Top cyber security threats for businesses – and how to protect yourself
In recent years, the shift to remote working caused by Covid-19 combined with the digital transformation of many organizations has created new opportunities for cybercriminals. That’s why it’s essential for all businesses, whether large or small, to understand the top cybersecurity threats and website security issues – so they can take steps to protect themselves. Read on to find out more.
Business cyber security risk #1: Ransomware
Reportedly, 80% of businesses around the world experienced some form of ransomware attack in 2021. Ransomware is software that locks users out of their computers or restricts access to data by encrypting the information. The user must enter a special key code to restore access, and the hacker will only provide the key if the ransom is paid. The most malicious ransomware erases all user data, even if the ransom is paid.
Many small or medium-sized business owners believe they are small fish in an ocean of corporate whales that are far more appealing to criminals. They read about high profile cyber attacks on large organizations and feel safe by comparison, but large companies have learned the hard way to fortify their protection against cyber intruders and harden their defenses against future attacks.
As a result, cybercriminals can find it easier to target SMEs, which often have minimal protection in place and lack the knowledge to prevent data theft from their computers. Passwords are up for grabs, u, as is information like bank account details, residential addresses, and even social security numbers. Armed with this information, cyber thieves can drain funds, steal identities, and launch cyberattacks against businesses and even governments.
How businesses can protect themselves against ransomware
Layer security measures: To reduce the risk of ransomware, take a layered approach to cybersecurity. This means using a variety of security tools in combination with each other. For example, use a good quality antivirus on every device and keep it up to date, install a firewall, and employ spam filters and cloud data loss prevention. Using a combination of tools means that if one fails, there are others in place to act as backup.
Backup your data: Make sure your business has a full offline backup of your system which is up-to-date and separate from the main network. This will allow you to access your data even if your business is held to ransom. Test your backup regularly to ensure it will work when you need it.
Review your BYOD policy: With the shift to remote working, employees sometimes use their own laptops or mobile devices to work and access the company network. This carries risk since these devices may not have proper antivirus or other security software installed. If staff work on the go, they may access public Wi-Fi networks which are not secure. To counter this, you can restrict network access to company-issued devices and require employees to access the network through a VPN or Virtual Private Network.
Business cyber security risk #2: Phishing
Phishing is another significant cyber threat facing businesses. Phishing refers to attempts to obtain sensitive information such as usernames, passwords and credit card details through bogus emails that are designed to look like real ones, or sometimes through fake websites. Traditionally, phishing scams were carried out via email. However, in recent years, more phishing scams have been carried out by text message (known as smishing) and phone calls (known as vishing).
The term spear phishing is used to refer to phishing attempts targeted at a specific individual or company. Cybercriminals use social engineering techniques to personalize messages to their targets, making them appear as though they are legitimate emails from known contacts. They use various sources of online information – such as social media or company websites – to build up a profile of their targets. They might even phone a business posing as a customer to obtain bank account details and so on.
Spoofing emails often go directly to a company’s accounts manager with a request to disburse funds to a customer's bank account. The email provides the bank account information and fund transfer details. Unsuspecting managers have sent amounts ranging from a few thousand dollars to a few million dollars to the bank accounts of cybercriminals.
How businesses can protect themselves from phishing
Consider your digital footprint: Think about the information your business makes publicly available online – that is, your digital footprint – and how this may expose staff members to this type of crime. For example, listing all your senior staff with links to their LinkedIn profile and their email addresses and telephone numbers increases the risk of becoming a phishing target. (You can read more about LinkedIn privacy concerns here.)
Use email filters: By itself, an email filter doesn’t guarantee that you won’t receive phishing emails, but it does increase your protection. Email providers offer a range of spam and junk mail filters, so it’s worth researching the market before choosing the right provider for you.
Use antivirus: Having a comprehensive and up-to-date antivirus installed on every device will help to protect your business from phishing attacks as well as a range of other cyber threats. An antivirus with anti-phishing capabilities will scan the attachments of emails to check whether they are risky.
Be alert: Look out for the tell-tale signs of phishing. For example, an email from your bank asking you to update personal details is unlikely to contain spelling and grammar mistakes. If an email tries to create a sense of urgency – for example, by telling you that your account has been hacked and needs to be reset immediately – then it could be warning sign. If a message contains a URL, hover your mouse over the URL to check that it is leading to the correct page. It’s also important to make sure that the URL has an SSL certificate and begins with HTTPS. In general, if you receive an email from an unknown sender, don’t open any attachments contained within it.
Business cyber security risk #3: Weak passwords
Another significant IT security risk for businesses is employees using passwords that are weak and can be easily guessed. Using weak or easy-to-guess passwords, or using the same passwords for multiple accounts, can lead to sensitive data or financial information being compromised. Small businesses can be at particular risk of employees using weak passwords because of less awareness about online security risks. An average of 19% of enterprise professionals use easily guessed passwords or share passwords across accounts.
Hackers write programs that apply dictionaries full of millions of passwords in their efforts to gain forced access to the IT systems of individuals and businesses. These are called brute-force attacks and they have a high success rate at breaking into computers. Once a hacker finds the key to one software application, then the probability of gaining access to other accounts with the same password is high.
How businesses can protect themselves against weak passwords
Introduce a strong and technically enforced password policy: A strong password is made up of at least 15 characters, including a mix of lower- and upper-case letters, numbers, and special characters. Users should avoid simple number sequences such as “12345,” or names of spouses, children, or pets in a password – since a hacker can easily obtain this information from social media. Some companies require employees to change their login passwords at least every 90 days.
Use a password manager: Your employees should consider using a password manager to generate and maintain lengthy, complex passwords that can be pasted into the login pages of applications.
Enable multifactor authentication: Multi-factor authentication or MFA ensures that users need more than just a password to gain access to business accounts. This involves additional verification steps, such as having a passcode sent to a mobile device. This additional layer of security helps to prevent attackers from accessing business accounts, even if they correctly guess a password.
Change default passwords: A common mistake is not changing the manufacturers' default passwords on smartphones, laptops, and other types of IT equipment. Change all default passwords before devices are distributed to your staff. Regularly check devices and software to detect unchanged default passwords.
Business cyber security risk #4: Mobile devices
Businesses often provide smartphones, laptops, and tablets to their staff to enable flexible and remote working. As a result, more of our data is stored on tablets and smartphones than ever. These devices are as powerful as traditional computers and – because they are mobile and therefore leave the safety of the office and home – need even more protection than desktop equipment. Yet within many companies, most mobile endpoints still lack protection against threats like phishing, malware, and mobile-OS exploits – making them one of the top cyber security risks.
How businesses can protect mobile devices
Switch on password protection: Use a complex PIN or password to prevent the average criminal from accessing your phone. Many devices now include fingerprint or facial recognition to lock your device, reducing reliance on passwords. These features are not always enabled by default, so check that they have been switched on.
Make sure lost or stolen devices can be tracked, locked or wiped: If a device is lost or stolen from an employee, you should be able not only to track it but also remotely delete everything on it. Passcodes can deter thieves for a short while but being able to wipe any valuable information from the device before they get a chance to see it eliminates the risk. Always make sure that this feature is enabled on every mobile device your employees use.
Backup data: Just as you backup your computer data regularly, you should also backup data on your company’s mobile devices. If a device is lost or stolen, it’s reassuring to know that your valuable data is safe and can be restored.
Keep devices and apps up to date: Make sure you have the latest versions of software and apps to ensure you benefit from the latest security patches.
Create a mobile security policy: Before any employee begins to work from a mobile device, set out an acceptable usage policy in line with legal regulations. Guidance on what to do if a device is lost or stolen will mean staff know how to act and will hopefully do so promptly. Ask your employees to read and sign a copy of the policy before they start using a mobile device for work to show they are aware of the risks and how to stay secure.
Always encrypt data: Enabling encryption on business mobile phones is essential. Mobile device encryption works by converting data held on your phone into an unreadable form. Similar to password protection for phones, users need to enter the encryption PIN or password to decrypt the data. Modern smartphones typically come with a level of password protection and encryption, although some are more secure than others. For example, with Android, when you create your passcode, you are asked to turn encryption on as an option. Enable encryption on all physical devices, and support this with data encryption software where needed.
Business cyber security risk #5: Human error
According to a 2021 study by IBM, human error accounts for 95% of cyber security breaches. In other words, unintentional actions – or lack of action – allows breaches to take place. Often, this means simple errors like clicking on suspect email attachments, visiting dodgy websites, or using weak passwords or the same password for multiple accounts (and therefore, there’s a significant overlap with other risks outlined in this article, since human error is often the common thread). Essentially, cybercriminals prey on human weakness.
How businesses can protect themselves from human error
Provide training: Most human error is a consequence of employees not knowing the risks. You can reduce human error through effective cyber security awareness training, including educating employees about the risks of social engineering. The aim should be to raise awareness of cyber security threats to business so you can instil a good level of IT etiquette. Staff training, a regular email or intranet newsletter, or at work induction courses will all help.
Reduce password load: While a strong password policy is essential, the best way to reduce human error here is to decrease the number of passwords in the first place. This can be achieved by using password managers - with multi-factor authentication turned on to increase security - and by switching to devices with biometric authentication such as fingerprint ID.
Smaller businesses can be especially vulnerable to online security risks
Smaller and medium sized business can be especially vulnerable to cyber security threats. This is because:
- They often don’t think they will be targeted and therefore aren’t prepared.
- They can have outdated systems or a lack of security protocols and training, which make them easier to hack.
- They are less likely to have large, dedicated IT teams who can stay on top of the latest IT security risks and website security issues.
Assess the cyber security risk for your business
To evaluate the top cybersecurity threats to your business, start by running an assessment of your current security systems. Create an inventory list of assets, including all software and hardware. Generate a list of where data is stored and who has access. Keep this information safe and secure and limit who can view it. Run an assessment of your current security systems to discover where vulnerabilities may be. A business risk assessment will help keep your business secure.
Aside from the tips outlined in this article, two further cyber security practices to follow are:
- Have a cyber attack plan: Be prepared in case of emergency. You want to be able to best protect your business, employees, and customers if you are attacked – so have a plan in place which details what you will do in case the worst happens.
- Stay informed on the latest cyber threats to business: Knowing about the latest cyber security threats as they evolve will help you stay ahead and work out how best to protect yourself.
Finally, endpoint security is a crucial aspect of managing cyber security threats for business. An endpoint refers to any device connected to your network – including laptops, desktops, smartphones, printers, servers and so on. Endpoint security is the process of protecting endpoints used for work purposes from cyber security threats. Cloud-based endpoint security software is ideal for small and medium sized businesses since it requires fewer in-house resources to manage and fewer commitments upfront but provides continuous monitoring and the ability to monitor your endpoints from anywhere.
Read more about Kaspersky’s endpoint security solutions here.
Kaspersky Endpoint Security received three AV-TEST awards for the best performance, protection, and usability for a corporate endpoint security product in 2021. In all tests Kaspersky Endpoint Security showed outstanding performance, protection, and usability for businesses.
Related articles and links:
- What is IoT and IoT Security
- Threat Intelligence
- What is Advanced Persistent Threat, Signs of APT
- What is Endpoint Security?