A new report has found that an alarming number of Australian businesses are being cyber attacked over email, with more than 90% reporting an email-based ransomware attack, business email compromise or spear-phishing attack last year. At the same time, they are lagging in cyber security training for staff.
Small businesses are facing an unprecedented threat of cyber attacks according to a study by security software company, Symantec.
Although it’s usually only stories about hacking into large national and international companies that make the news, Symantec reports that 52.4% of “phishing” attacks last December were against SMEs – with a massive spike in November.
One attack the report highlighted, concerned a small car dealership, that lost $23,000 when hackers broke into its network and swiped bank account information. The hackers added nine fake employees to the company payroll in less than 24 hours and paid them a total of $63,000 before the company caught on. Only some of the transfers could be cancelled.
Increasingly, cyber thieves view SMEs as easy, “soft targets” because too often they have bank accounts with thousands of dollars, a false sense of security about not being targeted, and customers’ credit card information, and other vital data that hackers can easily sell on the black market.
Attacks on these small businesses are made worse because more than 80% of this sector of the business landscape do not have any formal cyber security plan, and up to 70% have no plan at all.
Symantec also revealed that a major source of data breaches in large and small companies occurs when employees unwittingly download keystroke logging programs that can read and steal all of the information on a business’s computers.
Often these keystroke logging malware programs are unknowingly downloaded by employees surfing the internet. In fact, research shows that 40% of all the internet is viewed at work on company computers.
This makes small businesses easy to target and it is becoming a more serious trend as these security breaches are now going for online banking information which can often put small businesses in an untenable position.
So, what should small businesses be doing to protect themselves? Here is a short list of helpful steps:
- Make a real commitment to data security awareness. Engage the assistance of professional security people. It is cost-effective particularly when compared to the cost of a security breach where, unlike private consumers who have their bank account hacked, commercial accounts are not protected by federal regulations. Companies have not generally been reimbursed for funds stolen due to security breaches traced to the commercial business.
- Install proper Firewalls.
- Install security software and keep it constantly updated to meet the latest evolving threats. Identity thieves exploit the fact that some companies fail to update their security software in a timely fashion.
- Train your employees in proper security practices and limit access by employees to sensitive data to only those employees who need to have such access.
- Encrypt all data, particularly on laptops and portable devices that may leave the workplace.
- Do not permit unauthorised devices to be plugged into office computers or laptops, such as MP3 players, smartphones or USB keys. They can be tainted and can download malware onto the company’s computers.
- Maintain and regularly change complex passwords, remembering that this step, although helpful, is of little benefit if you have downloaded a keystroke logging malware program.
- Make sure that when you replace computers and other electronic devices, the hard drives and data are obliterated.
- Shred with a cross shredder all discarded documents containing sensitive information; dumpster diving identity thieves turn your trash into their gold.
