Small to medium-sized businesses (SMEs) in the UK have traditionally asked…
‘Why would anyone want to hack us?’
…and in effect they used to have a point; but the rise of cloud-based infrastructure, personal mobiles / tablets as business tools (BYOD) & the social media / marketing culture has blurred the lines of traditional corporate IT security, meaning that every company is now very reachable & in the line of fire.
It’s now likely that all companies will be affected by a wider hacking event or internal theft-based security incident at some point. So if your business does not have a robust information security management system in place, backed up by clearly defined policies, you are effectively gambling with your future.
Here we summarise a few of the growing trends of threats to SMEs.
‘The Insider Threat’
In today’s harsh economic world, it is a fact of life that companies are typically looking at downsizing their workforces rather than growing.
This is often felt on the ‘shop floor’ where employees are looking over their shoulders, planning their next move… & downloading your corporate client data to use at their next employer. This happens… A lot… Why make it easy by allowing unrestricted access by mobile devices whilst at home? A Mobile Usage Policy is essential.
We spoke to a London-based advertising company in Jan’13, who had made their IT Manager redundant in November, but returned from Christmas to find he had been able to log in remotely & delete crucial client information over the festive period. Devastating results, but very avoidable by having risk management policies in place (e.g. ISO 27001 compliance).
The Rise & Rise of Mobile Malware.
Smartphones are rapidly overtaking the humble PC as the prime target of professional hackers, especially via malware. (Not surprising considering the extent of personal & corporate data on our phones, plus the direct link to your money through your monthly tariff.)
Malware is downloaded innocently, as easily as clicking on a malicious website link or downloading a disguised App. Due to the small size of the screen it is more difficult to spot ‘rogue’ links than on a PC, and through exposure to Twitter / social media we are now more likely to trust links with abbreviated lettering, or those suggested by ‘brands, followers or friends.’
Once malware gives remote access to the phone, the hacker has some element of control, which can lead to a variety of techniques to extract profit from your mobile account (such as generating undetectable calls to offshore numbers at huge rates).
From a business standpoint, they will immediately have access to corporate emails & data if there are no firewalls, encryption or Mobile Usage Policy in force, placing the corporate infrastructure at risk of infection, impaired service & even corporate data loss.
Detica & Vodafone’s announcement to work together in 2013 was based on the fact that mobile devices will be in the frontline of future cyber security & corporate data protection. Apple also admitted for the first time in the same year that mobile devices in their Cupertino HQ had been hacked, so no one is safe!
Cloud Computing Can Go Wrong!
Cloud-based IT solutions, whilst cost effective & enabling, do raise immediate issues for SMEs around the protection of data security. Moving some or all of sensitive corporate data into the cloud may render incumbent security policies ineffective, plus SLAs with cloud providers are often not scrutinised deeply enough to meet existing security & regulatory obligations – leaving your business vulnerable.
Again, cyber criminals raise their head in this area, with cloud providers becoming a targeted sector for increasingly sophisticated criminal activity. If under investigation, cloud service providers have been forced to legally restrict or suspend customer access. Could your business cope without internet access to your cloud-based infrastructure?
More topically, what is the impact if the Cloud Supplier goes bust? As we saw happen so quickly in Feb’13 to the UK group of cloud provider 2e2 – this can leave access to your company data up in the air (no pun intended!), incurring additional costs to retrieve. Have you completed an impact risk assessment to establish an adequate business continuity plan in case of loss of service? If not – you should, or you could lose your customers in a single incident.
Whilst larger corporations have the resources to address these increased risks, we understand that most small & medium-sized businesses do not employ a dedicated Chief Information Security Officer (CISO), or have the expertise or time to deal with a quickly changing threat landscape.
Assured can provide this level of business confidence. We work with SMEs on a cost effective basis to ensure that scoped, relevant information assurance, data security & regulatory compliance policies are in place to protect our clients’ reputation & increase revenue in the long term.
All of these issues are relatively easy to protect against in advance, at much less investment than the cost you would incur through the damage to your business reputation & loss of service if you have not taken steps to mitigate these real risks.
Call Assured today if you would like to discuss these issues & potentially arrange an Initial Security Review of your business.