In May the security of the official Sussex’s wedding photographers was breached, and private photos were released. This highlighted that it’s not just large companies who can be the targets, and victims, of a cyber-attack. In this article we explore the cyber risks faced by smaller companies, and how they can protect themselves from the threat.
A photographer’s skills lie in capturing great moments which last forever, rather than data security. The unauthorised release of the Sussex wedding photos however showed it’s still important that they think about cyber security – and the harmful potential of a data breach of even a small company.
The paparazzi and cyber extortionists would love to steal un-released photos. While the rich and famous often have great physical and digital security, their supply chain represents a great opportunity for people looking to get hold of these photos. Many in that supply chain – whether they be photographers or others, may be smaller or independent companies without the means to invest in dedicated cyber-security resources.
It is unlikely the cause of the breach will be published, but as often the case, it was probably not difficult – the common method used in the past has been targeting the email account or cloud provider and then password phishing or guessing to gain access.
Small companies supplying the rich, famous and powerful are not hard to find – their names are known, and are often listed in the press. The easiest breach will likely start with a criminal trying to socially engineer the firm by phoning or emailing them. Contacts details will be online, and the end target will be helpful since they’re looking for extra business.
Supply chain audits are usually carried out by FTSE 100 firms or the public sector, not by private households. Supplier assurance usually stops at asking the supplier high level “paper based” questions like “Do you do security awareness training?”, “Do you have an asset & risk register?”, and “Do you have a PCI-DSS or ISO 27001 certification?”. It should go deeper than this but rarely does.
However as we’ve seen, just because they aren’t subject to such routine audit, or don’t have extensive resources, doesn’t make smaller companies any less of a target.
The good news is there is a set of easy and cheap precautions small companies can take to minimise the risk of a data breach. Below we list eight simple steps all small firms can, and should, take, to protect themselves against data breaches.
1. Staff training
Ensure all staff – from the front desk to the CEO, are aware of the risk of phishing, phone ‘blagging’, or socially engineering information from the company; and that all information is considered sensitive, not just passwords. Ensure they know how and where to report suspicious contact.
2. Disk encryption
Most standard operating systems have disk encryption options ‘out of the box’, and additional software is cheaply available. Ensure all computers have the hard drive fully encrypted and protected by more than transparent boot (TPM).
3. USB security
Avoid using USB sticks at all – they are easily and frequently lost. Make sure you know how many you have, where they are, and what’s stored on them. Where they have to be used, fully encrypt (not “encrypt as you fill out”) the devices, or even better, buy FIPS 140-2 hardware encrypted USB sticks with a physical PIN pad.
4. Beyond antivirus
Free ‘standard’ antivirus software is unlikely to be sufficient. Ensure you have up-to-date software from a well-known anti-virus provider, and are using something with more than just signature detection.
5. Email security
Beware of free ‘mass’ email accounts. Stick to well-known enterprise email providers. Ensure you know where your emails are stored, there is enhanced antivirus/antispam protection, and two-factor authentication.
6. Cloud security
Whilst Cloud storage solutions can be a boon for productivity, take extra care to ensure that the login is secure. Do not sign up/login with a publicly known email address. Pick a provider with “zero-knowledge”, two-factor authentication login, and which stores the data in a country with better privacy laws – such as Switzerland or Germany.
7. Secure sharing
Sharing files online can be a risky activity, and a significant source of data breaches. Areas of SME websites where clients can login for file-sharing can be particular targets. For file-sharing, create a private shared folder on your Cloud storage platform. For sensitive material, do not upload to the internet or cloud at all, instead burning to (encrypted) DVDs, physically delivering, and then destroying the DVD once the file transfer is complete.
8. Data disposal
Don’t leave data lying around on DVDs, USB sticks or portable hard drives. Keep any unencrypted storage media (like camera SD cards) in a safe, copy files to encrypted enterprise storage at the first available opportunity, and then ensure the files are deleted off the card. A format will not render the files unrecoverable, so either physically shred the memory card or overwrite it.