Small Business Security Basics
Problem in Chair Not in Computer
SME Security is No Picnic: There are many issues that organisations can encounter when dealing with information security; from lost files and credential sharing, to protecting intellectual property and fending off outsider attacks. As anyone working with technology knows, more often than not, these issues stem not from the technology, but instead the user.
Hence, the acronym: P.I.C.N.I.C. Not an uncommon codeword within tech support circles, problem in chair, not in computer is understood to be a trouble particularly relevant to information security.
With 34% of all breaches involving internal actors, it’s estimated that of these breaches are contributed to via careless or negligent behaviour by employees. As we can see, though many human errors can be innocuous, under-trained and error prone staff regularly cost a business funds, intellectual property and often, their reputation.
Given that the cost of data breaches grows year on year, and that human error is often the culprit behind these information security issues, we must ask ourselves: what are a SME’s weak spots, and what can be done to address these threats?
No matter the size of your business, multinational or SME, phishing is invariably going to be one of the methods of attack that will threaten your organisation. Though the click-rate for phishing emails has dropped significantly, it still remains somewhere around 3%.
Considering that all it takes is one point of failure to compromise an entire network, organisations cannot afford to put their viability at risk by ignoring the threat of human error and phishing emails.
Unfortunately for SMEs, the sophistication of these attacks has mirrored the incredulity of uses. The days of the blatant scams and Nigerian princes are largely behind us and phishing attacks can now not only be very convincingly designed, but also highly targeted.
Keeping up to date with the latest phishing trends and techniques is essential for developing and maintaining a secure culture. By enabling teams to recognise which signs to look for, and which to be suspicious of, you can help minimise the chances of losing credentials, controlled access and intellectual property.
Though a successful phishing attack can count as an element of ‘insider-threat’, this information security threat also covers the expanse of all actions performed by insiders that threaten the wellbeing of an organisation.
There’s a great deal that can be technologically implemented to help minimise the opportunity of employees to exfiltrate, compromise or steal, such as access controls, data minimisation and stringent security policies, but what about P.I.C.N.I.C?
It’s an uncomfortable truth that businesses must face; but 23% of insider attacks are malicious in nature. More complicated to address than mere accidents, management and employees alike must be vigilant and attuned to the signs that precede a malicious insider attack.
Often, members of staff may not be able to identify suspicious behaviour, or even understand the procedures that must be followed when they do. Once again, when faced with the possibility of losing intellectual property, SMEs within any sector should consider implementing training to increase employee awareness of how to defend against this form of attack.
Perhaps basic, but password security can often be an overlooked essential. Related to both phishing and insider threat, the confidentiality of login credentials is critical to the integrity of an SMEs information security.
Creating a strong password
When creating a password, best practices dictate that a random combination of four words produce a difficult to crack and, most importantly, memorable password. Although password generators are also very useful, this method allows users to create passwords that would take any would-be hackers many years to match a hash to.
Passwords should also be novel for sensitive accounts, and any password reuse should be discouraged. In the eventuality that one account is compromised through a breach, then it’s only the one password that is rendered insecure.
Somewhat contradictory to purpose, password sharing can in some workplaces be surprisingly common. Without this basic identifier of who is connecting to your networks, a business can leave themselves open to exploitation. Therefore, a single-user policy should be understood and adhered to by all members of staff.
Common to all these points for improvement is the constant issue of human error, and though this persistent issue is often difficult to avoid, by creating a secure culture mindset any organisation is capable of reducing their information security vulnerability.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
How Does the Data Protection Act Affect Businesses? Rights, Obligations and Important Concepts. Blog by Hut Six Security.
Google Warning Over Huawei Devices: Huawei concerns continue. - blog by Information Security Awareness Training provider Hut Six Security
How Much Compensation for Breach of Data Protection Act? Your Data Rights and Right to Compensation. Blog by Hut Six Security.
Phishing is a number one cyber threat, and awareness training is required to ensure all employees realise it's a business-critical matter.
What does phishing mean in computer terms? The understanding of this term is at the core of Information Security awareness. Blog by Hut Six Security.
Protecting data on your computer in 5 steps: Password Protection, VPNs, Anti-virus, Software Updates and Security Awareness.
Knowing How to Block Phishing Texts is vital to personal information security in the 21st century. Blog by Hut Six Security.
How do Information Security Attacks threaten the UK Education Sector? Blog by information security awareness training provider Hut Six Security.
There remains concerns about the overall security of storing and processing information in the cloud. Is Information Stored in the Cloud Secure?
The Biggest Data Breaches and Hacks of 2019: As a new year begins, it's time to begin reflecting on what has been observed. Blog by Hut Six