Computer security threats faced by small businesses
What does an SMB need?
These days the internet offers an easy, effective and affordable place for small businesses to not only sell, but promote their goods and services in many ways. They can do this through their own website, or social media sites like Facebook and Twitter.
With the growth and opportunities the internet brings, it also has its downside. As the internet advances, so do the threats posed on small businesses.
Security threats that affect SMBs
Small businesses may lack the expertise to identify and deal with computer security incidents, making them an attractive target for online offenders. There are also the internal threats of IT theft of equipment, and data theft by employees.
Some of the main threats to small business security include, online fraud, denial of service attacks, phishing, malware infections, wireless and internet misuse, unauthorised access and the risks associated with cloud computing. A computer virus outbreak or a network breach can cost a business thousands. In some cases, it may even lead to legal liability and lawsuits.
Malware is a term that includes computer viruses, worms, Trojans and any other kinds of malicious software. Employees and end users within an organization may unknowingly introduce malware on the network when they run malicious executable code (EXE files). Sometimes they might receive an email with an attached worm or download spyware when visiting a malicious website.
An organization that operates efficiently usually has established ways to share files and content across the organization. These methods can also be abused by worms to further infect computer systems on the network. Computer malware does not have to be introduced manually or consciously.
Basic software packages installed on desktop computers such as Internet Explorer, Firefox, Adobe Acrobat Reader or Flash have their fair share of security vulnerabilities, even Microsoft Windows operating system have updates to patch vulnerabilities. These security weaknesses are actively exploited by malware writers to automatically infect victim’s computers. Such attacks are known as drive-by downloads because the user does not have knowledge of malicious files being downloaded onto his or her computer.
Then you get social engineering attacks. This term refers to a set of techniques whereby attackers make the most of weaknesses in human nature rather than flaws within the technology. A phishing attack is a type of social engineering attack that is normally opportunistic and targets a subset of society. A phishing email message will typically look very familiar to the end users – it will make use of genuine logos and other visuals (from a well-known bank, for example) and will, for all intents and purposes, appear to be the genuine thing. When the end user follows the instructions in the email, he or she is directed to reveal sensitive or private information such as passwords, pin codes and credit card numbers.
Employees and desktop computers are not the only target in an organization. Most small or medium-sized companies need to make use of servers for email, customer relationship management and file sharing. These servers tend to hold critical information that can easily become a target of an attack. Additionally, the move towards web applications has introduced a large number of new security vulnerabilities that are actively exploited by attackers to gain access to these web applications. If these services are compromised there is a high risk that sensitive information can be leaked and used by cyber-criminals to commit fraud.
We do not hear much about small or medium-sized businesses becoming the victims of many of these malware infections because it is not in the businesses interest to make it public.
Even though most employees will have a basic grasp of the internet and how computers work it is a different matter when it comes to security of data and of the business. New employees especially need to know about the threats to the businesses and need to be trained on security. Remember that employees checking their emails at work, or visiting the wrong websites can lead to a possible security breach for the business.
The threat to physical systems
Internet attacks and the threats they pose are not the only thing a small to medium sized business should worry about. The threats to physical systems should be considered too. Laptops, smartphones and tablets are trusted with employees with sensitive information about the business. The number of these items that get lost or stolen is on the increase, and with business information and documents on them it leaves the business open to data theft.
USB sticks and DVD disks can be used to leak data, especially by a disgruntled employee. Server and mail servers could also be at risk if not in a secured room.
Internet and mobile security software
For any small business it is important that antivirus tools are reputable, and up to date. It should also be recognised by businesses that anti-malware tools do not provide a complete antivirus/malware solution as they respond reactively to known threats. If it is your first time purchasing an antivirus solution, or you want to change from the one you have been using previously, download a trial version to test first and see which one suits your needs. Businesses should also ensure that anti-malware subscriptions are renewed when required, that the software is kept up to date and that computers are scanned regularly.
The volume of malware that can hit organizations today is enormous. Viruses may spread through email, websites, USB sticks, and instant messenger programs to name but a few. If an business does not have an anti-virus installed, the safety of the desktop computers or workstations will be at the mercy of the end user – and relying on the end user is not advisable or worth the risk.
Note: Scareware refers to fake anti-malware applications that typically appear as a computer pop-up advising that there is a (non-existent) problem with the computer that requires rectifying for a cost.
Staff awareness and training
Staff training and awareness are important factors in tackling business computer security. Most small businesses do not have a policy in place for things including, but not limited to, internet and mobile security, personal use of business resources and the handling of sensitive information.
A user access management policy sets out the access rights for staff on a business’s computer system. Restricting administrative privileges prevents the installation of malware and minimises the extent of damage done if users’ accounts are compromised. Similarly, limiting staff access to only the files that they require will minimise insider abuse of access or the damage caused by unauthorised access. A policy that ensures that system access is discontinued when a staff member leaves an organisation will also assist in preventing malicious attacks.
Security in small and medium-sized businesses consists of more than just blocking spam and preventing malware. Cybercrime is on the increase, and the criminal’s tactics get more complicated and advanced. The cost of IT security is something the business may find hard to cover, but in the long term can the business really afford not to protect the business and customer’s data etc. If a serious attack happened it would most probably cost more.