Survey finds 48% of businesses across Ireland have no cyber security policy. The lack of awareness among small businesses needs to be addressed.
The Magnet Networks Cyber Security Awareness Survey found that 171,000 businesses in Ireland could be vulnerable to cyber attacks.
It was found that 48% of all businesses have no cyber security policy in place. A further 27% of companies acknowledged that they require more efficient security or that they are completely unsecure.
Speaking to the Council Journal, Cyber Security Expert James Canty of Magnet Networks said:
“As an internet service provider we’ve seen the significant impact in the rise of cyber crime on our customers. For example, we have had a significant number of customers ringing us up with issues they may perceive to be slow speed and when we do some further investigation, what we’re seeing is issues with DDoS attacks, that their broadband is being used without their knowledge. The real reason is, there’s no underlying issue other than that their broadband is being used for a DDoS attack on a website they have no knowledge of. Their perception is that their broadband is just slow.”
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
These are the types of issues Magnet Networks has experienced more frequently over the last 18-24 months.
The company’s move into the cyber security space was driven by a desire to help their customers with the growing number of cyber attacks.
Magnet Networks found that an overwhelming number of people in the business community share the perception that unless you’re a large business or a very significant enterprise, you’re not a target for cyber criminals.
According to Mr Canty, this is not the reality:
“We found the opposite to be the case. The vast majority of cyber attacks that are launched are on the small businesses. Small businesses, whether they realise it or not, have things that are of value to cyber criminals. They have email addresses, names and contact details, they have lots of different pieces of information that are of value to cyber criminals. They also have very little cyber security in place and typically so, it’s quite easy for cyber criminals to get into small businesses and be able to extract data. Ultimately, what they’re trying to do is potentially get more sensitive information, whether that’s access to a company’s bank account or an individual’s bank account from that information.”
In the past two years, roughly 26% of companies admitted to falling victim to cyber attacks, with a further 18% unsure if they have been affected.
Only 13% of respondents considered their business as very secure in terms of cyber security.
In addition, 25% of those surveyed said that either the business owner, or no-one at all, was responsible for cyber security in the business.
Not having cyber security in place is a very dangerous risk and awareness on this topic is of the utmost importance, especially for small businesses.
Mr Canty went on to explain:
“The challenge that we face as an internet service provider and what we’re trying to discuss is, if you go back to this year, we’ve seen a huge amount in the rise in awareness. The companies that proceed to be targeted, the NHS for example, who are very heavily targeted, your average small business is going to think cyber criminals have no interest in them and therefore, they don’t need to invest, or if they have some form of free antivirus that’s as much as they’ll do.
“The reality of what we’re seeing is very different. If you look at our customers’ profiles there’s eight times more unsolicited inbound activity on a typical business user’s internet connection and they have legitimate outbound activity going on. That inbound activity is bad guys looking for weaknesses and vulnerabilities on internet connections in order to be able to take advantage. Again, just to give you an idea, you have names and addresses, you have PPS numbers, driver’s license, any government identifiers. They’re looking for any information about gender, race, place of birth, all these types of information are what they’re looking for. They target small businesses because they don’t have a lot of investment in cyber security.”
The Magnet Networks survey found that in small businesses with under 10 employees, 68% of respondents have no cyber security policy in place, with a further one third of all businesses admitting to having no cyber protection in place.
Nearly three quarters of those surveyed believe that their businesses will be protected simply by better employee awareness. On the causes of the growing number of cyber attacks on businesses, James Canty said there are merging factors responsible. At the forefront is Bitcoin.
He provides further detail:
“Bitcoin is what allows cyber criminals to monetise the illegally taken information. It’s only with the onset of the cryptocurrency that cyber criminals have been able to monetise this. Ultimately, like all criminals the vast majority of these criminals are in this for monetary gain. There is an element of them who would do this for maybe politically motivated means. It’s like your ordinary criminal who was breaking into houses. The cyber version of that is now someone who has Bitcoin and other cryptocurrencies to be able to extract money out of your wallet.
“They can do it from home in a different country. They could be thousands of miles away. The difficulty for police forces is how do you enforce something like this where you have anonymous cryptocurrencies that are cross jurisdictional and are not governed by any Central Banks. It’s a perfect storm, the adoption of cloud technology, all these things have combined to be able to present opportunities for cyber criminals.”
Individuals, as well as businesses, are targets. Cyber crime has the potential to affect all of us. Information about individuals is now more publicly accessible with the likes of social media.
LinkedIn is an open source of personal information in terms of how you’re sharing. Mr Canty addressed the issue of whale phishing. As an example, if you are a senior executive or a financial director, cyber criminals could see you’ve gone on holidays. They can get access to some of your contacts and send an email as you to significant people asking them to change bank details.
So how can we, and businesses in particular, protect ourselves from cyber crime? To rehash, we have to be aware, we have to create a discussion. James Canty likens a monthly fire drill within a company to creating an email campaign as practice for monitoring and pushing employees to be more cautious.
He offered this advice: “Most companies will have a fire alarm drill every month. You can do similar type things with an email campaign. You create a fake Gmail account, for example, and you send around emails to all your employees from a fake Gmail account that looks like it’s semi reasonable and put a link in there to a website. Monitor who has opened that email and clicked on the link. You can start to embed those type of practices to start raising awareness about clicking on links.”
“Ultimately, the weakest link in any business, or in terms of your cyber protection, are the individuals using the technology. When I say technology I just mean computers. Any individual with access to the internet is a potential vulnerability. It’s about making sure you have that mindset in place from day one.
“You need to think of what is your most important set of information, where is it stored, how often is it backed up, can I back it up off site so if I do get hit, you’re not dead in the water or you’re not going to have to pay out exorbitant ransom.”
In 72% of businesses under ten employees, which make up 92% of all companies in the State, network security is looked after by either the business owner, the office manager or, in 9% of cases, no-one at all. 84% of businesses surveyed have anti-virus software installed. In a large proportion of cases the anti-virus software in place will be a firewall.
The new types of malware today make it easier for cyber criminals to get past traditional firewalls, essentially making firewalls ineffective.
To break it down, if you don’t have a good idea of the types of traffic coming in and out of your network you can’t protect yourself. Firewalls aren’t as safe as you think.
70% of internet traffic today is coming in on https. The s stands for secure, which means the data exchanged with that website is encrypted.
However, cyber criminals now use https for their benefit. If an employee clicks on a fraudulent https link sent to them in an email, it will go straight through your firewall. What most people don’t realise is, if you have a traditional firewall, all of that https traffic essentially bypasses your firewall and is allowed straight into your organisation. Https is a trusted source by many. We see it all the time. The likes of Facebook, LinkedIn and Gmail use it. The vast majority of websites you type in today use https.
Businesses surveyed rated themselves as only 42% aware of their obligations in relation to GDPR regulations which take effect in May 2018.
The EU’s General Data Protection Regulation will ensure a stricter policy on cyber security for businesses and fine those who breach it.
On the GDPR, Mr Canty said:
“It places an onus and responsibility on businesses and individuals and makes them personally liable, if you’re a director of a company, to make sure you have adequate protections in place. By adequate protections in place that means state of the art cyber security. If you only have anti-virus running and you get hacked you are going to be in breach of the GDPR and liable for a fine. That is a certainty. You need to put the onus on businesses to at least have a better idea of what they need in place for data protection.
“They also need to consider all the data they are storing, whether it’s customer data or employee data, how do you store it and where it gets stored, who has access to it, all become very important components. You need to have security by default as your mindset in terms of your approach to it. So, if you have employee data or customer data, who accesses it, how did they get access to it, what are the access controls. There’s a range of aspects that you need to consider but the one thing for sure is that if you have an internet connection and you use it for your business, you will be impacted by GDPR.”
It is a challenge for most small businesses as they don’t have the resources to employ full time IT staff. With that in mind, they will have an informal arrangement with someone who purports to be an IT expert and they will buy a piece of hardware. The piece of hardware is a firewall.
Magnet Networks has found that what is being sold to businesses in these cases is not enough to tackle malware in today’s world. A next generation firewall is a must. Mr Canty is urging businesses to have a few questions prepared for these hardware providers, such as asking whether they can provide a detailed report showing all of the activity, all of the traffic inbound and outbound on a network, on a daily basis. He says if they can’t offer up a report as stated, then how can you be sure they are protecting you?
James Canty concluded with:
“They’re the types of conversation I’m trying to have with businesses and I’m trying to say, look don’t take my word for it, you go and ask whoever you’re trusting to install a piece of security that you’re paying money to and at least ask these types of questions before you pull the trigger and spend money. By spending money it doesn’t necessarily mean you are going to be protected. Apart from having next generation firewalls, it’s the responsibility of the business owner to understand where all your data is stored, who has access to it, how you can back it up, is it anonymised?
“If you have customer data that’s more than twelve months old in your business and those customers are no longer your customers you shouldn’t be holding that data. You need to cleanse your data regularly and if you’re not doing that and if you have a breach in GDPR you are obliged to report it to the data protection officer. The data protection officer will come down and ask these types of questions.
“Part of it is the technology but another part of it is having basic house cleaning and cleanliness. If you have those things in place and you do have a breach, well then the data protection officer is going to say, fair enough, I understand, I can see that you have taken reasonable and relevant depths to comply with the regulations, it was unfortunate and therefore I am not going to fine you. However, if you don’t have these things in place and you are hit, it’s not going to be enough to say well I didn’t know, it’s not enough to say excuse me your honour, I didn’t know. That’s the main reality that GDPR will bring in 2018.”