Being aware of the nature of cyberattacks and cyber threats and their potential sources are just the first steps in protecting your business from them. It is critically important to understand your potential vulnerabilities. After all, the strongest and best protected front door is of little use if the back door is left open and unattended.
The most common vulnerabilities of which SMEs should be aware include:
This is possibly the greatest single vulnerability for SMEs when it comes to cyber threats. Individual employees can be targeted with phishing or spoof emails carrying malware payloads in their attachments and can unwittingly become accomplices to the cybercriminals. Standard antivirus and spyware software doesn’t necessarily offer full protection due to the rapidity with which new viruses and malware are being developed and released onto the net.
2. Social media
Firms of all sizes are successfully using social media for customer engagement and marketing campaigns. It has the advantages of being relatively cheap and reasonably measurable when in terms of its effectiveness.
Large organisations have quite sophisticated social media strategies which not only govern the use of the channel within the workplace but also ensure that pages and feeds are hosted completely separately from their internal systems.
This is generally not the case for smaller firms, however, and this opens up a host of vulnerabilities including the use by hackers of social media pages to gain access to networks. Staff members sharing inappropriate information or confidential data on social media also presents problems.
3. Internet of Things
The sheer volume of seemingly innocent devices which have now become cheaply available are proving to be a major security threat to SMEs. Security cameras, heating and lighting controls, intercom systems – all are now internet enabled and available off-the-shelf at low prices from hardware and electrical stores.
There have been a number of reported instances of companies installing a WiFi enabled security camera to improve security but then finding that hackers used the cameras to break into their networks.
4. Removable media
While cloud computing and readily available file sharing services may have reduced demand for removable media such as USB sticks and portable drives they are still very much in use. These devices can be easily lost or stolen and, if connected to the wrong device, compromised with malware.
5. Portable devices
Almost everyone has heard stories of stolen laptops involving celebrities such as Bono or UK civil servants. In the former case an almost complete new U2 album was on the laptop and it was returned by a well-wisher. In the latter case, the laptop contained sensitive personal data belonging to millions of UK citizens and no one yet knows what malicious use this data was put to.
Once a device leaves the workplace it represents a significant vulnerability. The same applies to company smartphones and tablets.
6. Company phone apps
While smartphones and tablets can be secured to protect the data stored on them and prevent them being used as tunnels into the firm’s network this only deals with part of the issue.
Smartphone users routinely download apps which demand data sharing permissions and these apps effectively create a backdoor to the data stored on the phone and to the firm’s email server and network.
7. The cloud
The cloud is a relatively new phenomenon but is now so widely used that it is taken for granted by many firms and individuals. In a very short time it has transformed the way almost everyone thinks about computing and data storage. It is hard to find anyone who doesn’t make some use of cloud storage solutions like Google Drive or Microsoft OneDrive while the ubiquity of accounting software solutions like Big Red Cloud have brought the power of cloud computing to bear for organisations of all sizes.
We don’t have to worry about the capacity of hard drives or servers any more, we can just order up extra cloud space for a few cents a month. And installing complex software and keeping it updated has become a thing of the past due to the software as a service (SaaS) model enabled by cloud computing.
But it can bring security issues as well. In the first instance it should be noted that there are actually two clouds to consider – the personal cloud and the company cloud. The personal cloud is the one that your employees are using on their smartphones, laptops and other devices. The problem there is what happens if they are routinely saving company files onto their personal cloud storage to enable remote or home working and their device is subsequently hacked? The consequences for sensitive company data could be very serious indeed.
There are also issues with the company cloud. Cloud computing SaaS offerings are usually secure and trustworthy. Indeed, Big Red Cloud could not survive without investing heavily in premium level security. The issues arise in relation to data storage.
Very large organisations tend to own and control their own cloud solutions and the next level below this is an expensive managed solution. But for most SMEs the cloud storage is a commodity service which is purchased according to price. The problem is that while the reseller you are dealing with may be based here in Ireland you really don’t have any idea where in the world your data is being stored and what security standards are employed. This not only creates vulnerabilities in terms of hacking but also in relation to catastrophic data loss. A fire in a datacentre somewhere in South-East Asia could result in a business losing much of its most important data.
8. Virtualised networks
This was and still is heralded as a breakthrough technology for small and larger organisations alike. A virtualised network uses software to combine various resources on a network to act as a single server or processing entity. This means that resources and capacity are used far more efficiently overall but it does have security implications as it is not readily visible where individual pieces of data are being stored.
Bring your own device (BYOD) was something of a buzz-word in the ICT sector a few years ago. It was a policy for large organisations and a reality for smaller ones. The concept was very alluring. By allowing employees bring their own devices to work and use them on the network companies would save in hardware costs and other overheads. Watching people sitting at meetings using their own iPads to share information and collaborate must have been very pleasing to the eye of financial controllers everywhere.
But, more recently, this seemingly liberating and wonderfully cost reducing concept has been relabelled “bring your own disaster” by some wags in the cybersecurity sector. Some are even using the analogy of hospital acquired infections in relation to it. People are bringing devices to work which could be riddled with malware and are infecting the network and their colleagues’ devices with them. They are also creating potential backdoors to the network for the cyber criminals to exploit.
10. Wearable devices
Allowing employees to connect their smartwatches and other wearable devices to the company network carries the same risks as BYOD. The simple answer is to prevent this but there is an increasing number of wearable productivity devices coming onto the market that companies will have to contend with.
This is by no means an exhaustive list of all the cyber vulnerabilities and cyber threats which organisations need to be aware of, it merely outlines the ones which SMEs should pay most attention to. Every firm should look at their own operations and how they do business to assess whether these vulnerabilities apply to them or whether they need to take others into consideration.
If you’re still unsure about the scale or number of cyber threats out there, then take a few minutes to read our Cybersecurity Report 2016. It will serve as a great jumping off point for you and your business colleagues to understand the cyber threat landscape and will also provide you with the information so as to take the next and absolutely critical step – review your IT set-up ASAP.