Instances of high-profile security breaches have rarely been out of the news this year. From Deloitte to Equifax, big businesses have been hit hard by cyber attacks resulting in the loss of sensitive data, and the financial and reputational fallout that follows.
Nevertheless, it would be wrong to assume that only large, global enterprises are targets for hackers. Many cyber attackers are opportunistic and will follow the easiest route to steal data or extort money through ransomware attacks. For this reason, smaller businesses are increasingly becoming a prime target. At a time when they are more reliant than ever on access to cloud services and systems, just one serious security incident can have devastating consequences for the company’s bottom line. Unlike their larger counterparts, small enterprises make for a soft target as they can lack the resources to implement effective security measures, which means that the basics can go unchecked.
Ensuring that businesses can defend themselves against the dangers lurking on the internet is a multi-faceted issue. Yet with significant implications for the businesses targeted – and for the wider economy – it’s in all our interests to ensure that small businesses can do more than the bare minimum and operate above the ‘security poverty line,’ a term coined by my colleague and industry veteran Wendy Nather that describes the point below which a company cannot effectively protect itself from cyber security threats.
The soft target
According to data compiled by insurance company Zurich, some 875,000 SMEs across the UK have been affected by a cyber attack over the last 12 months. Attackers will take advantage of weak cyber defences to steal data or extort money through ransomware attacks, and the losses incurred from the business downtime and cost of recovery can be more than some businesses can withstand. It has been reported that more than half of SMEs that are hit by a cyber attack do not recover. The wider economic implications of this are significant, with FSB research showing that cyber attacks on small businesses now cost the economy over £5 billion a year.
Findings from our own research suggest that many smaller businesses are struggling to implement even the basics when it comes to cyber security. More than 36 percent of UK small businesses report that they consider themselves to be operating at, or below, the ‘security poverty line.’
Protecting against attacks
Putting adequate protections in place requires time and money, but our research points to the fact that the issue isn’t simply down to budgets. The dynamics are more complex; knowledge and awareness also play a large part in determining how smaller businesses go about protecting themselves from security threats. In fact, small businesses perceive that lack of knowledge on combating cyber threats is a bigger issue than either money or employee awareness.
Visibility is also essential: if you’re not monitoring for attacks then you simply won’t be aware of the scale of the problem, and incidents will go undetected. Anecdotal evidence shows that small businesses can be daunted by the task of protecting against cyber crime. The thought is, if the largest organisations, with the biggest budgets, can fall victim to attacks, then what hope is there for them? There’s also a perception that, as a small business, they don’t have anything of value to a cyber attacker – our survey found that 44 percent of small business owners believe that they’re not a target for hackers.
Awareness and education
Government, industry and small businesses all have a part to play in tackling the problem. In recent years, several government programmes have been introduced with the aim of raising the profile of cyber threats and providing advice, such as the Cyber Essentials accreditation, and Cyber Aware. These are all positive initiatives; however, there are indications that more can be done to better communicate these programmes, as only 26 percent of small businesses consider the government’s measures effective in making them more cyber resilient.
Although it’s getting harder to spot the tactics used by cyber criminals, small businesses should not feel helpless in the face of heightened risks. There are basic measures that every business – regardless of budget – can put in place. One technique favoured by criminals is the use of social engineering to launch targeted spear phishing attacks, which mimic genuine emails so that the attacker can gain access to usernames and passwords. A good starting point is to train staff on the security basics: draw on information sources to inform employees of the risks and vulnerabilities of these emails, and teach them how to identify suspicious links and not to open them.
Encourage staff to follow good password practice:
- Use complex passwords, which is one of the easiest and most effective methods an employee can use to protect data.
- Do not reuse passwords across websites.
- Add another layer of protection through two-factor authentication (2FA).
- Keep software up to date – criminals can exploit vulnerabilities in out-of-date software.
- Back up data regularly and encourage staff to speak up if they notice any strange activities on their devices.
These are all low-cost, high-value measures that require more of an investment in time and commitment than in pounds and pence.
Henry Seddon is vice president EMEA of Duo Security