Many small and medium business owners underestimate their risk of being targeted by cyber criminals, believing they are a less attractive target than bigger organisations. Worryingly, the opposite is true: hackers are increasingly focusing their efforts on small businesses, because SMEs tend to have weaker defences than larger businesses, usually owing to a lack of financial and human resources.
In June 2016, the Federation of Small Businesses (FSB) released a report, ‘Cyber Resilience: How to protect small firms in the digital economy’, that suggests small firms are unfairly carrying the cost of cyber-crime. The findings show that despite the vast majority of small firms (93%) taking steps to protect their business from digital threats, two thirds (66%) have been a victim of cyber-crime in the last two years.
During this time, those affected have been victims on four occasions on average, costing each business almost £3000 in total. The report suggests that smaller firms are collectively attacked seven million times per year, costing the UK economy an estimated £5.26 billion.
Cyber threats are becoming increasingly sophisticated, requiring higher levels of protection, staff awareness, and vigilance.
The types of cyber-crime most commonly affecting small businesses are phishing emails (49%), spear phishing emails (37%), and malware attacks (29%), although ransomware is rapidly gaining ground.
Types of Cyber Crime
It is likely we have all been potential victims of a phishing attempt at some point. Phishing aims to collect sensitive information in order to gain access to otherwise protected data, networks, and systems. Hackers use email, social media, phone calls, and any other form of communication they can to steal valuable data. Phishing attacks are not personalised to their victims and are usually sent to large numbers of people at the same time. An example might be an email purporting to come from HMRC or a bank requesting you to take action. Links within the email take those who click to a site that may look convincing but requests personal data, such as passwords, PINs, and other sensitive information.
Spear-phishing is similar to phishing, but with one key difference. Rather than contacting large numbers of people en masse in the hope that one or two will be fooled, spear-phishing targets specific victims with personalised messages that appear to come from a familiar source. Spear-phishing attackers try to obtain as much personal information about their victims as possible to make their emails and phone calls appear more legitimate, researching their victims by searching online and on social media. This makes spear-phishing attacks more difficult to identify than ordinary phishing attacks.
Malware is essentially any piece of code with malicious intent that typically steals data or destroys something on a computer. Viruses, worms, and Trojan horses are all types of malware. These are often introduced to a computer through email attachments, software downloads, or operating system vulnerabilities.
Ransomware attacks are increasing in prevalence because they are relatively low-budget, low stakes for the attacker, and don’t require much skill to pull off. Attackers gain access to your files via malware, which may find its way onto your computer if you download a malicious attachment, visit a compromised website, or join an infected network. They then encrypt your files and demand a sum of money to release them back to you.
Password attacks involve attackers attempting to crack your password, often by using software that guesses word combinations or compares them against a dictionary file.
How Can Businesses Protect Themselves?
Currently just a quarter of smaller businesses (24%) have a strict password policy, four per cent have a written plan of what to do if attacked online, and just two per cent have a recognised security standard such as ISO27001 or the Government’s Cyber Essentials scheme.
In order to minimise the risk of a successful cyber-attack, it is necessary to address two strands – the human, and the technological.
When it comes to protecting your business from cyber-attacks, your employees are one of the most important lines of defence. Human error and negligence account for a large proportion of successful cyber-attacks, many of which could be avoided with improved staff awareness. Training staff on how to select strong passwords, how to identify suspicious emails and links, and the correct procedures for reporting suspected threats and security incidents will benefit your organisation’s cyber security.
Four in five small firms (80%) use computer security software, and over half (53%) perform regular updates of their IT systems. Both are crucial for ensuring your business is protected. Enabling automatic updates ensures your business has the latest protection against threats to your systems’ security.
Businesses should also strengthen their protection against attempts to crack passwords by using two-factor authentication. This provides an extra layer of security by requiring a secondary access key, in addition to a password, before granting access to your systems. Examples include a smart card, a hardware token, a fingerprint, or a one-time password sent to another device, such as a phone or tablet.
It is always best to act before your business is damaged by cyber-crime, but knowing where to start can feel overwhelming to anyone who does not consider themselves a specialist. Fortunately, the government has put together free online training courses to help businesses protect against cyber threats and online fraud. A specific module has been designed for staff in micro, small and medium-sized businesses. It helps employees and business owners understand information security risks and how to protect against fraud and cyber-crime. The training takes 45–75 minutes and is available here.