Showcasing the Best of Welsh Business

SMEs and the New Breed of Cyber Criminal


In recent months cyberattacks have made for big headlines and huge pay-outs for multi-national corporations, creating uncertainty about how best to protect the value small business owners have worked to create. Here, Ben Russell, from IT consultancy business Intelligent IT Solutions, gives his advice on the best approach…

Rarely does a month go by without a news story on the latest firm to suffer a security breach, from Yahoo and the massive data breach that led to 1 billion user accounts being compromised, to the poor security at TalkTalk that led to the theft of customers’ personal data. We’re used to hearing these stories about huge corporations and, as small businesses, could be forgiven for thinking we’re at less risk of anything like this ever happening to us.

In fact, small businesses may be at greater risk. Recent statistics from the Barclaycard SME Survey show that 48% of small businesses in the UK were targeted by cyber criminals in the past 12 months, 10% of these on multiple occasions.

So why is this? Perhaps because a lot of small businesses grow quickly, and often almost by accident. What starts out as a one, two or three-man band, so to speak, frequently wins more and more work and almost overnight can end up with office space, IT equipment and a handful of employees. This can happen before a business has had time to implement a proper, robust IT system and educate staff about the risks. There’s also the common attitude among smaller businesses that they aren’t at risk of hacking, that the data they keep isn’t particularly sensitive, or that no one would be interested in them.

There’s a particular breed of cyber criminal who actively targets SMEs. Generally, SMEs have more digital assets than a consumer but fewer than an enterprise. They often have a less complex security posture than enterprise businesses; IT may be outsourced on an ad hoc basis, or rely on one person in the organisation who has a particular interest in it but isn’t actually a specialist.

Today’s cybercriminals make a career out of hacking. The rewards are smaller for an attacker who goes after SMEs rather than big businesses, but the rate at which they can be compromised is much higher – it’s quicker, so attackers are often targeting several organisations at the same time. On top of this, smaller businesses are often used as a stepping stone to reach larger enterprises through the supply chain.

So what are the cyber threats facing small businesses?

Phishing – one of the most commonly deployed forms of cybertheft, phishing involves collecting sensitive information, such as login credentials and credit-card details, through a legitimate-looking (but ultimately fraudulent) website, a link to which is often sent to unsuspecting individuals in an email.

CEO fraud – email scams where the attacker spoofs the MD/FD and tricks an employee of the business into transferring funds to the fraudster.

Hacking – unauthorised intrusion into a computer or network to retrieve sensitive data.

Ransomware – software that denies you access to your files or computer until you pay a ransom.

Malware – malicious software introduced to a target’s computer to cause harm, extract information or give control to a person outside the organisation.

Inside attack – someone with admin privileges deliberately misusing his/her credentials, for example when leaving the company on bad terms.
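CEO fraud relies on a message that looks as though it comes from the MD or FD, so the cheapest defensive check is on the headers themselves: does the display name belong to an executive while the address sits on an outside domain, does Reply-To point somewhere other than the apparent sender, and is the sending domain a near-miss of your own? The script below is an added example, not code from the article or from Intelligent IT Solutions; the company domain (example.co.uk), the executive names and the three sample header sets are constructed for illustration, and a real deployment would run this against the mail gateway's quarantine or an inbox export.

```python
"""Flag inbound e-mails that look like CEO fraud (executive impersonation).

Added example, not from the article. The company domain, executive names and
sample message headers below are constructed for illustration.
"""
from __future__ import annotations
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.uk"            # assumed: the SME's own mail domain
EXECUTIVES = {"ben russell", "jane doe"}    # constructed: names a fraudster would spoof (MD/FD)
LOOKALIKE_MAX_DISTANCE = 2                  # how close a domain must be to count as a look-alike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as example-co.uk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(headers: dict) -> list:
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    reasons = []
    display_name, from_addr = parseaddr(headers.get("From", ""))
    name_key = " ".join(display_name.lower().split())
    from_domain = _domain(from_addr)

    # 1. An executive's name in the display name, but the address is not on our domain.
    if name_key in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{display_name}' is an executive but sender domain is "
                       f"'{from_domain or 'missing'}'")

    # 2. Replies would go somewhere other than the apparent sender.
    reply_to = headers.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if _domain(reply_addr) != from_domain:
            reasons.append(f"Reply-To domain '{_domain(reply_addr)}' differs from From domain "
                           f"'{from_domain}'")

    # 3. Sender domain is a near-miss of our own (typo-squat / look-alike).
    if (from_domain and from_domain != COMPANY_DOMAIN
            and edit_distance(from_domain, COMPANY_DOMAIN) <= LOOKALIKE_MAX_DISTANCE):
        reasons.append(f"sender domain '{from_domain}' is a look-alike of '{COMPANY_DOMAIN}'")

    return reasons


# Constructed sample headers (not real messages).
LEGITIMATE = {"From": "Ben Russell <ben.russell@example.co.uk>",
              "Subject": "Board pack for Friday"}
SPOOFED_EXEC = {"From": "Ben Russell <ceo.office@webmail-host.com>",
                "Reply-To": "ben.russell.md@another-mail.net",
                "Subject": "Urgent supplier payment"}
LOOKALIKE_DOMAIN = {"From": "Accounts <accounts@example-co.uk>",
                    "Subject": "Updated bank details"}

if __name__ == "__main__":
    for label, msg in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED_EXEC),
                       ("look-alike", LOOKALIKE_DOMAIN)):
        print(label, check_message(msg) or ["no indicators"])
```

None of the three rules proves fraud on its own; the point is that a message hitting any of them should go to a second person, or to a phone call to the executive, before money moves. Header checks complement, rather than replace, SPF/DKIM/DMARC enforcement on the mail domain.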

So how should SMEs best manage cybersecurity risks, where should those with limited IT knowledge themselves start, and why is it so important?

Firstly, there’s the time factor. IT issues take time to deal with and often take up senior people’s time that could be better spent elsewhere. There’s also the risk of downtime associated with sophisticated cybersecurity breaches: it’s not uncommon for a whole organisation’s IT system to go down for up to a week while experts rebuild what the hackers have compromised. That means no servers, email or data for the whole time, resulting in frustrated employees and a lot of downtime, not to mention wasted money.

I’d encourage all businesses to work through the following steps and assess whether their systems are currently protected as well as they could be:

  1. Identify information assets & controls
  2. Identify legal & regulatory requirements
  3. Define risk tolerance
  4. Establish an information security policy
  5. Revise controls where necessary to mitigate or lower risk to acceptable levels.

Actionable steps you can start taking immediately

  1. Endpoint protection – ensure your business has anti-malware and firewall protection on all endpoint devices within your network (servers, workstations and mobile devices) and that it’s kept up to date.
  2. Implement strong passwords – don’t let employees use obvious choices, such as their birthdays or children’s names, that can be guessed easily.
  3. Use a VPN service when connecting to public Wi-Fi hotspots, so that your data is encrypted in transit and can’t be read if intercepted.
  4. Software updates – ensure your software is up to date; install the critical and security patches released by major vendors (Microsoft, Apple, Adobe etc.) to prevent known vulnerabilities being exploited by attackers to access your systems.
  5. Educate your employees – run some cyber awareness training to ensure staff are aware of the threats and the techniques used by attackers. Encourage them not to do anything on public Wi-Fi that you wouldn’t want others to see (online banking, company email or anything that requires entry of a username or password). If you’re unsure, ask them to use a 3G or 4G connection instead, as the data is encrypted.
  6. Ensure you have a robust backup or disaster recovery plan in place and that it’s tested on a regular basis (failure to do so could leave you paying a hefty ransom to retrieve your data in the future).
  7. Layered approach – take a layered approach to security controls (endpoint protection, firewalls, IDS/IPS solutions, web content filtering, email filtering, data loss prevention) and don’t rely on a single vendor either; mix them up at each layer.
  8. Monitoring, reporting & alerting – implement reporting that lets you review your current security posture. This would typically cover patch compliance (are systems patched to an acceptable level?) and antivirus (is every machine’s anti-virus software up to date?), and monitor your network using intrusion detection or prevention systems (IDS/IPS). Alerts should be configured to notify you of any possible security incident, and a policy should be in place that details the response and actions to take in these events.
  9. Cyber insurance – consider cyber liability insurance. Standard commercial policies don’t tend to cover cyber risks such as identity theft due to security breaches, business interruption, theft of digital assets through hacking, or human error leading to inadvertent disclosure of sensitive information. One of these policies can cover your business for the costs associated with a hack and help you get back up and running more quickly.
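Steps 1, 4 and 8 above only work together if someone can actually see which machines have fallen behind, which is what the "reporting" in step 8 means in practice. The script below is an added example, not code from the article or from Intelligent IT Solutions: it takes a small constructed inventory of endpoints (in a real estate this would be exported from the patch-management and anti-virus consoles), applies assumed policy thresholds for patch age, signature age and host firewall state, and produces the compliance percentages plus one alert per finding, rating servers higher because they hold the shared data. The reporting date is fixed so the output is reproducible.

```python
"""Security posture report: patch compliance, anti-virus freshness, firewall state.

Added example, not from the article. The inventory, thresholds and the fixed
reporting date are constructed; in practice the inventory would be pulled from
the patch-management and anti-virus consoles.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass
class Endpoint:
    name: str
    kind: str              # "server", "workstation" or "mobile"
    last_patched: date     # date the last critical/security patch was applied
    av_signatures: date    # date of the anti-virus signature set on the host
    firewall_on: bool


REPORT_DATE = date(2017, 6, 30)   # fixed so the report is reproducible
MAX_PATCH_AGE_DAYS = {"server": 30, "workstation": 30, "mobile": 45}   # assumed policy
MAX_AV_AGE_DAYS = 3                                                     # assumed policy

# Constructed inventory (not real hosts).
INVENTORY = [
    Endpoint("srv-file-01", "server", date(2017, 6, 20), date(2017, 6, 29), True),
    Endpoint("srv-mail-01", "server", date(2017, 4, 10), date(2017, 6, 30), True),
    Endpoint("ws-accounts-03", "workstation", date(2017, 6, 25), date(2017, 6, 12), True),
    Endpoint("ws-sales-07", "workstation", date(2017, 6, 28), date(2017, 6, 29), False),
    Endpoint("mob-md-phone", "mobile", date(2017, 5, 1), date(2017, 6, 30), True),
]


def assess(ep: Endpoint, today: date = REPORT_DATE) -> list:
    """Return (category, message) findings for one endpoint; an empty list means compliant."""
    findings = []
    patch_age = (today - ep.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS[ep.kind]:
        findings.append(("patch", f"last patched {patch_age} days ago "
                                  f"(limit {MAX_PATCH_AGE_DAYS[ep.kind]})"))
    av_age = (today - ep.av_signatures).days
    if av_age > MAX_AV_AGE_DAYS:
        findings.append(("antivirus", f"signatures {av_age} days old (limit {MAX_AV_AGE_DAYS})"))
    if not ep.firewall_on:
        findings.append(("firewall", "host firewall disabled"))
    return findings


def build_report(inventory: list, today: date = REPORT_DATE) -> dict:
    """Summarise compliance across the estate and raise one alert per finding."""
    findings = {ep.name: assess(ep, today) for ep in inventory}
    total = len(inventory)

    def compliant_pct(category: str) -> float:
        ok = sum(1 for ep in inventory
                 if not any(cat == category for cat, _ in findings[ep.name]))
        return round(100.0 * ok / total, 1) if total else 0.0

    alerts = []
    for ep in inventory:
        for category, message in findings[ep.name]:
            # Servers carry the shared data, so a gap there is treated as high severity.
            severity = "high" if ep.kind == "server" else "medium"
            alerts.append({"host": ep.name, "category": category,
                           "severity": severity, "message": message})

    return {
        "report_date": today.isoformat(),
        "patch_compliance_pct": compliant_pct("patch"),
        "av_compliance_pct": compliant_pct("antivirus"),
        "firewall_compliance_pct": compliant_pct("firewall"),
        "alerts": alerts,
        "findings": findings,
    }


if __name__ == "__main__":
    report = build_report(INVENTORY)
    print(f"Report for {report['report_date']}: patches {report['patch_compliance_pct']}%, "
          f"AV {report['av_compliance_pct']}%, firewall {report['firewall_compliance_pct']}%")
    for alert in report["alerts"]:
        print(f"  [{alert['severity'].upper()}] {alert['host']}: {alert['message']}")
```

The percentages are what a monthly posture review looks at; the alert list is what the incident policy in step 8 should say who acts on and within what time. Running this on a schedule and diffing against last week's output is a cheap way to notice a machine that has silently dropped out of patching.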

Ben Russell is managing director of Cardiff-based Intelligent IT Solutions