The true cost of cyber crime and why SMEs are a target
8 min read
26 April 2016
Security expert Emma Philpott has said: “There's a lot of great talk, but most SMEs do nothing about cyber security. It's shocking.” Is your business among those Philpott is referring to?
It may make harsh reading but Philpott was actually simply confirming what most in the security industry will tell you – that SMEs rarely have clear, watertight security processes in place and this presents a rather inviting opportunity to hackers.
SMEs are an absolutely vital part of the UK economy, accounting for 99.9 per cent of all private sector businesses at the start of 2015, with a total employment figure of 15.6m people.
The combined annual turnover of SMEs was £1.8tn, which accounted for 47 per cent of all private sector turnover in the UK. This is hugely positive and has been a significant factor in the nation’s economic recovery. However, that success is also why the security problem is so serious and needs to be addressed.
It isn’t that SMEs are over-confident or ignorant to the threat of cybercrime. They read the papers too and they too see the likes of TalkTalk and Sony suffering the reputational and financial impact of an attack. But this is part of the problem.
The majority of SMEs suffer from a crippling inferiority complex – believing they are not at risk because they are not big or important enough to be a target to hackers.
They are wrong. Millions of consumers share their data with SMEs every day and most large companies work with SMEs in their supply chain. This makes them a very attractive proposition to criminals looking to get hold of valuable data – whether corporate or personal.
Aside from the value of the data they hold, there are essentially two core reasons why SMEs are a very attractive target to a hacker:
(1) SMEs don’t tend to have the same level of security in place as larger counterparts. This means they are not only an appealing option to hackers, they are often an easy one.
(2) SMEs are often part of the supply chains of larger companies and could therefore provide hackers with a way in to attack the “big names”.
Be proactive, not reactive
Security is a complex area. Threats are continually evolving, with cyber criminals increasingly intelligent in their approach to beating defences.
A good example is the increasingly common Advanced Persistent Threat (APT). This is a network attack in which a cybercriminal gains access to a network and stays there undetected for a long period of time. This is very different to threats of yesteryear which were all about getting into a system and making a lot of noise and obvious impact to disrupt the user.
The intention of an APT attack is to steal data rather than to cause damage to the network or organisation. Generally speaking, APT attacks tend to target organisations in sectors with high-value information, such as national defence, technology or digital businesses and the financial industry.
Mitigating against such attacks is very challenging and larger businesses invest in highly complex security systems to protect themselves. SMEs often don’t feel they can afford such investment but the truth is that there are some security measures that can be taken without huge cost.
There are five fundamental security measures every business should have in place. These are: web security with perimeter firewall, application control, network segmentation, IPS (Intrusion Prevention Systems) and email security. If these are put in place, you begin to build a defence with these security pillars as your foundation. As the business grows, further investment can be then made and built on top of this.
Read more on cyber crime:
- Tricks of the trade to avoid cyber scammers
- Eight ways British SMEs can fight hackers and prevent cyber crime
- Ashley Madison hack could be hugely lucrative, but that’s not the only thing to fear
Go small to win big
Having these security measures in place is vital because it’s not only their own data SMEs need to protect. Hackers may attack a SME not to gain access to their customer or corporate data – but with a whole other agenda in mind.
Many SMEs work with enterprise partners as part of a supply chain, helping larger organisations to provide the best solutions to their customers.
For example, a multi-national IT services company may provide a managed service but the chances are some of the solutions within that – perhaps cloud hosting – will be provided by their partner, which will usually be a SME.
However, this also leaves them both vulnerable. Hackers know that SMEs will usually have less robust security in place than the larger businesses and so are an easier target and can use the SME to access the systems of big-name larger brands.
This may well be the most damaging threat to a SME. Not only is their data at risk, but if they are found to be the weak link in a large organisation’s security defence, they will likely lose that partner and the hundreds of customers that come with them. The reputational and financial damage that will do could be catastrophic to a small business.
This is why, alongside having the core five defences in place, SMEs must adhere fully to security regulation. Even if certain regulation is aimed at large businesses and SMEs are not held accountable to them, our advice would be to comply.
We know compliance is a painful process for SMEs – it can be time-consuming and therefore costly. The Data Protection Act and PCI-DSS payment card regulations in particular were criticised for exactly this.
But SMEs must persevere – there is no avoiding compliance, even if it does not necessarily lead to better security. Because what it will always do is protect relationships with larger partners. Coupled with at least a basic level of security, the SMEs become far less attractive to a hacker.
In taking a smarter approach to cyber security, SMEs protect their future – readying themselves for growth and making themselves a watertight part of a cyber defence strategy.
Elsewhere, in attempt to be forward-thinking, House of Fraser launched Twitter campaign so strange that users suspected a hack.
David Navin is head of corporate at web security firm Smoothwall