Reported cyber attacks cost the UK economy an estimated £29 billion per year, and unreported crimes could amount to far more. Fortunately, the efforts that criminals invest into cyber crime are more than matched by individuals and organisations fighting back.
Whilst combating cyber crime remains a burden for SMEs, it need not be excessively expensive. Employing sensible habits and “best practices” goes a long way to protecting small companies from attacks.
Technology has redefined the way we communicate and do business. Nowadays, companies of all sizes heavily depend on the smooth running of their IT systems. So it’s imperative that business leaders assess the impact cyber crime could have on their organisation, take measures to prevent falling victim to it, and learn how to recover.
The majority of cyber attacks exploit basic vulnerabilities in IT systems and software. DDoS attacks, ransomware, phishing scams and data dumping are examples of some of the most well-known crimes. While there may be no obvious motivation to target your SME, cyber attacks aren’t necessarily directed at specific victims. Rather, the attacker might target many -- tens, hundreds, even thousands of -- people or organisations in the hope of maximising the chance of ‘success’. Therefore the risks remain the same for any organisation.
It’s estimated that small and medium-sized enterprises have a 1 in 2 chance of experiencing a cyber security breach of some kind. On average, this costs SMEs £1,400 and, in the worst-case scenario, the company closes down as a result of the losses, disruption and downtime incurred.
As a result of cyber crime, the government is tightening up on data protection requirements for SMEs. From May 2018, fines will be issued by the Information Commissioner’s Office to companies failing to comply with the General Data Protection Regulation (GDPR). This means SMEs may be punished for not protecting data on customers, suppliers and staff.
Essentially, the responsibility is on small-business leaders to invest shrewdly in both cyber security and staff education. Through the remainder of this guide, we aim to make it easier for you to assess the controls and risks within your organisation, and to encourage you to take preventative measures going forward.
There are simple, effective steps you can take to reduce the likelihood of a cyber attack within your SME:
These steps won’t protect your business against every attack, but they will plug the most common security gaps.
Keep in mind that all IT systems become more vulnerable with age. Yesterday’s technology isn’t as efficient or secure as it once might have been. Be sure to regularly update your systems.
If you have the basics covered, then you should look to protect your business against more specific cyber attacks and security vulnerabilities. The first step is to identify the potential threats, and learn what solutions are at your disposal. Your business will have very different needs to other SMEs; it depends on your line of work, and what role technology plays in that.
We recommend SMEs refrain from spending a fortune on tightening their security, and first use the government’s Cyber Essentials questionnaire, which was launched in 2014. This highlights ways you may have undermined your own security without realising. It helps to guard against the most common cyber threats, and also demonstrates your organisation’s commitment to cyber security.
In the next section we provide advice for preventing the most common cyber threats.
Whilst there can be no such thing as security perfection, with the right tools and mindset, you can defend against the majority of cyber crimes. So what exactly are the most common cyber threats to SMEs, and how can they be dealt with without loss of productivity?
Malware -- short for malicious software -- is software that was created with the intention of infiltrating, damaging or disabling computers. It is commonly referred to as a “virus”, as it can often spread through a host computer and network. It can be planted on a computer through email attachments, downloads or file transfers.
There are two main types of malware:
Some malware aims to steal information about your activity (e.g. your bank details) -- this is known as “spyware”. Other types of malware produce screen popups with adverts, and are referred to as “adware”. Malware that spreads or replicates itself is colloquially known as a “worm”. You could easily have one or more forms of malware without even realising -- it’s not always obvious.
Malicious software attacks aren’t anything new. They have existed for decades, and according to the Department for Business, Innovation and Skills, more than 25% of UK SMEs suffered a virus or other malicious software attack in 2013.
The same scams that occur in everyday life also take place online. Cyber fraud often starts in the form of spam emails or messages, sent to a large volume of recipients in the hope that some people will respond and fall victim. These are commonly known as “phishing scams”.
Most scammers claim to provide a product or service. They’ll often pose as an official source (e.g. a bank, insurance company, financial service, or individual person). Cyber fraudsters’ aim is to trick victims into buying a non-existent product or service from them, or to obtain their payment details.
Some types of fraud are particularly suited to cyber attackers:
Encryption is the process of coding data in order to hide information and prevent its unauthorised use.
Most SMEs already use encryption to some degree. Mobile telephone transmissions are encrypted, as are most modern wireless network transmissions. Some tablet computers and laptops also incorporate data encryption as a standard feature.
In theory, encryption is a great way to go. But basic mistakes can render it useless. If an attacker can easily find or guess the encryption key, the data is no longer concealed, and the encryption has achieved nothing.
Unfortunately, you can’t assume that everyone surrounding your business will be honest and well intentioned. Trust remains an issue in any sized organisation.
Unauthorised users must be prevented from using IT equipment and gaining access to privileged or confidential data. This applies to current staff, those who have left the company, and especially those outside the company.
Most small-business security breaches are caused by failure to control access.
Computer theft or vandalism is highly disruptive to any business reliant on IT. Replacing expensive stolen or damaged equipment is one matter; crucial data falling into the wrong hands is another.
The Office for National Statistics reveals that computers are now the most commonly stolen item in UK burglaries. This comes as no surprise, as most modern devices are small, portable and have a relatively high resale value.
It is also worth noting that more sophisticated criminals with physical access to your devices are able to set up electronic ‘back doors’ in them, allowing data to be accessed remotely without anyone realising. Thus not every data security breach is set up purely electronically. Physical factors still play their part in some cyber crimes.
Around 90% of UK SMEs allow their staff to connect remotely to their IT systems. Many also let staff use privately owned devices, such as smartphones or tablets. Whilst this helps to make the business more flexible and location independent, remote access technology brings additional security issues.
Unlike office computers, which are physically fixed to a desk within a building, portable devices are small and easily transported -- and therefore attractive to thieves. They’re often used to connect to various networks, and to interact with other devices. The chance of infection or data interception, compared with wired systems, is much higher.
Despite this, an estimated one in five businesses do not protect remote devices used by employees.
Traditional wired networks are difficult to connect to without anyone knowing. A wireless network, however, is a more attractive proposition to an attacker. An outsider may be able to connect to the WiFi, beat the encryption, and gain sensitive information -- such as the details of your clients.
Wireless networks are typically protected by encryption and strong user authentication. The WPA2 protocol is the modern standard. Using it should be a priority for businesses and individuals alike.
Cloud computing involves the delivery of IT services over the internet. It brings many benefits to SMEs, including scalability and protection against data loss.
There are three main forms of cloud computing:
Cloud service providers usually share their resources between many customers. Their physical locations may vary, too. Therefore the downside to using them is that they reduce transparency, control and protection within your SME.
Note that businesses are still responsible for data protection whether or not it’s stored in the cloud.
Firewalls regulate information that flows between networks. They examine data and decide if it should be permitted to pass on to its destination. Many of the routers provided by Internet Service Providers (ISPs) for broadband connections have built-in firewalls.
Any business with an internet connection is susceptible to network intrusions. Thus a firewall is a must-have.
By law, you are required to protect data you hold and process about your customers, suppliers and staff. For advice on how to keep personal information secure read the
Staff managers and business owners can utilise the free online cyber security resources from the government: Cyber security Training for Business
The Take Five Stop Fraud website provides advice on how to prevent and deal with cyber fraud. It elaborates on several of the topics we’ve touched on in this post.
You can report cyber crimes to the police via Action Fraud.