Navigating the threat landscape
As cybercriminals develop more sophisticated malware, it is imperative for SMEs to ensure they put proper safety measures in place.
In October this year, cybersecurity firm FireEye announced an overview of the threat landscape in the EMEA (Europe, Middle East and Africa) region for the first half of 2016, in its latest Advanced Threat Report. According to the report, 96 per cent of global organisations were unknowingly breached as threats increasingly evade traditional security products. The report explores how nation-state based threat actors and cybercriminals conduct espionage and target organisations in the EMEA region, and highlights that organisations in Saudi Arabia, Qatar and the UAE were among the most exposed to advanced targeted threats in the Middle East.
“SMEs are the predominant target for cybercrime as a service, because cybercrime can be profitable,” said Peter Tran, GM and Senior Director, Worldwide Advanced Cyber Defence Practice at cybersecurity strategy firm RSA. Cybercriminals are commoditising viruses and malicious code that an unsophisticated criminal can use against smaller businesses, which are an easier target. Creating these tools can earn cybercriminals up to $1 million per year.
Smaller businesses are at a particular disadvantage for a number of reasons, which include staffing, according to Rich Bolstridge, Chief Strategist of Financial Services, Akamai Technologies. Finding the right people for security and tech positions, even in large enterprises anywhere in the world, is definitely a challenge. This is felt more so in the MENA region where, first, there is a distinct lack of talent and, second, SMEs do not have the ability to develop relationships with universities and some of the talent pipelines to source candidates with the right skillset as they become available.
“Once security personnel have been hired they have to be retained and they need to be kept busy in a small enterprise where they are unlikely to see the action they would in a large company. The level of cybersecurity activities, and perhaps the attacks being dealt with as an SME, will not be as challenging overall for them to deal with,” Bolstridge said.
He added that a key challenge facing SMEs is understanding threat intelligence, because there is so much information to work through in comprehending what the risks are. The first thing that an SME needs to do is a risk assessment; some SMEs are handling very sensitive data, and by taking an inventory of their assets and assigning a risk score, they will have a better understanding of the impact a breach would have on their business.
“If the SME has a strong online presence, such as retail or ecommerce business, the owner needs to look at what the cost of downtime will be if their business presence is unavailable for a day or even an hour,” he said.
Bolstridge added that it is a misguided approach for business owners to assume their data is secure because they are smaller and therefore under the radar. Attackers understand that smaller businesses are often not well-defended, but they still have valuable assets, whether they are personal records, financial data, credit card information, addresses, or usernames and passwords.
Minimising human error
The FireEye report found that ransomware is an increasingly common threat to organisations in the region and a favoured tool in extortion campaigns. The first half of 2016 saw a major spike in ransomware activity, compared to the same period in 2015. As prevention technology improves, ransomware creators and cybercriminal groups quickly move on to new variants.
Bolstridge said the first, and obvious, way SMEs can mitigate the threat of attack is by limiting access to assets. Business owners need to decide which members of their team require read access, update access and full access control, and limit access to these assets accordingly.
“Using two-factor authentication for any kind of sensitive data is recommended. Many vendors offer two-factor access for the cloud services that they offer, or they will offer a text message authentication when a client logs in from the website. SMEs should take advantage of these extra security measures where they can,” he said.
His second suggestion to SME owners is to follow the data: know where company data is going at all times. If staff members are taking laptops that have customer data to and from the office, it is prudent to ensure that protections are in place. Using full-disk encryption on these laptops will prevent a breach of records in the event that the laptop is lost or stolen.
Tran added that SMEs are not harnessing their power as a collective by coming together and sharing information about the threat landscape the way larger organisations do.
“The more unified SMEs are within their respective industries, the more information will be available to them regarding the threat landscape, best practices, and what other businesses have done in certain situations. They’d be surprised at the help that is actually available to them; they have just never reached out,” said Tran.
In terms of investing in security, a concern for many SMEs with limited resources, Bolstridge recommended implementing a good Denial of Service (DoS) protection system, which is a secure way to prevent the attack. DoS attacks occur when an attacker makes web servers unable to serve the websites they host to legitimate visitors. For some time, it was thought that these types of attacks were generally used against large corporations, government sites, and activist sites as a form of protest to disrupt their web presence. However, more small and medium businesses are beginning to see their online presence disrupted by this type of attack.
Finally, the executives of the company should be briefed once a month on the threat landscape and what steps are being taken to protect company assets, and that should be non-negotiable, Bolstridge said.
Targeted attacks in the region:
19% – organisations in Saudi Arabia were exposed to at least one targeted attack.
14% – organisations in Qatar were exposed to at least one targeted attack.
11% – organisations in the UAE were exposed to at least one targeted attack.
28% – government organisations were exposed to at least one targeted attack.
Advanced Threat Report by FireEye