Small fish, big lucrative pond: who’s protecting VSBs from cybercrime?

From British Airways to Ticketmaster – it might be the data breaches of big businesses that make the headlines, but the risk of cyberattack is very real for all companies. Despite not being in the public eye or a household name, very small businesses (VSBs) reliance on technology to run their operations efficiently and profitably makes them just as vulnerable to attack as their larger counterparts. And if the worst does happen, it could be crippling.

For big businesses with dedicated IT managers, large-scale and multi-layered IT protection systems are an affordable form of defense. But what happens at the other end of the spectrum, to the VSBs – those with fewer than 50 employees – who often lack the dedicated support and budgets required to safeguard themselves from rising threats?

The data and information they hold might be less in volume but can be just as lucrative and valuable if it gets into the wrong hands. VSBs can also be a prime target for cybercriminals looking to infiltrate a bigger entity, because they can offer a point of entry for a supply chain attack or malware launch which could infect a much bigger fish.

The security of VSBs is vitally important. Just one incident can bring huge financial costs, lost partners’ and customers’ trust, and signal the end of their business if operations are disrupted or halted as a result. Microsoft and Amazon were startups once, and if either of those had been killed off by malware in their early stages, we’d be living in a very different world today! An economy without VSBs is stagnant and dying, because even the smallest businesses help to drive growth, innovation and achievement.

Resource restraints

Data security is constantly in the headlines; whether it’s new legislation, the discovery of new malware, a data breach affecting a global firm or yet another phishing attempt, businesses simply cannot afford to overlook the safety of their data and networks. The potential effects — legal, financial, reputational — are just too great.

But for VSBs, the management of IT in general – and security in particular – often falls to an outsourced IT manager working for the company part-time, or someone internally who does not have sufficient resource or experience to create a high-grade protection system.

In fact, when Kaspersky Lab surveyed over 1,800 VSBs in its B2B IT Security Risks survey 2018, 32% of them said they even entrust cybersecurity to employees who do not have expertise in that area. Bearing in mind that even a single data breach can ruin a small business, that’s quite a frightening figure. In many businesses (also 32%) just one person was in charge of all IT and cybersecurity issues. In other words, resources and expertise are scarce.

Threats to customer and business data

Maximizing operational efficiency through technology is key for growing businesses, but without the right controls in place, strategies to enable this could affect the security of company data and long-term success of the business. The use of BYOD is a great example of this, with many very small businesses (16% in our study) letting staff store personally identifiable customer information on their own devices, which they use for work.

Let’s imagine that a small food shop, with a small but growing customer base that it regularly contacts via e-mail, allows staff to bring their own devices to work which they store sensitive customer data on. The employer can impose security rules and protection during the working day, perhaps via a firewall and VPN, to ensure company and customer data is protected. But what happens to the security of that data when staff leave the office?

How can you be sure that your employees aren’t connecting their device to insecure Wi-Fi, where data or emails can be intercepted? Or visiting a non-work-related website and inadvertently infecting their device with malware. These actions could have disastrous results for the safety of company data.

Any business, however small, that processes client or other sensitive data must comply with GDPR and similar legislation, with any breach proving catastrophic in terms of fines, financial, operational and reputational consequences.

But for many VSBs, the use of mobile devices and remote working is essential to the success of their operation. It can make them leaner, more responsive and save them money. Indeed, some start-ups don’t have an office at all, with other businesses encouraging employees to use their own devices, saving capital investment costs.

Our study of VSBs revealed that more than one in ten operated without a permanent office or place of business and this generates a question in terms of security: if there is no central office, where is security controlled from?

In a similar way, the ability of VSBs to be mobile and/or use remote labor are big advantages, and of the VSBs we spoke to 14% said their business had to be mobile, while more than a quarter (27%) used home-based workers and 18% had workers based at a client’s site.

Yet whenever employees use mobile devices away from the organization’s base, whether they own the device, or the business does, security risks arise. Smartphones and tablets are easily lost or stolen, and malware infections cause downtime at best and the loss of sensitive data at worst.

Ransomware: the biggest threat?

By way of an example, ransomware is one such malware threat that has affected businesses large and small. Despite the recent infection of National Health Service computers with ransomware in the UK making the headlines, it’s not just the domain of enterprise-scale companies. Of the VSBs we spoke to who had suffered a malware incident in the past 12 months, 37% experienced two or three infections by ransomware.

But these statistics don’t really communicate the sheer human misery that ransomware can cause. Of the ransomware victims we surveyed, nearly half (43%) lost data for several days and over a quarter (27%) lost access for weeks.

For a VSB, that kind of loss can be absolutely devastating, and in many cases, if the threat of potentially massive fines from the authorities doesn’t stop them trading, the resulting loss of business trust and reputational damage may do so.

Imagine, for example, an independent clothing store that trades mainly online, suddenly loses access to all of its business data, including stock, accounting and supplier information, due to a ransomware attack. No doubt employees will act immediately to try to limit the damage, but meanwhile, the ransomware is busily spreading to all of the other computers on its network and perhaps even to other businesses and individuals.

Now imagine that this VSB still hasn’t got its data back after four days, then a week. How likely is it that such a business can recover fully from that, if at all?

So what’s the solution?

VSBs face the same threats to their data and IT security as multinationals, yet they lack the resources and expertise needed to acquire and operate the solutions used by big businesses. Indeed, VSBs don’t need that level of provision. They need provision tailored for them, security that transcends that for the domestic market, but is less onerous than that used by large companies.

Kaspersky Lab has the solution. Kaspersky Small Office Security is designed specifically for VSBs, and any employee can administer it – even those without any specialist IT security expertise. The interface resembles that of domestic products deliberately, so users will find it familiar and easy to navigate, even though the functionality is tailored for business and suitably powerful.

Operation via an online console means that users can manage and monitor security from anywhere or even outsource it to an external specialist. This makes it ideal for VSBs that don’t have a main office, or those that use lots of remote devices.

It protects at PC and server level: the System Watcher component that is available for Windows file servers as well as computers protects sensitive business data, blocking the action of exploits and rolling back any activity performed by malicious applications. For example, if there is evidence that a program is performing operations that suggests it has been infected by ransomware, those operations can be blocked and rolled back, preventing further infection.

To secure remote workers and those on the move, mobile security and management technologies within Kaspersky Small Office Security protect sensitive information on employee-owned devices. The ability to locate, lock and wipe missing devices provides peace of mind that company data is not at risk, should devices end up in the wrong hands.

Very small businesses are the lifeblood of our economies: somewhere in the current crop of VSBs are the beginnings of tomorrow’s multinationals, the next generation’s Facebook and Google. With Kaspersky Small Office Security, VSBs have the provision they need, and can turn their attention the most important tasks of all — growth and progress.

Methodology

The Kaspersky Lab Global Corporate IT Security Risks Survey is an annual study into the state of IT security within organizations across the world. This report’s findings are based on 1,800 interviews that took place in 29 countries. Fieldwork was completed in March-April 2018