Another return to normal is that the Information Commissioner's Office (ICO) is getting busy again and has just fined a charity £10K over a bulk email, sent to 150 people, that disclosed personal information.
So it is perhaps timely to continue the thread I started with an article last week.
That thread highlighted an estimate by ENISA, the EU's counterpart to the NCSC, that across Europe 46% of businesses and a quarter of charities have been hit by a cyber attack in the last 12 months. The figure rises to 68% for medium-sized businesses, but smaller businesses are still very much at risk.
ENISA has identified seven categories of challenges faced by SMEs:
- Low cybersecurity awareness of the personnel.
- Inadequate protection of critical and sensitive information.
- Lack of budget.
- Lack of ICT cybersecurity specialists.
- Lack of suitable cybersecurity guidelines specific to SMEs.
- Shadow IT, i.e. ICT work shifting outside the SME's control.
- Low management support.
I referred to the Director of GCHQ above talking about ransomware. Not having a specific backup policy, or an endpoint anti-malware solution fully deployed on every type of device in use and kept up to date, or running obsolete or simply unpatched software and hardware that does not update automatically, can seriously jeopardise a company's critical and sensitive information and make an SME an easy target for attacks such as ransomware.
ENISA has reported that ransomware was the second most common threat to SMEs, involved in 28% of security incidents. And remember, those are only the incidents that were reported; there is a suspicion that many companies find it easier to simply pay up and stay quiet. Two of the biggest weaknesses reported were weak or reused passwords (56%) and unlocked devices (44%).
The challenges SMEs face in their cyber security preparedness are many and varied, but the clear common underlying issue appears to be management awareness and commitment, together with the management of cyber risk, which in turn drives budget, the allocation of resources and the effective implementation of good cyber security practice.
Taking ENISA's second point: every company, large or small, handles a variety of information daily, much of it critical to its operations: personnel records, customer information, details of production, procurement, financial data, policies, procedures and more. Each has a different value to the business, but each can be expressed in monetary terms. If a piece of data is corrupted, by accident or deliberately, so that you go to market with inaccurate information or a flawed critical process, the effects can be devastating. Likewise, a loss of personal data can result in a fine, as it did for the charity mentioned above. This list is far from exhaustive, and identifying this information, classifying it according to its value and giving it a risk score may seem laborious and difficult, but it is in fact the bedrock of the protections you need to put in place.
In the coming weeks I'll tackle the other five categories identified by ENISA.