It is commonly misunderstood that hacking only happens to large businesses, and given recent press coverage of large-scale attacks on TalkTalk and Sony, it is understandable that this misconception exists.
Many small business owners have told me in the past, “Nobody wants to hack into my business.” The reality, however, is that hackers use many techniques to automatically scan large portions of the internet all the time, looking for vulnerabilities.
Once a vulnerability is found, whether it is an old firewall, a password that has never been changed from the manufacturer’s default, or an employee’s password set to “password”, the automated scanner software will let the hacker know that it has found a new target, and from that point you are at the hacker’s mercy.
The key point here is that in most cases, until the hacker starts trawling through the data, they still don’t know the name of your business, where it is located, or what kind of data you have.
If you are fortunate enough not to have had your company data deleted or, perhaps worse, publicly disclosed on some website, one thing you can be sure of is that the hacker will then use your internet connection to continue scanning other portions of the internet. This keeps their identity hidden and makes it appear to the next company that one of your own employees carried out the attack.
Over the last decade, many of the tasks described above have become automated, and now most tech-savvy teenagers are able to carry out scanning and security breaches from the comfort of their bedroom, with their parents none the wiser. In the TalkTalk incident, where over 157,000 of its customers’ personal records were leaked, the alleged hacker was just 15 years old and supposedly carried out the attack as a dare!
The reputational damage and legal consequences of this are not inconsequential. The UK Government recently stated that in 2015, the worst breaches of small businesses cost between £65,000 and £115,000 on average. When you consider that in the last year 60% of small businesses experienced a cyber breach, it is clearly a serious problem.
The UK Government is currently focusing on tackling cybercrime under its Cyber Essentials initiative. In the meantime, there are 5 immediate steps that every business should be taking:
- Ensure password policies are in place, requiring all employees to use alphanumeric passwords of at least 6 characters and to change them at least once every 6 months.
- Ensure your firewall hardware and antivirus software are regularly updated.
- Ensure your IT provider is carrying out regular vulnerability scanning to alert you to any new potential methods that could be used to gain access to your systems.
- Ensure all your data is backed up off-site and that recovery of the data is tested regularly.
- Ensure you put a Disaster Recovery procedure in place so that your business can recover quickly from loss of data or access to systems.