Data breaches are occurring at a rapid rate. It seems that every passing week another big fish in the pond has been hacked. So if the richest companies are being compromised, what hope is there for businesses that don’t have the funds to implement adequate cybersecurity defenses?
However, you may not need to. First, you have to determine what is adequate for your business. The Information Commissioner’s Office (ICO) has guidelines that enable them to assess whether a company has met IT security compliance requirements.
The parameters are determined by a number of factors, including the amount of sensitive data a company stores and the nature of the data. For example, as you can imagine, financial and medical firms should meet the maximum security requirements. A small business that only collects email addresses, on the other hand, has a far lower threshold.
That doesn’t mean that small business owners should hold back from implementing an adequate IT security perimeter. On the contrary, two-thirds of companies face at least one form of cyberattack a day.
And a data breach could spell the end of your business. Under the EU’s GDPR, firms are obligated to report a data breach to the ICO and to all affected parties: customers, employees, suppliers, investors, partners, etc.
The ICO will most likely issue a penalty. The amount of the fine will be determined in relation to the strength of your cybersecurity defenses. For firms that implement the best IT security they can with the resources they have, the ICO is more likely to be lenient.
However, it’s not usually the fine that cripples a company financially. It’s the loss of revenue. A data breach can damage your reputation. Customers leave and investors pull their money out.
Cybersecurity firms report that around 60% of companies close their doors following a data breach. The cost of investigating the cause of a data breach together with the loss of revenue is a financial strain.
Although it is evident that a data breach can devastate a company, 80% of IT professionals do not believe their company has sufficient protection against threat actors.
Hackers Using Sophisticated Technologies
In truth, there is only so much that a cybersecurity team can do for a business. They have to rely on technologies that identify known viruses. But crack hackers use sophisticated technologies and techniques that enable them to come up with new ways of exploiting vulnerabilities in a business network.
A 2019 comparative study found that the most efficient antivirus products capture 90% to 98% of malicious code. However, cybersecurity experts are increasingly finding rare programming languages designed to evade detection by existing antivirus software.
Whilst you could argue that antivirus software is, for the most part, effective, it only takes one data breach to bring a company to its knees. And there’s a 2%-10% chance of that happening. It is estimated the average company receives around 130 attacks a year.
The Rise Of Ransomware
A report published by the Institute for Security and Technology found the number of ransomware attacks increased by 300% between 2019 and 2020. After phishing, it is the second most favored method for hackers.
The government and industry dissuade companies from negotiating with criminals. However, 82% of firms in the UK confirmed they paid hackers for the return of their data.
Ransomware attacks encrypt business data so the content can no longer be read by users. Malicious actors then demand payment from the company in return for their critical data.
There’s no doubt that cybercrime can be a lucrative business for malicious actors at the top of their game. The average payout by a small business is estimated to be over $100,000.
New Spyware Attacks
Technologies used with malicious intent continue to evolve. Last year, Pegasus Spyware was found. This year, hackers have been dropping files infected with malware into Microsoft SharePoint, OneDrive and Teams.
Pegasus spyware is said to be used by government agencies to spy on civilians. The Guardian newspaper in the UK reported that Pegasus software “can record your calls, copy your messages and secretly film you.”
Independent journalists have also revealed how government officials are exploiting the latest spyware technologies to conduct surveillance on over 50,000 business executives, activists, journalists, politicians, and government officials.
The Pegasus program is thought to give government agencies the ability to infect any phone they choose and retrieve any data stored on the hard drive: photos, videos, private messages, social media updates, passwords and audio recordings.
The Washington Post reported that Pegasus can be used to recover data stored on a smartphone with a single text message.
What happens when this technology falls into the hands of cybercriminals?
How Bad is Cybercrime Really?
It appears the biggest threat to the average business is from a government agency. Corporate giants also use hackers to conduct corporate espionage. It’s not unreasonable to expect the technology created by the best hackers, who are deployed as “ethical hackers”, to find its way onto the dark web.
In most instances, cybersecurity firms will have upgraded their anti-malware programs before malware falls into the hands of bad actors that target SMEs. You should expect to be secured from a digital perspective.
However, you are not safe unless your most vulnerable gateways are closed. And the soft underbelly of any IT security strategy is your employees. Around 90% of data breaches are due to human error.
Providing your staff with cybersecurity awareness training should be a priority for firms of all sizes. If end users know where attacks are most likely to come from, they know to be alert to the danger when something looks suspicious.
Cybersecurity training should include the technologies and techniques hackers use to target companies, how to identify potential threats and where to report suspicious incidents.
It would be foolish for any business to ignore cybersecurity. However, the threat of a data breach is arguably overblown by mainstream media and the pro-cybersecurity press. All you can do is implement the best cybersecurity you can with the budget you have available.