Companies face the constant threat of cyber attack. That’s just a fact and, regardless of the sector your business operates in, it’s one your IT team and CISOs are aware of and confront daily, whether or not the general staff or board are aware of it.
The bigger players generate the biggest news, and this week has been no exception. The breach of British Airways (BA) systems, flagged last Friday, has been investigated by RiskIQ, which believes that an organized criminal gang called Magecart was behind it.
Initially, BA said that the breach, which affected around 380,000 booking transactions made between August 21st and September 5th, did not include details such as passport numbers or other travel data, Wired reported. However, BA later confirmed that the stolen data included payment card expiration dates and CVV codes. The twist is that BA doesn’t store CVVs, so the data must have been captured as customers entered it rather than lifted from a database.
RiskIQ believes that the attackers used a cross-site scripting attack, which targeted an under-secured web page and allowed them to inject their own code. The criminals even set up their own SSL certificate for their server, to add an air of legitimacy.
Naturally, a full criminal investigation is currently underway, with RiskIQ presenting its findings to both the National Crime Agency and National Cyber Security Centre in the UK.
If you run a small or medium-sized business (SMB), the temptation may well be to look at the news headlines and shrug. After all, they’re only going after the big companies, right? Besides, the big companies can afford lots of IT security staff and probably have whole departments to tackle cyber crime…
Unfortunately, following that line of thinking is incredibly risky. A study by Kaspersky Lab earlier in September made some alarming discoveries about the risks posed to SMBs in the US. No matter the size of your company, if a criminal enterprise believes you’re making money, your company is at risk of cyber attack.
The Kaspersky report found that 67% of SMBs reported complete or partial loss of corporate data due to crypto-malware. And some 42% of those polled felt that ransomware was one of the most serious threats their company faced.
The big-ticket hacks and breaches, like Carphone Warehouse, Maersk and the NHS, certainly make the headlines, but it’s the day-to-day, small-scale breaches of SMBs that are often ignored, leading to a false sense of security.
Kaspersky found that almost a third of companies polled believed that paying ransoms was the easiest way of dealing with an attack, despite the risk that your data will never be recovered. They also found that a single attack could cost an SMB up to $99,000. That’s quite a hit for a small company.
Of course, the loss isn’t just the initial ransom. You also have to face up to the follow-up costs of related losses. Whether that is installing new equipment, updating the software that let you down, replacing legacy software or losing sales through reputational damage, the fact is that the real cost to any business will always exceed a simple ransom demand.
So what do you do? Well, you can do your level best to mitigate any damage a breach may cause by keeping offline backups. Yes, it’s a little antiquated, but it works. If you’re unsure, then read up on how Maersk recovered its systems following last year’s WannaCry incident, using an offline backup of its software held in an office in Nigeria. That redundancy made a massive difference to the ultimate bill Maersk faced, although the company still estimates that the incident cost it over $200 million.
Then you can ensure your software is up to date and patch where necessary. Microsoft regularly issues alerts and patches so that users can reduce their exposure to risk. No, updates aren’t exciting and they take time, but they can also save your company a fortune in the long run. Obviously, smaller firms can’t afford dedicated CISOs or IT teams, but simple steps, such as re-issuing passwords and access codes when a staff member leaves, or ensuring that staff always lock their PCs when they leave their desks, will go some way towards mitigating your risk.
Ultimately, any company is at risk, but a company-wide cyber security audit can be a relatively simple procedure, and there are plenty of outside resources to help here.
Whatever the size of your business, the onus is upon you to protect it. And the more steps you take, the more your insurer will approve.
By David Rider – Research Director at CRC.