Imagine you’re a small company that sells various widgets from your shop on the high street and online across the UK.
You think you’re pretty organised, and have systems/policies in place to satisfy standards in health and safety, environmental health, trading requirements and everything else. All is ticking over nicely. Even your social media strategy is up and running. You feel safe and secure…
As usual for the SME business owner, there is always something else that needs sorting – yet one more cloud on the horizon which isn’t likely to go away.
This time it is the threat of “cyber-crime” and the damage it can cause to your business.
It seems easy to dismiss. You think of cyber-crime and cyber security in connection with weird pasty teenagers sitting on their computers all day and night, who eventually manage to hack into the White House, or huge financial organisations accidentally pressing the wrong button one day and managing to send everyone’s NI number and bank details to criminal gangs overseas.
However, it is more of a threat to UK SMEs than everyone realises. A recent survey by IT security company Kaspersky Lab found a staggering 75% of UK SMEs believe that their businesses are too small to attract the attention of hackers, with a further 59% of those polled arguing the information they hold is not of interest to cybercriminals.
At a recent conference for cyber security professionals at Coventry University, a MoD spokesman (who wished to remain anonymous) described the growing threat of organised cyber security crime, with the rather desperate overtones of an impending zombie apocalypse.
“There's a threat; they really are out to get you. We know they're out to get you, we really, really, really do know that they're out to get you. We have been there, seen it and watched what's coming out of the networks”.
If you need any further persuading, according to the 2013 Information Security Breaches Survey, commissioned by the Department for Business, Innovation and Skills, the cost to UK plc of security breaches is of the order of billions of pounds a year. More than six percent of SMEs reported an ‘extremely serious’ security breach during the past year.
It’s still easy to sit back and say, “What’s the problem? I just won’t click any suspicious emails or visit any “not safe for work” websites…how on earth are these supposed hackers going to cause issues with my tiny widget business?”
Read on…
Six ways YOUR business may be targeted:
- Your internal and internet-facing network. How strict is your wireless access? Who has permission to install software, and how regularly do you back up critical systems? Then think about the internet aspects of your business. How regularly are your internet connections and web applications tested for vulnerabilities? Is your firewall properly maintained? Badly maintained and protected wireless and internet connections can easily let in hackers and other cyber criminals. If it isn’t secure, it could let in the following nasties…
- Malware (phishing, viruses, Trojans, worms, spyware and zombies) – short for malicious software, this is software used to disrupt computer operation, gather sensitive information, or gain access to private computers to find personal data, passwords and financial information. Malware is becoming more sophisticated, with recent malware programs all targeted at siphoning financial information. The people behind the malware programs are cyber-crooks, out to defraud individuals and organisations for financial gain. They steal personal banking information to transfer money out of users’ bank accounts and into their own. They also launch distributed “denial of service” attacks against corporations and ask for money in exchange for an end to the attack – basically, a form of blackmail.
- Revenge Hacking – in business, it’s easy to annoy someone enough to make them want to target you. Disgruntled ex-employees or unsavoury competitors can try to hack into your system to disrupt your company. An SME in the North East of England was the most recent victim of a “revenge hack”. An employee who had been sacked for gross misconduct hacked into the energy company’s system, shut down the online shop and website for a full two days, and posted a rather unsavoury message on their website and social media platforms. It took a full two weeks to change the passwords and reset the system, and left a huge dent in the company’s profits and reputation. Other employees might just download databases of information, and share them elsewhere for their own profit, or take them to a competitor.
- Bring your own device to work – More than 95% of SMEs already allow personal devices to connect to internal systems, but few are fully considering the risks. These include personal laptops, smart phones or tablets. These are usually not checked by the company so could be infected with malware that could then infect your network, or could be used to download databases full of sensitive company data. Further risk comes in the form of overloaded networks – the extra capacity needed to run all these devices can overload your networks, letting malware sneak in to cause major problems.
- Make sure your suppliers aren’t your weakest link – The cloud is a technology many SMEs are interested in because of the benefits of flexibility, cost and less money needed for new hardware. But there remain questions over its security. Make sure you use professional, reliable providers and suppliers – check online reviews and reports – otherwise badly created or maintained systems can be easily infected. Perhaps you could even create a short series of questions for your suppliers to check that THEY understand the need for cyber security, and they are doing their best to protect their own business and customers against cyber criminals.
- The employee – As a small business, you probably have less money to invest in in-house IT expertise, preferring to use IT support partners when and where needed. It is the individual employee who could be a problem. You could spend thousands on cyber security, and still be let down by an individual who unwittingly clicks on a “phishing” email, or brings in an infected USB device.
Damage to YOUR business
Any one of these cyber threats and crimes can cause HUGE problems for your small business. Once your security is breached, and the criminals have gathered information on your customers and their financial information, it will take you a long time to recover. One depressing statistic reports that 60% of SMEs that have been a victim of cyber-crime fail within 6 months…
Sorry to be negative. But the damage to your brand will probably be irreparable. Your reputation will most definitely be damaged. No one is going to want to shop with a business that is unsafe, and may be unwittingly sending their details to be used by criminal gangs for their own nefarious purposes.
Huge businesses have massive problems once their security is breached (look at the recent Target security breach, the Orange data hacking problem, the Yahoo data breach), so can you imagine what it can do to a small business like yours?
Not only that, but if you supply a larger business, and they discover you’ve been hacked, they’re going to drop you like a hot potato. No one wants to do business with someone who could infect their IT systems. Small companies are vulnerable, and this vulnerability moves up the chain. For example, a small firm may have their email hacked, handing the cybercriminals details of the large enterprises that they supply, who the large company’s contact is and what they buy. This information can then be used in phishing attacks on the big businesses.
Small and medium sized businesses need to realise how damaging cyber-crime can be, and how their lack of knowledge and interest makes them especially vulnerable to these criminals.
Alright, alright! I get it! So, how do I protect against these problems?
You don’t have the IT budget of the big companies, but there is still a lot you can do to stop these cyber threats.
- Staff awareness, education and training – Educate yourself and your employees on the importance of safe and secure computing. Speak to an expert, who can tailor his advice to the size of your company and the threats it may face. Understand what cyber threats are, the types that you might face, and the problems they could cause. Have regular training sessions to educate the team on best practice – what to do when bringing in their own device and the types of dangerous emails they may receive.
Don’t overdo it though, and don’t be bullied into buying or implementing systems that are far too complicated or expensive for the size or type of business. Speak to a reputable security expert.
- Invest in security – Understandably, smaller businesses might not always have the cash reserves available to support a large investment in IT security. There’s a strong argument that says that one single data breach could cost a firm much more than the initial investment, but sometimes it simply isn’t possible to find the money upfront. In many cases though, a significant improvement in cyber risk can be achieved at little or no expense.
- Card compliance – If you use credit card payments in your business, you have to investigate and understand PCI DSS compliance. Compliance is a painful process for many SMEs, and to many the PCI DSS payment card regulations are time-consuming and expensive. Often the questionnaires run to 40 in-depth questions, and many SMEs don’t have the knowledge to understand what they actually want and need. Make sure you get the right advice. Be wary of any consultant who doesn't first ask you why you need to hold credit card data. There is sometimes no need to actually retain any cardholder details and therefore compliance might not even be necessary. Get the advice of a professional and knowledgeable service provider – it might save you hundreds of pounds.
- Cyber insurance – There is a slowly growing market for cyber insurance. Although this isn’t a preventative measure, an insurance policy can be incredibly helpful should the worst happen, after an incident. Recent research found that only 12% of businesses surveyed had invested in cyber insurance. With the frequency of cyber-attacks increasing, surely the insurance providers need to reach out to start educating businesses as to the benefits – especially the vulnerable SMEs?
Cyber-crime is a threat that isn’t going away any time soon and, unfortunately, is only going to get worse.
SMEs need to stop ignoring the problem; they need to face up to this fact, become educated and take action to protect their businesses before they’re caught out.
For a free, no obligation chat about the possible threats to your SME business, and the steps to prevent them, please contact Tim Holman and his company 2-sec on +44 (0) 844 502 2066 or email tim.holman@2-sec.com