This year has been an important one in terms of cybersecurity, with a number of high-profile media stories highlighting the issue. For example, we had the massive eBay data breach, and in May, the details of more than one million customers of Orange were stolen.
Back in February, we saw HM Revenue & Customs warning of tax rebate scams and more reports of fraudsters using online dating sites to ensnare victims. On a broader scale, we've now found out that Heartbleed, a "catastrophic" vulnerability at the heart of the internet, could have made personal information and passwords available to hackers for the past two years.
However, cybersecurity isn't just an issue affecting large organisations. According to research by the Department for Business, Innovation and Skills (BIS), 64% of small businesses had a security breach in the last year. Our own research backs this up; of 400 small businesses (fewer than 50 employees) surveyed, 77% had been a victim of a cyber-attack in the last month, with one in five losing money as a result. Over a third of cybersecurity incidents were classed as serious – involving either the business's website being hacked, high levels of malicious spam or a loss of customer data.
Small businesses find it harder to cope with these attacks because they generally have fewer technical resources and less time and money than larger companies. As a result, many of the issues are resolved without the help of a security expert, which can prolong the problem or make it worse.
Although small businesses may not always have the capabilities to deal with the risk of attacks, there are some basic steps to follow that will help protect them in the first instance. A simple one is keeping up to date with the latest news and current trends regarding cybersecurity risks. Checking specialist sites such as Knowthenet or Cyber Streetwise makes it a lot easier to spot possible attacks before they become too dangerous. Your IT software and systems need to stay up to date too – so whenever prompted, ensure you update your browser and security applications to reduce the risk of hackers being able to gain access through them.
E is for education
Educating staff is also vital. Everyone plays a part in the business and all employees should understand the value of being cyber aware, and the importance of reporting anything suspicious. Make sure they understand the risks of schemes such as BYOD (bring-your-own-device) and that they adhere to company policies. Employees might assume that threats to the business are only relevant to office-owned equipment – but if they use their personal smartphone to check emails or a tablet to log in to a web application, then new risks can emerge.
Staff also need to be aware of less obvious means of gaining access to IT systems. For example, it's becoming increasingly common for hackers to use social engineering tactics, such as a phone call pretending to be from a customer who asks for changes to be made to an account. Employees might not be so vigilant when it comes to cases like these, so it's important that they're made aware.
Small businesses are without doubt short on time and don't always have the expertise to implement all these steps, but ultimately, responsibility for dealing with cybersecurity threats comes down to all of us. For small businesses in particular, there hasn't traditionally been much help out there – but the industry is responding.
For example, at Nominet we're currently running a pilot for a potential service called Cyber Assist which aims to explore how to help smaller companies arm themselves with the knowledge, tools and expertise needed in the fight against cybercrime. Efforts like this, as well as a greater level of general awareness about cybercrime, should help us all to protect ourselves.
With companies becoming increasingly reliant on the internet for business, customer awareness and transactions, being cyber aware is now just part of being in business. How many businesses are confident that they've done enough?
- Simon McCalla is Chief Technology Officer at Nominet. He is a fellow of the British Computer Society, and has over 20 years' experience overseeing information technology for global enterprises across retail, entertainment and consultancy sectors.