What should we learn from the infamous British Airways data breach?

Back in September 2018, British Airways hit the headlines when it became the latest in a long list of high-profile organisations to fall victim of a data breach at the hands of malicious hackers. Events like this inflict significant reputational damage on brands involved, while the customers affected face inconvenience, and, perhaps more importantly, stress and uncertainty over what it really means for them personally.

But what about smaller start-ups and growing businesses? Should they all be bracing themselves for similar attacks too? To answer those questions, it is important to first understand who this new mysterious breed of cyber criminals are and what they stand to gain from an attack like this.

A hacker's view on hackers:

It's child's play:

I personally started hacking at the age of eleven. It really stemmed from curiosity and a healthy appetite for mischief. While my first ‘hack' involved a soldering iron and a friend's Sony Walkman, I quickly moved onto modems, dial-ups and into the systems of a couple of companies - notably one of the "big four" consultancy firms, who subsequently recruited me to help set up the UK's first ethical hacking department.

My first forays into hacking were in the early days of the internet, but today there is a generation of talented, curious young people who are growing up living and breathing technology. They are pushing forward what technology is capable of, finding flaws in existing systems and connecting with likeminded people anywhere else on the planet.

Businesses today face the challenge of harnessing this talent in a positive way and make helping their business through "white hat" hacking a more attractive proposition than going down the "black hat" malicious hacking route.

The human target:

Hollywood movies have created a common idea that hacks involve sneaky individuals getting into systems by hacking direct into the machines themselves in the dead of night. This is no longer the case. Hackers today typically don't attack computers directly. Computers are hard targets with solid defences, so instead they go for the weak link - the people who use them!

The vast majority of cyberattacks against companies are human-targeted attacks. Unlike machines, people are vulnerable to psychological trickery. Hackers can directly target people inside a company, and by tricking them into opening emails or revealing insufficiently secure passwords, they can then use tools like spyware and malware to take control of systems from wherever they are in the world.

Infiltrating the inbox:

Email-based hacking is the fastest growing form of cybercrime. It was the mechanism used by Russian hackers in 2016 to compromise Hilary Clinton's campaign HQ, sending emails targeting John Podesta and other high-ranking officials to get spyware into the DNC computer system.

While businesses can invest a lot of money to create secure systems, you are only as strong as your weakest link, and unfortunately these systems are used every day by humans. It is vital that employees are urged to stay vigilant and trained in best practices, because it only takes one cleverly worded email and hackers can attack your system from the inside out.

It's all about the money... or is it?

When we see stories like the British Airways data breach, it is very easy for us to imagine why someone would want access to more than 300,000 people's credit card details. This leads many business leaders - particularly those running smaller companies or firms who aren't directly processing payments - to fall into the trap of thinking "nobody would care about our data" and subsequently take a lax view when it comes to cybersecurity.

While some hackers are of course intent on major financial fraud, that is not the only motivation. Some are intent on little more than mischief, while others might have a personal reason for targeting a particular company, such as "hacktivists" hitting organisations because of a political or social motivation.

What should small businesses be doing to protect themselves?

The reality of today's digital world is that your data is your business. Customers, staff and partners trust you with their invaluable data every day, so you owe it to them to keep it safe from the threat of hackers or that trust could quickly disappear.So, what should a small business be doing, and what mistakes are you likely to be guilty of - here are five top tips:

1. Don't think that it won't happen to you:
Despite the growing threat, many SMEs still believe they're too small to be a target. Whatever your size or industry, your business has data that is valuable.

2. Don't be blasé with the basics: Implement solid password policies, make sure ex-employees don't continue to have access to your systems, dispose of old computers properly and secure all wireless access points.

3. Don't ignore your systems and software updates:

These alerts always seem to pop up just when you're on a deadline, and the temptation is to ignore them repeatedly. But doing so can leave you more vulnerable to an attack. Trusted software updates, whether to your operating system, website or anti-virus software, often include vital security upgrades that will help defend against new and evolving cyber threats. Outdated products just can't protect against the latest risks.  

4. Don't attempt to handle security internally:

Investing in the latest anti-virus software is a good plan, but it's not enough to fully protect your company and data. The complexity of cyber threats calls for expert knowledge. Having trusted security professionals who know how to mitigate problems as they arise, monitoring your systems round-the-clock, is the key to thorough cyber security.

5.Don't forget to engage your staff:

You might have Pentagon-level security plans in place, yet an unthinking action by an employee can bring your defences down in minutes. The majority of data breaches are a result of human error, whether that is emailing an attachment that contains sensitive data to the wrong person, accidentally downloading malware from a suspicious link or just poor password practice, so provide regular training and robust policies for employees.

For more information go to www.uncloak.io