Over the years, I’ve spoken to many different types of small business owners in the UK, and I understand why, in many industries, internet security is low down on their to-do lists.
IT security is just not a priority for the majority, as they are busy working 18-hour days trying to keep up with actually making the stuff they’re supposed to be making for the people who want to buy it.
They’re incredibly BUSY, and unless you work in the technically creative industries such as design or programming where absolutely everyone has to be enormously IT literate to actually survive, then information about viruses or the latest malware tends to be ignored or forgotten. It’s something to deal with, when you have the time…which tends to be never, as there is always something else that has to be tackled first.
Unlike Generation Y and Z, computers and the internet still don’t come naturally to a lot of individuals who have now reached the stage in their career when they are running their own organisation. Perhaps they’ve mastered what they need to know – email, Google, Microsoft Office and their own CRM programme. Everything else is left up to the person who designed their internet site and ecommerce system. My generation will be the last one that hasn’t grown up using computers in every aspect of their day-to-day lives. (I remember the day my school got its first computer in the 1980s. It had little hole-punched cards, and we used to fight to feed them into the special slot…)
Many of these owners don’t have the scope or cash to have their own in-house IT departments, so they have to handle all their own IT systems themselves, and they just don’t have TIME to deal with threats about mysterious, faceless hackers. It all seems a very long way away and not relevant to their company.
Last month on Reddit.com (the hugely popular social networking site), members were asked if they would personally purchase anything from the organisation where they currently work. The thread was full of individuals writing about the problem of their employers’ poor online security. Some organisations were reported to be actually saving customer data and bank accounts on unprotected Excel spreadsheets, allowing employees to take home sensitive and protected information, or using out-of-date operating systems on their computers with no virus protection at all.
Some CEOs hang on to the idea that internet security doesn’t really MATTER – either because no hacker would be interested in their small business, or because their computers are safe thanks to an antivirus programme installed on their desktops. Many first learned about internet safety in the 1990s, and still hang on to these outdated ideas, or “myths”, not realising that in the world of information security things move incredibly fast, and the bad guys come up with new ways of infiltrating systems every day. Only a small percentage understand the nature of current online threats or how to effectively protect themselves from computer malware.
So I’ve gathered together the top six “mythical” statements about IT security that my consultants and I regularly come across when speaking to SMEs across the UK:
My computer will only be infected if I actually actively download some dodgy looking software.
Yes, your computer will probably become infected if you spend your work lunchtimes downloading pirated software to read an illegal copy of the latest John Grisham on your desktop. However, this is not the only way that hackers can access your computer. Criminals often rely upon the fact that your work computers are set to give permission by default to certain types of download. This has led to the phenomenon of “drive-by downloads”. Hackers are able to secretly embed another webpage in an existing site. If your browser and system are vulnerable to this trick, then the malware is downloaded straight to your PC without you even having to download or click on anything. Another common method is for a hacked site to use a pop-up box (usually an advert), which you then close if not interested. However, the act of clicking to close the pop-up actually initiates the download.
Attacks by cyber criminals are growing. Research from the company Symantec found attacks on small businesses by cyber attackers rose by 300% in 2012 from the previous year, and manufacturing was the most attacked sector in 2012. At 24 percent, it was targeted twice as often as government organizations.
Only dodgy looking websites contain dangerous malware.
Not true. Again, if you are allowed to visit “dubious” websites during your work day, they are more likely to be compromised, but some well-respected sites may be vulnerable as well. (In fact, recent research has shown that adult sites are pretty well protected, and they are usually better designed and much more secure, as the industry needs to protect its customers.) Because webpages often contain lots of content drawn from different sites, it is very difficult to ensure that all the loopholes are blocked. So, just perusing above-board retail sites will still not protect your computer from malware.
I just won’t open any emails coming from Nigeria or use an abandoned USB stick.
Apparently, a little over half of users still believe that email attachments or infected USB sticks are the primary way that hackers spread viruses and malware. While it's still a problem (amazingly, the reason that emails from the Government Investment Bank in Nigeria are still circulating is that some poor souls are still taken in by this particular scam), it is just as easy to get malware on your machine directly through instant messaging, file downloads and visiting websites (see above).
It’ll be fine. I’ve downloaded some free antivirus software / I’m using the stuff that came when we bought our computers.
Some users feel there is no difference between paid-for security software for their company and free anti-virus downloads. Unfortunately, whilst the free stuff may be OK for a single home user, companies really won’t be protected sufficiently to withstand any cyber attack. If you use the trial demo of some security software that came with your machines, and your PC is more than 6 months old, then the demo is probably out of date, and you have not given a security company your authorization to activate or upgrade your protection. So your company is a sitting duck, vulnerable to any cyber-criminal out there who wants to look through your systems.
My computer crashes regularly, but it’s just because it’s old. I’d know if I was infected.
Computer crashes are certainly more common with older computers, but the fact is that over 50% of all PC crashes are a result of spyware secretly installed on your computer. Almost all Internet users around the world are convinced they will know when their computer is compromised, when in actuality, modern malware is deliberately designed to be very hard to detect.
No hacker is going to be interested in me, or my business.
“No one is interested in my small company. I don’t deal with any big companies, all my suppliers are local and I have a small customer base.” I hear this statement all the time!
Even if you are a small manufacturer in the back of beyond, hackers are STILL interested in the stuff on your machines. You will be keeping sensitive customer data (addresses, phone numbers, email addresses – hopefully not credit card details – see our PCI DSS page), employee information such as tax forms and bank account details, and supplier information such as bank details and email addresses. The list is endless. You will probably be logging into your company bank account or doing your taxes online. You will be leaving your digital identity on your computer, and there is nothing criminals love more than a valid online identity. Your computers are a treasure trove for hackers, disgruntled ex-employees or competitors.
Thinking that you’re too small to attract the attention of hackers is the number one mistake, and one that cyber criminals will be only too pleased to exploit.
For impartial expert advice on your small business and the threat of cyber security please contact 2-sec on 0844 502 2066 or email contact@2-sec.com