Posted: Tue 29th Mar 2022
Cyber crime is so prevalent now that failing to protect your small business against it could be very expensive – and not just financially. If you suffer a data breach, it can stop your business in its tracks – halting your operations, harming your reputation, and wearing away the trust and goodwill you'd built up over time with your customers.
In this blog, we explain what data breaches involve and how they happen. We also look at what you can do if your data is stolen and what measures you can put in place to keep your data secure.
A data breach is when someone accesses, changes or deletes your data without permission, usually because of weaknesses in your IT security.
Generally speaking, there are three types of data breach:
A malicious attack – either by cybercriminals or 'bad actors' inside your organisation
A breach due to human error – by careless employees or contractors, for example
A systems glitch – this might be because a business process you have in place has failed
The following are the most common causes of data breaches within businesses of all sizes.
A denial-of-service attack is when a cybercriminal floods your website or network with internet traffic so that its resources become overwhelmed and genuine users are prevented from accessing it.
Ransomware is a type of malicious software (malware) that cybercriminals use to encrypt data on your network, essentially locking it away and stopping you from gaining access to it. They then demand a ransom payment to restore it.
In some cases, the cybercriminals view, copy and/or export data from your network before encrypting it, then threaten to leak it publicly if you don't pay the ransom. However, it's important to know that paying the ransom doesn't always guarantee that the cybercriminals will restore your data.
Many websites and apps use SQL databases to store important and sensitive data, such as customers' usernames, passwords and credit card details. In an SQL injection attack, cybercriminals exploit flaws in how a website or app builds its database queries, so that the input they supply is treated as SQL commands rather than as data. Those commands then allow them to access, modify and delete data as they wish.
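As an added illustration of the flaw described above (example code written for this post, not code from the original article or from Avast's products), the constructed login lookup below builds the same query two ways: by pasting input straight into the SQL text, and as a parameterised query in which input is only ever compared as data. The table, account and test input are all made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample database standing in for the "usernames, passwords
    # and credit card details" the post mentions. A real system must store
    # password hashes, never plain text; kept simple to show the query difference.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, password TEXT, card TEXT)")
    conn.execute("INSERT INTO customers VALUES ('alice', 'correct horse', 'card-ending-1234')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username, password):
    # The query is assembled by pasting user input into the SQL text. The
    # database cannot tell where the query ends and the input begins, so
    # input that contains SQL syntax changes what the query does.
    sql = ("SELECT username, card FROM customers WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username, password):
    # Parameterised query: the SQL text is fixed and the driver passes the
    # values separately, so they are only ever compared as data.
    sql = "SELECT username, card FROM customers WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    # Constructed input that contains SQL syntax instead of a real username.
    conn = make_db()
    hostile = "' OR '1'='1"
    return {
        # The pasted-in query returns a customer row with no valid credentials.
        "vulnerable_rows": len(lookup_vulnerable(conn, hostile, hostile)),
        # The parameterised query treats the same text as a literal username.
        "safe_rows": len(lookup_safe(conn, hostile, hostile)),
        # Genuine credentials still work with the parameterised form.
        "safe_valid_login": len(lookup_safe(conn, "alice", "correct horse")),
    }


if __name__ == "__main__":
    print(demo())
```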
Phishing is when a cybercriminal contacts you by email, phone or text message, pretending to be someone you know. They might ask you to open an attachment or click a link that, without your knowledge, contains malware or a virus, or fool you into giving them valuable data.
Phishing is the most common cyber attack. The government's Cyber Security Breaches Survey 2021 found that 82% of the businesses surveyed had suffered a form of phishing attack.
A criminal insider is someone, often an employee or contractor, who abuses their position to access and then leak sensitive information. Typically, they do it for profit or to harm the organisation in some way.
Unlike a criminal insider, an accidental insider is someone who unintentionally causes a data breach, whether it's through falling victim to a phishing scam, using a personal device on a company network without authorisation, or using weak passwords, for example.
Data breaches can happen if someone within your business loses a laptop, hard drive, mobile phone or USB drive containing sensitive information, or has such a device stolen from them.
If you have the misfortune of suffering a data breach, here are some measures to take to make your business more data-secure:
Change all your passwords. Do this on every account you have, regardless of whether they were breached. Choose long, complex passwords and use two-factor authentication (2FA) where possible. A password manager can help you create and store them; read more about password managers and how to choose one.
Contact your bank or other financial institutions. Tell them that you've suffered a data breach and ask them to check your accounts for anything that looks like fraud. Ask them to send you fraud alerts and consider changing your account details or replacing cards.
Update your software. Secure your systems and fix vulnerabilities by installing updates.
Be proactive. Learn about potential threats and stay alert to signs of suspicious activity.
In 2021, the average yearly cost to a business that had lost data or assets in a data breach was £8,460. That shows the impact of these breaches can be devastating, particularly for small and micro businesses that don't have the security of huge cash flows or budgets.
Fortunately, there are steps you can take to make it harder for cybercriminals to break into your IT systems and steal your data.
Install firewalls. A firewall is your first line of defence. It blocks unauthorised traffic and helps stop malicious software from entering your network.
Install antivirus software. A comprehensive business antivirus solution will block, detect and remove threats like malware, and should also protect you against phishing scams.
Install encryption software. Encrypt sensitive data so that anyone without authorisation to see the information cannot read it.
Use a virtual private network (VPN). Setting up a VPN allows you to send data via secure channels and stop it being intercepted by cybercriminals or hackers.
Use strong passwords. Make it standard practice for people on your network to use complex and unique passwords and change them regularly.
Make mobile devices secure. If employees use personal devices for work, you have far less control over security (passwords, access, use of public wi-fi and so on). Put in place a bring your own device (BYOD) policy that sets out clear expectations for each employee, and spend some time on training to highlight the potential threats.
Educate employees. Highlight the importance of cyber security and train employees to recognise cyber-security threats and take appropriate action.
Communicate. Give employees regular reminders of how dangerous it can be to click links or attachments in emails from senders they may not be familiar with.
Make people accountable. Make sure every staff member is aware of their own role and responsibilities in protecting your business's data.
Set up new starters. Determine what new starters need in terms of access to data, systems and devices and set them up accordingly.
Process leavers. Have a policy in place for what to do when people leave your company, including promptly resetting passwords.
Review returned devices. Wipe or securely destroy data where necessary.
Stay up to date. Scan your network and devices frequently and check for necessary upgrades. Install any updates or patches from trusted software providers as soon as possible.
Prepare for emergencies. Devise an emergency response plan that sets out what you'll do if you suffer a data breach.
Back up data. Do this regularly so you can easily restore it if the worst happens.
Get a free 30-day trial of our integrated security platform, the Business Hub with Antivirus and Patch Management. Easily manage both security solutions centrally from one location for multiple devices.
Avast Business provides simple yet powerful security solutions for SMBs and IT service providers. Backed by one of the largest, most globally dispersed threat detection networks, the Avast Business security portfolio makes it easy and affordable to secure, manage, and monitor business devices.
The result is superior protection that businesses can count on. For more information about our managed services and cybersecurity solutions, visit www.avast.com/business.