Social distancing has rapidly changed the way businesses operate, with many companies adapting to remote working in a matter of weeks. Needless to say, this has not gone unnoticed by cyber criminals who, assuming that IT defences will be affected, have been heavily targeting SMEs in a range of sectors.
DynaRisk’s intelligence team have seen SMEs targeted in various ways:
- Unprotected and misconfigured servers have been accessed and the data published online
- Sophisticated phishing attacks targeting employees
- Ransomware attacks have significantly increased
The financial impact of the COVID-19 pandemic means smaller workforces, as companies have been forced to cut costs while we weather the storm. However, this has a number of consequences: by reducing manpower and investment in cyber defences, SMEs are facing much bigger payouts, rendering any cost-saving exercises useless.
“It won’t happen to us”
Protecting your company’s digital assets and client data is of utmost importance to any business. SMEs are particularly appealing to cyber criminals because they lack essential resources - technology, staff training and expertise. This assumption is backed up by tonnes of research; PolicyBee revealed that 74% of SMEs do not put any budget aside to deal with the aftermath of a cyber incident and a further 43% do not have any sort of recovery plan in place.
Many cyber attacks result in system outages and potentially weeks of downtime. Not only does this have huge financial implications, but reputational damage too. It’s therefore no surprise that 60% of SMEs don’t recover from cyber attacks. So why are 43% of small to medium sized businesses waiting for an attack to happen?
How to manage your company’s cyber response strategy
It’s crucial to understand your business’s systems and processes. Start with the following:
- Prioritise your assets in order of most critical to least and establish what happens if your business no longer has access to key information and systems. If your central database containing client credit card details was stored on a misconfigured server and therefore exposed, this should be a top priority.
- Identify the systems in place and tools your staff use. If each were to be compromised, what information would be leaked and how could that information be used?
- How many staff have admin privileges?
- Do you provide training to employees to ensure their cyber hygiene is up to par?
- Does your remote working policy outline appropriate digital behaviours and highlight appropriate and inappropriate use of company devices?
Develop a comprehensive incident response plan
Businesses should form incident response strategies that tackle a range of possible cyber attacks. The increased security risk of remote working reinforces the need to have a plan in place if something goes wrong. A recovery plan provides clear instructions for your employees and aims to shorten recovery time in the event of a security incident. Your plan should include:
- Roles and contact information for the personnel in your incident response team, including external contractors.
- A list of actions each person or team is responsible for and a timeframe in which those actions need to be taken. For instance, one person is responsible for the list of external people that need to be contacted, and another is responsible for shutting down the website if it has been compromised. This way everything can be done simultaneously, ensuring all bases are covered.
- A client-facing strategy, including a response if the incident has resulted in the exposure of customer data. Recovery steps can include forcing a password reset for your entire database if passwords were exposed.
- A list of checkpoints to be completed in any post-incident analysis - identifying what happened can prevent similar situations in future.
Businesses must determine the causes of an incident in order to respond accordingly. This can be done by running various checks of the affected system(s). There are various signs that a cyber incident has occurred, including computers running slowly, users being locked out of their accounts or being unable to access documents, messages demanding a ransom for the release of files, redirected internet searches, requests for unauthorised payments and unusual account activity.
- After identifying the type of attack and what kind of information was affected, follow the actionable steps according to your plan based on the types of information stolen.
- Following a cyber incident, it is important for the company to formally report the incident internally and externally within 72 hours.
- Certain incidents are legally required to be reported to the Information Commissioner's Office.
- Take legal advice - particularly if high-level sensitive data was compromised as there may be several avenues for recourse.
- If you have a cyber insurance policy, the costs of the security incident may be covered.
- Monitor your company’s data on the Dark Web to track whether or not the information in question is posted on hacking marketplaces.
Learn from your mistakes
Preparing a retrospective report on the incident will highlight vulnerabilities. By comparing and reviewing the actions taken and devising a list of what went well or could be improved, you can enhance the company's response plan for any future security events. For example, if the IT team is outsourced, it is a great opportunity to assess their performance.
How DynaRisk can help
DynaRisk's intelligence team is continuously striving to recover compromised records and can provide a bespoke monitoring service. This involves crawling the Dark Web and well-known hacking forums for mentions of your company’s data, allowing you to stay ahead of potential incidents or monitor the knock-on effects of something that has already happened. Complete our enquiry form to discuss with a member of our sales team how data monitoring can benefit you.