Cybersecurity, risk assessments, and GDPR
You might think that cybersecurity is something that large enterprises and nation-states need to worry about, but the small and medium-sized business sector is just as at risk from cyber attacks as any other business, NGO, or governmental organization.
As an SME you’ll be aware of GDPR and the responsibilities that come along with it. The requirements for GDPR compliance include carrying out a risk assessment and taking the necessary steps to keep personal information safe and secure.
The language that you use as an SME owner is different from how the director of a large enterprise might speak: what you call your computer system, they might call critical infrastructure or a systems network.
Whatever the differences, the security risk to all businesses from cyber attacks is rising, and unlikely to ease anytime soon.
If you receive suspicious messages, you can report them to the National Cyber Security Centre.
Cybersecurity Risks the SME sector must consider
Malware
This encompasses many of the more common attacks, including viruses, trojans, worms, ransomware, and spyware. All of them seek to enter a computer system, usually to do one or more of three things: deny access to parts of the network, steal information from hard drives, or disrupt a system so that it cannot be operated.
Phishing
These are extremely common, and most people will have seen them. This is where fraudulent emails or messages are sent from a supposedly reliable source. Among the more common are fake emails from banks asking for login details, or messages purporting to come from Royal Mail or couriers asking for a payment to complete a missed delivery.
Man in the Middle
This is where an attacker takes advantage of vulnerabilities in a network, such as a public network, to position themselves between a visitor and the network and intercept traffic. It’s very difficult to detect, and the user believes that they are sending sensitive information to its intended destination.
Denial of Service (DoS) Attacks
These work by overwhelming a system with a flood of traffic that exhausts its resources and bandwidth, so that the system is unable to respond to legitimate requests for service. These attacks can be launched externally, or from infected machines within the network; when the flood comes from many machines at once, it is known as a Distributed Denial of Service (DDoS) attack.
SQL Injection
An attacker inserts malicious code into a query that the server runs using Structured Query Language (SQL), which forces the server to deliver protected information. Website comment forms and search boxes are particularly vulnerable to this kind of attack.
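The search-box case described above, as an added example that is not part of the original article: a search handler that pastes the box contents straight into the SQL string, beside the same handler using a bound parameter. It assumes a Python back end with the standard-library sqlite3 module; the products table and its rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a product catalogue where one row is internal-only
# (published = 0) and must never be shown to website visitors.
SAMPLE_ROWS = [
    ("Desk lamp", 1),
    ("Office chair", 1),
    ("Unreleased prototype", 0),
]


def make_db():
    # Fresh in-memory database so the example runs offline and repeatably.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    # The search-box value is spliced into the SQL text, so a quote in the
    # input ends the string literal and the rest is executed as SQL. The
    # 'published = 1' filter can then be bypassed and protected rows leak.
    sql = f"SELECT name FROM products WHERE published = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    # The value travels as a bound parameter: the database treats it purely
    # as data for the LIKE pattern, never as SQL, whatever characters it holds.
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def compare(term):
    # Run one search-box value through both handlers on a fresh database
    # and return (vulnerable result, safe result) for side-by-side review.
    conn = make_db()
    try:
        return search_vulnerable(conn, term), search_safe(conn, term)
    finally:
        conn.close()
```

For an ordinary term both handlers return the same published rows; for a term containing a quote the vulnerable handler returns the unpublished row as well, while the parameterised handler simply finds no product with that literal name.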
Zero Day Exploit
Zero Day Exploit attacks are often reported in the news. This is where a new or recently announced vulnerability in a system is attacked before a patch or upgrade can plug the gap. Attackers constantly monitor systems for such vulnerabilities, so this is a very proactive kind of cyber threat.
Password Attacks
There are very many versions of this type of cyber attack, from brute-force attacks to gaining access to password databases. We’ve all read about these in the news, particularly when banks are successfully attacked.
The attacker sends a scam email injected with code to their victim. When the victim visits the genuine website, the code is activated and sends private data such as login details to the attacker. The attacker can then access the genuine user account, often a bank or online shop, where personal information or bank details can be stolen.
These are hidden inside legitimate-looking software, usually arriving as email attachments or as downloads from insecure websites. Once installed, the software is activated by a user action or by the attacker, and personal information, keys, and passwords can then be stolen.
Internet of Things (IoT) Attacks
There are billions of devices connected to the internet, from computers and servers to central heating controls, phones, and even light bulbs. All of these devices are vulnerable, and most are not prioritized in the same way from a security standpoint as critical infrastructure or computer systems.
In the face of so many potential cyber threats, it might seem like there isn’t much chance of avoiding attack, but there are steps that you can take to mitigate, if not remove, the risk to your business.
There may be a cost to some elements, but consider the impact on your balance sheet if your information security is compromised or, worse, if it is breached and you suffer a significant data theft.
Even the smallest business keeps information that falls under data protection laws. That might be records for a member of staff, a client database, or bank details in your accounting system. It might also be payments software that collects direct debits, or a larger customer database if your business is consumer-facing.
Step 1: Cybersecurity Risk Assessment
First of all, it’s important to understand the risk to your business. Conducting a risk assessment will help you to understand your systems, their weaknesses, and the threats to them. You will understand the level of personal data that you are managing, and whether you need to appoint a controller and processor according to GDPR.
With the risk assessment completed, you will have the information you need to make informed choices about the level of risk to your business and the changes that you will need to make.
Step 2: Putting Systems and Security in Place
Securing your business from attack isn’t simply about spending money on expensive software; it’s about systems and processes as well. Many of the types of attack that we’ve mentioned rely on people doing things like opening malicious emails or messages. These attacks simply go around antivirus and security software, and by the time anyone realizes, the damage is done. So considering your working practices is just as important.
For example, do staff use their own devices (even if they shouldn’t), do you have a work-from-home policy, and how have you secured it? Can company devices like laptops access insecure networks, or are they prevented from doing so? How do you manage software and hardware updates? Of course, there is an element of cost in terms of keeping software up to date and replacing hardware regularly so that it is not vulnerable simply because of its age.
Step 3: Training, Accountability, and Review
Regular training and updates on cybersecurity with your team will embed what is required of them to keep your business safe and help them to understand how important it is to follow the processes in your organization. It also allows for accountability, so that everyone is motivated to stick to good practice. You’re then in a strong position to manage expectations so that hardware is used for its intended purpose, which reduces risk and helps you identify future training needs.
Periodic review keeps you up to date and allows you to take into account new staff, updates to software and systems, and changes to your business operations. In this way, cybersecurity becomes a proactive part of your operations.