Many SMEs feel overburdened by fast-moving changes in IT, but cybersecurity should never be ignored. Training, policies and flexible IT that meets staff needs can all minimise the threat of data breaches.
The proliferation of computers in the modern workplace brings with it not only great efficiency gains, but also a series of threats such as malware and data breaches. One of the most common reasons for this is, of course, user behaviour – and this behaviour does not need to be intentionally malicious in order to open a business to threats.
Customers, too, are concerned about cybersecurity. A recent KPMG survey found that 83% of consumers worried about which businesses have access to their data, while 58% said that a breach would discourage them from using that business again.
Assuming staff are IT-literate can be a fatal mistake. It may seem in the era of Facebook and smartphones that everyone is a technology expert, but the ability to consume digital services doesn’t mean they understand the nature of cybersecurity – and this applies to staff as much as to customers. Actions taken by staff may result in breaches that can seriously damage a company’s reputation.
Over half of small businesses surveyed by KPMG thought it unlikely or very unlikely that they’d be a target for an attack. This attitude misunderstands the nature of the threat. Firstly, a business may seem too insignificant to attack, but the hackers may have other ideas. One major recent security breach in the US hit the massive retailer Target, but the hackers didn’t get in through Target itself; they got in through a supplier of air-conditioning to the company.
Secondly, many cyber threats are opportunistic in nature, and often result from specific staff behaviours on the company network.
Danger in the darkness
One of the biggest threats is the growth of so-called ‘shadow IT’, but, happily, this is also one of the easiest to minimise.
Shadow IT is the unauthorised use of systems and services for work purposes, something that is increasingly common with the growth of cloud computing. As a behaviour, it occurs when staff feel their needs are more fully or easily met by installing their own software or services, such as Dropbox for collaboration, instead of using those provided by their employer.
The problem is, not only does it mean vital files can end up being stored in an insecure fashion, but also that staff may retain access to confidential information even after leaving the business.
A survey carried out by security software provider McAfee found that 40% of businesses made unauthorised use of Google Apps, while 36% used Dropbox. In each case, over a quarter of these experienced data breaches of some kind.
The best way to avoid shadow IT getting a foothold is to provide an alternative. While many SMEs struggle to provide a full IT service and often spend what IT resources they have on maintenance and fire-fighting operations, there are options. Many third-party public, private and hybrid cloud services are now sold into the SME market, meaning both the services that staff need and cybersecurity itself can be consumed on a subscription basis.
Staff who are provided with the tools they need won’t feel the need to go elsewhere and add their own applications and services. Training on data protection legislation, particularly in highly regulated sectors and with regard to customer data, should also be provided in order to underscore the serious consequences of a data breach.
Bring your own risk
Mobile device management (MDM), whereby smartphones can have centrally controlled security and automatic data erasure policies, should also be considered. Options range from the simplest, such as automatic erasure when a device is lost, right up to sophisticated partitioning of phones and tablets into work and leisure areas, with controls on the ability to move data from one side to the other. In a world where Bring Your Own Device (BYOD) proliferates, cybersecurity must include not only company property, but any personal devices used for work.
Other staff behaviours – viewing unsuitable material during work hours, for instance – can also be tackled with both training and appropriate access controls on the workplace network. Again, these firewall-based policies can be implemented as a service, rather than requiring the attention of an in-house IT team.
Blocking access to unsuitable material, such as pornography or copyright-breaching streaming websites, is doubly important in an era when anti-virus software has reached the end of its useful life – today’s malware threats come in the form of so-called ‘zero day’ attacks. Zero day attacks use new malicious code each time, meaning traditional AV products cannot keep up with them. The malware itself tends to be distributed via streaming sites, downloads of pirated films and TV shows, and pornography sites, and can go unnoticed for months. One tactic used by scammers – ‘ransomware’ – is to encrypt files on the hard drive and then demand payment to decrypt them.
Each business needs to evaluate how ‘free’ staff access to the internet needs to be. Should Facebook be blocked, for example? Should phones be allowed on company wifi? The decision needs to be taken on a case-by-case basis by each business, as the more secure the network, the more likely the growth of shadow IT – files emailed to personal addresses for work at home, for instance. On the other hand, a completely open network with few access controls is akin to leaving the keys in the door overnight.
The threats may seem overwhelming, but security as a service means even the smallest SMEs can now not only have the same IT resources as multinationals, but can secure them, too.
- Untrained staff are a threat to the integrity of a company’s data.
- Unauthorised IT services are frequently used by many staff.
- Training for understanding cybersecurity is imperative.
- IT security can now be consumed as a service.