Cyber-attacks and data breaches are among the biggest threats currently facing businesses, and small firms are increasingly in the firing line. Figures show that nearly two-thirds (61%) of SMEs were hit by an attack last year, while 54% suffered a data breach, both up on the previous 12 months.
Smaller businesses are often seen as a soft target by hackers, due to a lack of security expertise and awareness, plus a shortage of time to implement the right protection. But with the average cost of an attack at over £1,500, not to mention the added reputational damage, it’s time for the issue to move up the business agenda.
So, in the spirit of ‘knowing your enemy’, here are the biggest risks SMEs should be watching out for in 2018.
As the name suggests, ransomware infects your computer and holds your data to ransom: it encrypts your files and demands payment, usually in cryptocurrency, for the key to unlock them. Ransomware was big news in 2017, primarily because of WannaCry, which affected more than 200,000 computers across 150 countries and disrupted large parts of the NHS. But that was by no means the only incident; Malwarebytes, the anti-malware software firm, saw a 90% increase in ransomware detections among its business customers over the course of last year.
The most common type of ransomware gets onto computers through phishing emails carrying infected attachments or links, but some strains need no click at all: they exploit vulnerabilities in your systems and software to spread on their own. That was the case with WannaCry, which used a flaw in the SMBv1 file-sharing service in Microsoft Windows to move from one unpatched machine to the next across a network. Microsoft had released the fix (MS17-010) two months before the outbreak, so machines that had been patched were not infected by the worm.
The crime rings behind these attacks are becoming more organised and sophisticated, often operating as large groups, or leasing their ransomware to affiliates who run the campaigns in return for a cut of the proceeds. SMEs therefore need to have their wits about them to avoid being hit.
There are a number of actions you should be taking to protect yourself and your business. Invest in a decent firewall and antivirus software, which will catch known ransomware strains (though not necessarily every new one). Install updates and patches as soon as they are released, to avoid falling victim to WannaCry-style attacks, and, probably most importantly, educate employees not to open suspicious emails, links and attachments. Finally, back up regularly, and keep at least one copy offline or otherwise out of reach of your network, because ransomware will happily encrypt a backup drive that is permanently connected; test that you can actually restore from it. Then, if you do get hit, you know your files won't be gone forever.
You may remember that back in 2016 a massive DDoS attack on the DNS provider Dyn, launched from the Mirai botnet of hijacked internet-connected devices, took down various major websites, including Twitter, Netflix, Reddit and Airbnb. Well, the DDoS threat hasn't gone away. In fact, figures show that DDoS attacks increased by 64% last year. A distributed denial-of-service attack works by flooding a company's servers or internet connection with traffic from thousands of machines at once, until legitimate customers can no longer get through. That leaves the business unable to trade for minutes, hours or even days, with potentially catastrophic long-term impacts. And it's not just big businesses that are affected: small firms are often more exposed, because their websites sit on hosting with little spare capacity and no mitigation in place.
DDoS attacks can be awkward to defend against because, unlike most other attacks, there is nothing on your own systems to detect or remove; the traffic comes from compromised machines elsewhere, and what you do control is simply overwhelmed. The most important thing is to be prepared and have a response plan in place in case you are hit: know who to call at your hosting provider, and plan how you'll keep your business running and communicate with customers while the website is down. There are DDoS defence services which use a process called 'scrubbing', routing your traffic through their network so that attack traffic is filtered out and only clean requests reach your servers. Dedicated scrubbing is likely to be expensive for an SME, although some CDN-based services now offer entry-level tiers, so it is something to consider if your website is absolutely integral to running your business.
You can have all the sophisticated firewalls and anti-virus software in the world, but it still won't protect your biggest cyber vulnerability – your people. When it comes to cyber-attacks, technology is just part of the picture, with the majority of breaches also involving some sort of social engineering, where your trusting and helpful employees are manipulated into giving an attacker access to your systems.
A lot of the time, social engineers will ask for information that seems innocuous on its own, but which can be used to devastating effect when combined with additional details gathered from elsewhere. The statistics show that plenty of businesses fall for it, with the Federation of Small Businesses (FSB) estimating that these tactics cost small businesses over £5 billion each year.
One of the most common examples is pretexting, where an attacker creates a false scenario to persuade an individual to divulge sensitive information. So, they might pose as your IT provider, saying they need your log-in details urgently, or pretend to be your bank, telling you your details have been compromised and asking you to confirm your identity. In a lot of cases, the social engineer will introduce a sense of urgency to the situation, so you feel under pressure and don't have time to think clearly about the legitimacy of the request. Remember that a genuine IT provider or bank will never ask you for your password.
The best way to avoid falling for social engineering is to make sure all employees are aware of what to look out for, and how to respond if they are targeted. This includes verifying the identity of anybody who calls asking for information, by hanging up and calling back on a number you already hold rather than one the caller gives you; checking the origin of any suspicious emails, links and attachments; and ensuring any physical visitors to your premises are who they say they are.
Malicious or not, human error is the most common reason for cyber-attacks and data breaches, with studies showing it is responsible for as many as 95% of incidents. A breach can be caused by anything from employees accidentally sending sensitive information to the wrong email address, losing a company smartphone, or leaving default passwords unchanged on equipment and accounts. In fact, a recent study showed the majority of attacks on SMEs relate to poor password management, such as weak or reused passwords.
To minimise the insider threat, companies need to be proactive about educating staff, by implementing a cybersecurity policy and holding regular training sessions so that everybody knows their responsibilities. You can also mitigate the risk by giving each person access only to the data their role needs (the principle of least privilege), and by logging and regularly reviewing who is accessing sensitive data, so you can spot quickly if anything untoward is going on, such as access outside working hours or an unusually large download.
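What "monitoring who is accessing sensitive data" looks like in practice, as an added example that is not the article's own material: a review pass over a constructed access log that flags three things a small firm can act on, access to a dataset the person's role does not cover, access to sensitive data out of hours, and an unusually large export. The log format, the role table, the business hours and the bulk threshold are all assumptions made for the illustration.

```python
"""Review a (constructed) access log for the warning signs of an insider
problem: out-of-role access, out-of-hours access, bulk export. Added example;
roles, datasets, hours and thresholds are assumptions, not the article's."""
from collections import defaultdict
from datetime import datetime

# Assumed least-privilege model: which sensitive datasets each role may use.
ROLE_ACCESS = {
    "finance": {"payroll", "invoices"},
    "sales": {"customers"},
    "hr": {"payroll", "personnel"},
}
USER_ROLES = {"alice": "finance", "bob": "sales", "carol": "hr"}
SENSITIVE = {"payroll", "invoices", "customers", "personnel"}
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59, assumed
BULK_THRESHOLD = 100            # records exported per user, dataset and day, assumed

# Constructed log lines: "<ISO timestamp> <user> <action> <dataset> <records>"
SAMPLE_LOG = """\
2018-03-05T09:12:44 alice read payroll 3
2018-03-05T10:03:10 bob read customers 12
2018-03-05T10:41:02 bob read payroll 1
2018-03-05T23:47:39 carol export personnel 40
2018-03-06T14:20:15 bob export customers 250
2018-03-06T14:25:00 dave read invoices 2
"""


def parse_line(line):
    """Split one log line into a dict; the format is an assumption."""
    ts, user, action, dataset, records = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "action": action, "dataset": dataset, "records": int(records)}


def review_access_log(log_text):
    """Return a list of alert strings for events worth a second look."""
    alerts = []
    exported = defaultdict(int)   # (user, dataset, date) -> records exported so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dataset"] not in SENSITIVE:
            continue                                   # only sensitive data is reviewed
        role = USER_ROLES.get(ev["user"])
        if role is None:
            alerts.append(f"{ev['user']}: unknown account touched {ev['dataset']}")
            continue
        if ev["dataset"] not in ROLE_ACCESS[role]:
            alerts.append(f"{ev['user']} ({role}) accessed {ev['dataset']} outside role")
        if ev["time"].hour not in BUSINESS_HOURS:
            alerts.append(f"{ev['user']} accessed {ev['dataset']} out of hours "
                          f"at {ev['time']:%H:%M}")
        if ev["action"] == "export":
            key = (ev["user"], ev["dataset"], ev["time"].date())
            before = exported[key]
            exported[key] += ev["records"]
            # Alert once, at the moment the day's running total crosses the threshold.
            if before <= BULK_THRESHOLD < exported[key]:
                alerts.append(f"{ev['user']} bulk-exported {exported[key]} "
                              f"{ev['dataset']} records in one day")
    return alerts


if __name__ == "__main__":
    for alert in review_access_log(SAMPLE_LOG):
        print("ALERT:", alert)
```

On the sample log this produces four alerts: a sales account reading payroll, an HR user exporting personnel records near midnight, a 250-record customer export, and an account that is not in the role table at all. None of these is proof of wrongdoing, but each is a question a manager can ask the same day rather than discovering the answer months later.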
Getting hit by any of these could mean business downtime, legal and PR fees, and system rectification costs. There are also fines to consider, with the General Data Protection Regulation (GDPR), which applies from 25 May 2018, introducing penalties of up to €20 million or 4% of worldwide annual turnover (whichever is higher) for the most serious breaches of the regulation. So, if you feel like your business could be vulnerable, now is the time to act.
About the author
Ben Rose is co-founder and insurance director at Digital Risks, a specialist insurance provider for digital businesses. With 14 years’ experience in international insurance broking, risk management, underwriting and claims, he is an expert in the cyber risks faced by businesses, including data breaches, cyber-attacks and data protection regulations, such as GDPR.