As a cyber and data security professional working with a broad range of businesses, what is blatantly apparent is that small businesses need to upgrade their awareness of and abilities in cyber security if they are to avoid becoming the ‘soft underbelly’ of the UK’s fight against hackers and cyber threats.
Media reports about security breaches resulting in data loss and other compromises to corporate data integrity usually only make headline news when big-name brands are hit. The resulting concerns about reputational damage have spurred many medium-to-large enterprises (MLEs) into reviewing their cyber security strategies and redoubling their efforts to ensure that their ICT is properly protected, or at least as protected as possible within the context of their risk assessments and IT budgets.
Meanwhile, for small-to-medium enterprises (SMEs), assuming that the scale of threat and risk is of a radically different magnitude, and that hackers, cyber-criminals and other malevolent online agents are only interested in going after larger players, is a mistake. Recent market evidence indicates that SMEs are being increasingly targeted by online threats, because:
- They are perceived as being innately more vulnerable.
- All too often, micro businesses and small businesses plan their IT security under the misconception that their networks and data are already pretty safe because they don’t have anything that would interest cyber attackers.
This is a huge mistake. Part of the problem stems from a lack of understanding of their data assets on the one hand, and of the motivations of hackers and cyber criminals on the other, combined with a misconception that all cyber security solutions are expensive and beyond what their budgets might allow.
However, with cyber-attacks and data breaches being the biggest threats currently facing businesses, it is small firms that are increasingly in the firing line. Figures show that nearly two thirds (61%) of SMEs were hit by an attack last year, while 54% suffered a data breach – both up on the previous 12 months.
Smaller businesses are often seen as a soft target by hackers, due to a lack of security expertise and awareness, plus a shortage of time to implement the right protection. With the average cost of an attack at over £1,500, not to mention the added reputational damage and the potential for fines and sanctions imposed on businesses by the regulatory authorities, it’s time for the issue to move up the business agenda.
So, in the spirit of “knowing your enemy”, here are the biggest risks SMEs should be watching out for in 2018.
As the name suggests, ransomware infects your computer and holds your data to ransom, demanding significant sums for its release. Ransomware attacks were big news in 2017, primarily due to the WannaCry virus, which affected more than 200,000 computers across 150 countries and nearly brought the NHS to a standstill. But that was by no means the only incident; Malwarebytes, the anti-malware software firm, saw a 90% increase in ransomware detections for its business customers over the course of last year.
The most common type of ransomware gains access to computers through phishing emails with infected links or attachments, although newer tactics sneak the malware in through vulnerabilities in your systems and software, as was the case with WannaCry, which exploited a hole in old and no-longer-supported versions of the Microsoft Windows operating system.
The crime rings that perpetrate these attacks are growing more intelligent and sophisticated by the minute, often working as part of large organisations, or releasing exploits to be spread by other criminal groups. SMEs therefore need to have their wits about them to avoid being hit.
You may remember back in 2016 that a massive DDoS attack took down various major websites, including Twitter, Netflix, Reddit, and Airbnb. Well, the DDoS threat hasn’t gone away. In fact, figures show that DDoS attacks increased by 64% last year. These nasties work by flooding a company’s servers with requests, so they are unable to cope and simply shut down. That leaves the business unable to trade for minutes, hours or even days, with potentially catastrophic long-term impacts. And it’s not just big businesses that are affected – small firms are often more vulnerable due to their less sophisticated website architecture.
DDoS attacks can be complex to defend against, as they aren’t caused by a piece of malware as with other hacks. The most important thing is to be prepared and have a response plan in place in case you are hit. Depending on where a micro or small business’s website and email service are hosted, you could be without a website for a period of time, especially if it is hosted in-house on your own servers. Planning how you’ll keep your business running and communicate with customers is paramount. There are DDoS defence services out there.
While the cost is likely to be high for SMEs, it’s something to consider if your website is absolutely integral to running your business and is hosted in-house.
As a micro or small business it is more than likely that your website and email services are hosted externally by a hosting service provider – as part of your planning, it would be a good due diligence exercise to find out what your hosting provider has in place to protect against or mitigate such an attack.
You can have all the sophisticated firewalls and anti-virus software in the world, but it still won’t protect your biggest cyber vulnerability – your people. When it comes to cyber-attacks, technology is just part of the picture, with the majority of breaches also involving some sort of social engineering, where you, or your trusting and helpful employees, are manipulated into giving access to your systems.
A lot of the time, social engineers will ask for information that seems innocuous on its own, but which can be used to devastating effect when combined with additional details gathered from elsewhere. The statistics show that plenty of businesses fall for it, with the Federation of Small Businesses (FSB) estimating that these tactics collectively cost UK small businesses over £5 billion each year.
One of the most common examples is pretexting, where a hacker creates a false scenario to persuade an individual to divulge sensitive information. So, they might pose as your IT provider, saying they need your log-in details urgently, or pretend to be your bank, telling you your details have been compromised and asking you to confirm your identity. They might also pretend to be from companies such as Microsoft, PayPal and others, where the primary motivation is theft of data and/or fraud. In most cases, the social engineer will introduce a sense of urgency to the situation, so you feel under pressure and don’t have time to think clearly about the legitimacy of the request.
The best way to avoid falling for social engineering is to make sure that you (if you are a micro-business) and all your employees are aware of what to look out for, and how to respond if they are targeted. This includes always verifying the identity of anybody calling up and asking for information, checking the origin of any suspicious emails, links and attachments, and ensuring any physical visitors to your premises are who they say they are.
Malicious or not, human error is the most common reason for cyber-attacks and data breaches, with studies showing it’s responsible for as many as 95% of incidents. A breach can be caused by anything from employees accidentally sending sensitive information to the wrong email address, losing their company smartphone, or using default passwords. In fact, in a recent study of 1,000 UK and US SMEs it was found that the overwhelming majority of cyber attacks were a result of poor password management and weak passwords.
When you consider that passwords are the first, and in some cases the only, layer of protection for systems and online accounts against unauthorised access, it never ceases to amaze me that some people not only use weak passwords, but that they recycle them across multiple business and personal accounts.
To minimize the insider threat, businesses need to be proactive about educating staff, by implementing a cyber security policy and holding regular training sessions to ensure everybody is aware of their responsibilities. You can also mitigate the risk by implementing strict user controls and monitoring who is accessing sensitive data, so you can spot quickly if anything untoward is going on.
Getting hit by any of these nasties could mean business downtime, legal and PR fees, and system rectification costs. There are also fines to consider, with the General Data Protection Regulation (GDPR) introducing penalties of up to £20 million or 4% of turnover (whichever is higher) if you’re found in breach of the regulations. So, if you feel like your business could be vulnerable, now is the time to act.
Sure-fire ways to protect your business
- Invest in a decent firewall and antivirus software which can detect and stop ransomware in its tracks.
- Make sure you install any updates and patches as soon as they’re released, to avoid falling victim to WannaCry-style attacks.
- Educate yourself and your employees on the importance of not clicking on suspicious emails and links.
- Back up regularly; this ensures that if you do get hit, your files won’t be gone forever.
Till the next time ~ Stay Safe
… and if you need help or advice, Ares Risk Management is here to help!