Cyberattacks are an ever-increasing threat in the FinTech world, and cybersecurity has become a top priority for most large businesses. SMEs, however, often believe the myth that their risk is low, which makes them a prime target for cybercriminals.
When organisations fail to detect and block a cyberattack, they can remain unaware that the attack happened for a considerable time, it said. Indeed, the US National Cyber Security Alliance found that it takes 206 days on average for a company to learn of a breach it failed to prevent, and 60% of these businesses are unable to remain open for more than six months after a cyberattack. In the current environment, it is common for attackers to deploy ransomware to vulnerable systems, spread throughout the network and encrypt all data on infected machines, which is then held for ransom.
To help companies avoid these traps, KYND compiled a list of common myths and misconceptions about cyberattacks that make SMEs increasingly vulnerable, along with potential solutions for risk mitigation.
Highlighting some of the misconceptions in a new blog post, it said that an increasing number of organisations believe that they are too small to be a cyber target. This misconception can cloud a company’s judgment, putting it at regulatory and reputational risk. The myth is fuelled by news coverage that naturally focuses on large-scale attacks on multinational corporations known to the public, e.g. Bombardier, Apple and Accellion.
While SMEs believe larger firms are a bigger target for cyberattacks, this could not be further from the truth. Nearly one in three breaches included in Verizon’s 2020 Data Breach Investigations Report (DBIR) calculations involved small to midsize businesses. In addition, 43% of all cybercrime is committed against small businesses, and around half of all global cyberattacks are reportedly against organisations with fewer than 250 employees. Furthermore, most cyberattacks are not aimed at specific companies: 54% of cyberattacks come from automated tools casting a wide net across the public internet to find vulnerable hosts and ports.
These statistics pour cold water on the notion that cybercriminals only target large enterprises, or that criminals will deliberately ignore smaller or non-profit organisations. In fact, the risks for SMEs are likely higher because, unlike much larger organisations, they rarely have a dedicated cybersecurity department at hand, the blog said. However, there are measures which can be taken to prevent and mitigate such risks. The first step to a more secure digital future is to admit that you might be at risk, and then to take action to remedy it.
Another misconception pointed out by KYND is that many companies believe they “don’t hold anything of value”, or that they are simply not worth a potential attacker’s effort. However, almost all organisations hold some client data, internal records and communications, sensitive employee details, financial records and operational systems. It is no secret that data is valuable, whether it is personal or used for business operations, and it should be protected. There are proactive measures which can be taken to mitigate these risks effectively. KYND suggested using multi-factor authentication and basic external email security. In addition, companies can secure their network and all their devices using endpoint protection, properly configured firewalls, segregation of sensitive data and encryption of all data where possible. It is also important to back up core configurations, systems and data, keeping backups separate from the network, ideally encrypted, and protecting access to them with multi-factor authentication, it said.
Many also believe that, if they have reliable antivirus software on their computer systems, they are safe from cybersecurity threats. While antivirus plays a part in an organisation’s overall cybersecurity, it is not sufficient on its own. The role of traditional antivirus is to defend against known malware, but it cannot defend against threats it cannot identify. Indeed, around half of organisations have identified exploits and malware evading their antivirus solution. Even Symantec, one of the leading antivirus companies, has itself admitted that a simple antivirus is hardly enough.
KYND said, “Investing in an endpoint protection solution (examples include CrowdStrike, SentinelOne, Cybereason, Carbon Black) will allow your organisation to protect your devices (often called “endpoints”). These are also called ‘Next-Generation AntiVirus’ (NGAV), which supersede the traditional antivirus with a combination of artificial intelligence, behavioural detection, machine learning, and exploit mitigation so that known and unknown threats can be anticipated and prevented.”
Another common myth is that cloud providers take care of cybersecurity. While this is true to an extent, as these providers protect their own infrastructure, that protection does not extend to the content and services hosted on the platform, or to the configuration and setup of that infrastructure by the customer.
In this instance, managing cybersecurity risks requires knowledge of, and competence with, the technologies offered by the cloud provider in order to secure them. While the particular settings for each cloud service will vary, KYND detailed some typical checks which should be carried out when deploying to a cloud environment. For instance, checking the access settings for services and data is essential. Many organisations use the “public” settings for their cloud storage and systems, which is a rookie mistake when hosting sensitive data or services. Furthermore, it is important to restrict remote access to the cloud environment and servers with a VPN, so that only people and applications within the business are able to interact with it, it said.
Indeed, at the heart of security it is not necessarily the product a company uses but the configuration of its infrastructure, devices and network that is the primary factor in determining and mitigating risk. “That is, you’re only as secure as your configuration,” it said.
Copyright © 2018 RegTech Analyst