Business journalist Jenny Brookfield looks into why SMEs are often considered the ‘lowest hanging fruit’
We’ve all heard of any number of high profile cyber breaches. Companies like TalkTalk, Sony and Ashley Madison have all hit the headlines as the victims of embarrassing attacks.
There are many cautionary tales like these but it seems that many small to medium sized businesses still don’t believe that cyber criminality will affect them. According to research conducted for the Department for Business, just 27% of small businesses deemed this a risk worthy of insurance cover in 2015.
Maybe this is because smaller businesses don’t believe they will be targeted. The same study, however, also revealed that 74% of SMEs suffered a cyber breach during that same period – up from 60% on the previous year. On average, the small businesses attacked suffered four breaches during that 12-month period.
It has been suggested that this increase is because small businesses actually present the perfect target for a certain breed of cybercriminal. The type of criminal that doesn’t fancy taking on the sophisticated security measures deployed by large enterprises when there is easy money to be made elsewhere.
This is costing small businesses huge sums. The government survey revealed that the average cost of the worst security breaches falls between £75,000 and £311,000. But simply looking at the monetary value doesn’t paint a true picture of the real impact. You also have to factor in the intangible after-effects of business disruption, the loss of potential sales and intellectual assets, as well as the potential damage to company reputation.
The growth of ransomware
One of the fastest growing attack vectors causing this damage is ransomware – which saw a 35% increase in 2015, according to Symantec. This type of attack involves criminals breaching a company network and encrypting corporate data, which employees are then denied access to until a ransom is paid.
DS Gary Sirell, a cybercrime protect and prevent officer with West Midlands Police, says criminals will often use ‘spear-phishing’ emails. This approach uses personal information (often obtained on social networks) to appear trustworthy in order to dupe victims into downloading ransomware. According to research by Verizon, the number of people clicking on phishing emails actually grew from 23% in 2015 to 30% this year.
DS Sirell claims it’s important for companies to train their staff how to spot these threats as ‘prevention is better than the cure’.
“A lot of companies think they need technical solutions, whereas often what is just as important is regular staff training around cyber threats and how to spot phishing emails,” DS Sirell said. “Obviously the response to cyber threats isn’t just owned by the IT department, or the company directors. It has to be everyone’s responsibility, as anyone can click on the wrong email and leave the whole business vulnerable.”
The weakest link
With individuals often seen as the weakest link in the corporate armoury, criminals are using any number of methods to trick employees into letting their guard down.
Tactics witnessed by IT managed service provider Icomm Technologies have included the use of cloned email addresses which can look almost identical to an internal company communication. One such incident saw a PA almost conned into believing her managing director had requested a bank transfer. Other techniques have included ‘brute force’ attacks – where hackers try a large number of password combinations to try to gain access to your system.
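The cloned-address tactic described above is something a mail gateway or a simple inbound filter can flag before the message reaches a PA's inbox. The following is an added example, not code from the article or from Icomm Technologies: it classifies the sender of an email `From:` header against the company's own domain and reports the reasons a sender looks like an impersonation (the company domain appearing inside another domain, digit-for-letter substitutions, near-miss spellings, or an email address hidden in the display name). The company domain, the sample headers and the edit-distance threshold are constructed placeholders for illustration.

```python
from email.utils import parseaddr

# Constructed placeholder for the organisation's real mail domain (assumption).
COMPANY_DOMAIN = "example-ltd.co.uk"

# Constructed sample From: headers, not taken from any real incident.
SAMPLE_HEADERS = [
    "From: Managing Director <md@example-ltd.co.uk>",                     # genuine internal
    "From: Managing Director <md@examp1e-ltd.co.uk>",                     # digit 1 in place of l
    "From: Managing Director <md@example-ltd.co>",                        # truncated domain
    "From: Managing Director <md@example-ltd.co.uk.invalid-mail.test>",   # company domain as a subdomain
    "From: Accounts <accounts@gmail.example>",                            # ordinary external sender
    'From: "md@example-ltd.co.uk" <attacker@webmail.test>',               # address hidden in display name
]

# Common digit-for-letter substitutions used to make a domain read like the real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Maximum edit distance at which a domain is still treated as a near-miss (assumption).
NEAR_MISS_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header: str, company_domain: str = COMPANY_DOMAIN):
    """Return (verdict, reasons) for one From: header.

    verdict is 'internal' (exact company domain), 'lookalike' (one or more
    impersonation indicators) or 'external' (unrelated domain, no indicators).
    """
    company_domain = company_domain.lower()
    name, addr = parseaddr(header.partition(":")[2].strip())
    domain = addr.rpartition("@")[2].lower()

    if domain == company_domain:
        return "internal", []

    reasons = []
    # An address-looking display name is a classic trick: the client shows the
    # name, the real envelope address is something else entirely.
    if "@" in name:
        reasons.append("display name contains an email address")
    # The real domain embedded in a longer one, or a truncated copy of it.
    if len(domain) >= 8 and (company_domain in domain or domain in company_domain):
        reasons.append("shares the company domain string")
    # Digit-for-letter substitution: normalise and compare again.
    if domain.translate(HOMOGLYPHS) == company_domain:
        reasons.append("homoglyph substitution")
    # A small number of edits away from the genuine domain.
    if 0 < levenshtein(domain, company_domain) <= NEAR_MISS_DISTANCE:
        reasons.append("near-miss spelling of the company domain")

    return ("lookalike" if reasons else "external"), reasons


def scan(headers):
    """Classify a batch of headers; returns a list of (address, verdict, reasons)."""
    results = []
    for header in headers:
        _, addr = parseaddr(header.partition(":")[2].strip())
        verdict, reasons = classify_sender(header)
        results.append((addr, verdict, reasons))
    return results


if __name__ == "__main__":
    for addr, verdict, reasons in scan(SAMPLE_HEADERS):
        print(f"{verdict:9} {addr:45} {'; '.join(reasons)}")
```

A check like this belongs at the gateway rather than in the user's hands: a message whose verdict is `lookalike` can be tagged with a visible banner, routed to a quarantine, or simply have its display name replaced by the bare address so the recipient sees what they are really replying to. It does not replace SPF/DKIM/DMARC on the company's own domain, which is what stops a criminal sending mail as the genuine address in the first place.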
“Hackers are out there with very heavy resources at their disposal, looking for computers to compromise. As much as any antivirus and anti-malware software is there to prevent these things from getting through, the criminals are adapting,” said Mark Lomas, IT consultant at Icomm.
He adds: “There’s often an attitude among SMEs that it’s not going to happen to them because they’re not a big target, but everybody is a target by virtue of them having IT and being online.
“In the eyes of the cyber criminal you’re just an internet address and if they can get in they will probe to see what they can do, regardless of the size of your business or IT estate. If your system has vulnerabilities they will find them.”
When it comes to ransomware, there are cases where companies have managed to combat this by finding relevant unlock codes on the internet, but it appears most businesses end up paying the ransom. To avoid such incidents DS Sirell advises organisations to consider the implications of any cyber attack and ensure a suitable business continuity and disaster recovery plan is in place.
“Compare it to physical security; you wouldn’t dream of going out without locking your door but in a virtual sense many people don’t do these sensible things,” he said. “It’s becoming too easy for criminals at the moment and they are targeting the low hanging fruit. We have to make it harder for them and force them to invest more time and money into hacking. Hopefully, in the meantime, they’ll be caught.”
Top tips to avoid becoming a victim:
- Adopt the right attitude. Accept that if you have an internet connection you are a potential target. It is essential, therefore, to have a good firewall and anti-virus software, and to keep software patching up to date.
- Train end users. Anti-virus can only provide so much of a safety net. It’s important that employees are aware of why they need to have strong passwords and exercise caution when it comes to suspicious emails.
- Put policies in place. Do you have a bring your own device (BYOD) policy protecting the network? Think about who you are granting permissions to and what areas of the network they can access.