When it comes to cybersecurity, many startups operate under an attitude of “we’re too small to be targeted,” assuming that hackers will focus on bigger companies with more money and data. Basic security measures like antivirus software are common, but does your startup regularly update and improve its systems, or does this task to protect slip down the priority list? Are all staff briefed on new security risks and how to handle them, or is this the domain of just one person or department?
Startups and small businesses can suffer from a lack of IT resources compared to bigger companies, with less staffing and budget to implement cyberprotection. But with the cost of a security breach so much higher than the cost of security itself, finding space in your budget for employee education can’t be overlooked.
Around 66 percent of small businesses have been victims of cybercrime, and the average SMB will be attacked around four times every two years.
While security system updates can offer your business protection in the short term, cybercriminals are always looking for new weaknesses to exploit; and if your startup is using innovative tech like artificial intelligence (AI) and other machine learning tools, it’s important to make sure employees are aware of potential risks that may arise.
Abuse of AI and machine learning
Artificial intelligence is a common concept in the modern world, but its use can sometimes feel like something from the future. The good news is that already, AI is helping to automate the spotting of potential threats, improving cybersecurity by making threat detection more efficient.
While this is a very useful tool, evidence already shows that the use of this technology for business security is cultivating a response from criminals, who are creating equivalent AI tools. Using machine learning to identify “blind spots” in threat detection systems, criminals can adjust malware files, gradually learning to sidestep detection and creating an opportunity to move malicious files without detection.
Avast’s recent Threat Landscape report notes that sophisticated “spearphishing” attacks using AI have already been targeting organizations around the world, while research using AI-bots found that they were capable of producing phishing scams far more effective than those made by humans.
A 2018 report on AI and the potential for its malicious use agreed that regulatory frameworks need to be established to prevent AI from making hacking easier and more accessible. But until this happens, startups must be aware that any AI they’re using to automate parts of their business is inherently hackable. And by fooling AI networks, hackers can create a range of issues from bypassing your spam filters to misclassifying machine learning, potentially gaining access to (and damaging) your sensitive data.
How to protect against it
- There are a variety of tools that your business can use to defend against malicious attacks, including professional security software that, in essence, becomes your own in-house AI security expert. Avoid corner cutting in data security, and ensure that annual budgeting allows for a standard of software that can keep up with, and outsmart, hacking developments.
- To minimize the risk of human error, for example, where an employee may be fooled by an AI phishing scam, it is vital that all staff are trained to recognize and deal with potential security issues. Good endpoint protection is another level of backup here, which flags and blocks suspicious emails and attachments before they reach your staff. Staff should also know to use IoT devices with caution.
The Internet of Things
Adding online capabilities to everyday devices has become incredibly popular in recent years. Smart lights, locks and thermostats are common in many homes and are expected to reach 31 billion connected devices worldwide in 2018. While these devices continue to rise in popularity and begin to be used in offices, so does the security risk they pose.
Due to the benefits and ease of setup, it seems that security is currently coming second to convenience with IoT devices. With a lack of universal safety standards and 47 percent of IT managers thought to have introduced IoT devices to their network without changing default passwords, these devices could be potentially adding multiple entry points to your network, undermining your security and putting sensitive data at risk.
By 2020, it is expected that as many as 25 percent of cyberattacks will target IoT devices.
While IoT devices continue to grow in popularity, the technology is still in its infancy, so it needs to be approached with care and caution.
How to protect against it
- If IoT devices are required in your business, then it is vital to treat things like webcams and personal assistants with as much care and attention as your laptops and servers. This means using third party security software, applying updates as soon as they are available and changing default passwords. Otherwise, what may seem like an innocent device could become an open door for data breaches in the future.
- Where possible, adding a separate network for IoT devices would keep the devices isolated and away from sensitive data.
- IoT should be included in your IT department’s strategy and basic security procedures. This should be enforced alongside a bring your own device (BYOD) policy for all staff. As each new device is added, the security policy should be assessed and revised to keep it in line with recent tech developments.
Fileless malware uses a very simple process. Rather than utilizing a tool that could be flagged by antivirus software, the aim is to get malicious scripts into a device that will then make use of processes already running on the system. As this code is placed in a device’s memory rather than installed as a system file, it is temporary and difficult to trace.
Due to the low footprint and lack of files to scan, detecting fileless malware can prove to be very difficult. Fileless attacks on businesses are becoming increasingly prevalent. Ponemon Institute’s 2017 State of Endpoint Security Risk Report revealed that 77 percent of attacks against U.S. businesses in 2017 used fileless techniques or exploits.
How to protect against it
- While it is hard to see, fileless malware is not entirely undetectable, you just need to know where to look. To prevent fileless malware attacks, it is vital to make sure that your systems are monitored for changes to regular behaviors. This includes keeping an eye on security logs for abnormally large amounts of data being transferred, which is a strong red flag.
- For malicious script to be placed, the attacker first has to gain access to your system, so make sure that updates are implemented regularly and that endpoint security is in place.
- While macros are useful, disabling all but the essential will minimize the amount of unsecured code on your system. For those that are required, ensure that they are digitally signed so that only approved macros can run.
The future of cybersecurity is an ever-changing landscape and it will continue to evolve as technologies develop and reveal new methods to protect against attacks. At the same time, cybercriminals will be looking for weaknesses in the new systems.
By taking steps to assess and protect all connected devices and technologies inside their network, startups and other small companies can prevent outsiders from exploiting potential gaps in their security.