO). It is best practice to appoint a DPO even if it is not a strict requirement for your organisation. A DPO’s responsibilities include educating employees on compliance requirements, training staff who are involved in data processing, and conducting audits. In the event of a data breach disclosure, the DPO acts as a point of contact between management and staff, and between the organisation and its supervisory authority.

Post-breach identification

Determine if the breach needs to be reported to the relevant supervisory authority under GDPR. You must keep a record of any personal data breaches, regardless of whether you are required to notify. If the breach is likely to adversely affect individuals’ rights and freedoms, you must also inform those individuals. Procedures drawn up in breach preparedness should be carried out and documented.

If notification of the relevant supervisory authority is necessary, a detailed report must be compiled, including information relating to the organisation; the nature, cause and discovery of the breach; the quantity and type of data affected; the impact on the organisation; and the preventative measures and actions that have been or will be undertaken.