Steve Nice, chief security technologist and CPSA, Node4

Earlier this year, a new report from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) revealed that 2016 had “been punctuated by cyber-attacks on a scale and boldness not seen before.” Despite the headlines being dominated by cyber-attacks on high-profile companies, such as TalkTalk and Tesco Bank, the reality is that SMEs are targeted more often than large enterprises are.

UK SMEs were targeted 230,000 times each by cyber-criminals in 2016, totalling around 7 million cyber-attacks against SMEs. This costs the UK economy an extortionate £5.3 billion annually.

At one time there was some degree of security consensus that being a small player meant that you didn't matter to cyber-criminals. This notion was quickly debunked by the overwhelming wave of attacks against organisations of all sizes last year. 

Hacking is a very real threat to SMEs. The big questions are why hackers are targeting SMEs, and what SMEs can do to protect themselves from this growing spectre of cyber-crime.

1. SMEs are perceived as easy prey – toughen up with UTM

Smaller enterprises have traditionally been more complacent about security than their larger peers. Historically, these companies have fallen into the trap of believing that because they are not turning over billions of pounds every year, they won't attract criminals' attention. Unfortunately, hackers are aware of this false sense of security, and increasingly exploit smaller businesses' lack of preparedness and security expertise to their own ends. A recent report by Barclaycard revealed that only 20 percent of small organisations believe cyber-security to be a top business priority, making them the perfect prey for hackers. 

Don't be complacent. Smaller businesses are more at risk of successful cyber-attacks than larger ones. SMEs need to ensure that they remain one step ahead of cyber-criminals, and should seek expert advice from cyber-security professionals who can help design and deploy security strategies and policies. 

Unified Threat Management (UTM) solutions are a cost-effective choice for smaller organisations looking to protect themselves against cyber-attacks. UTM offers protection against the growing number of threat vectors, and it consolidates threat management under a single pane of glass.

2. Don't be the back door to your partner's network – SIEM can help 

Large enterprises often have stronger security in place, including several layers of defence that make it extremely difficult for hackers to breach their networks. However, partners connected to their IT systems may not have the same level of protection, and can become the weak link in the chain, giving hackers access to the big player through a “back door”. SMEs may not hold the data the criminals are after, but often they are connected to the big players who do. Targeting and breaching the smaller organisation allows cyber-criminals to steal the valuable data of the large enterprise it partners with. Should they be successful, not only will the SME's reputation be severely damaged, but it also risks losing a valuable partner.

Using a Security Information and Event Management (SIEM) strategy gives SMEs a bird's-eye view of their entire IT network. It also allows businesses to mitigate threats as they develop, and provides information that can help strengthen future strategies. More importantly, SIEM solutions prevent SMEs from being the “weak link” in the larger network.

3. Ransom requests can cripple SMEs – strengthen your defences and train your staff

The US National Cyber Security Alliance found that 60 percent of SMEs go out of business within six months of a cyber-attack. SMEs are vulnerable, as they don't hold large cash reserves to deal with such crisis situations. A ransom request can easily put a small organisation out of business, as it can't afford significant amounts of downtime without income. According to a conservative estimate from Gartner, downtime can cost firms around £29,829 per hour. It is not surprising that SMEs would sooner pay £1,000 for a hacker to release their systems than incur losses potentially running into the hundreds of thousands.

Unfortunately, SMEs are the ones at fault in these situations. The lack of training for staff can cause widespread unawareness of security concerns, leaving the entire company vulnerable to fraud, including email phishing. Recent Node4 research revealed that the biggest internal threat to a business is the human element. Errors made by employees are often the “way in” for criminals. It is crucial that firms invest time and resources in educating their staff about the evolving threat landscape and the potential threats of, for example, opening unsolicited email attachments.

4. Beware of CEO fraud – adopt two-factor authorisation 

Fraudsters are constantly developing new ways of getting hold of sensitive information. As security measures on payment methods become more sophisticated, they have migrated towards alternative fraud schemes. Recently, there's been a rise in CEO fraud, and according to Symantec, almost 40 percent of targets of CEO fraud work for SME companies. 

The way CEO fraud works is simple. A hacker designs a very authentic-looking email, pretending to be from the CEO of the company, and sends it to a more junior employee requesting sensitive company information or a money transfer. Typically, fraudsters will have researched the company thoroughly, and will use a domain name that appears almost identical to the target's.

By introducing two-factor authorisation procedures, SMEs can detect CEO fraud quickly and easily, and can protect their organisation from such attacks. For example, if two senior people always have to authorise a transfer, be it of money or of data, there's a lower chance that the “pretend” CEO will get away with the scam.

Educating staff is also key. If everyone knows to double check via a method other than email before completing a specific type of request, it is far more likely that any potential fraud will be identified and avoided. A simple phone call or direct message will verify if the CEO did indeed make the request. 

5. “BYOD” creates added vulnerabilities – use Mobile Device Management 

“Bring Your Own Device” (BYOD) policies are becoming hugely popular. Arguably they can be a good way of bringing costs down and encouraging more agile and flexible working. While these policies save money when it comes to equipment investment, they can also put additional strain on security. Monitoring the use and sharing of sensitive data on employees' personal devices can be extremely challenging. If valuable data ends up on a personal device, that device can potentially provide a back door into the company that is easier and cheaper for hackers to exploit than core systems.

To avoid such breaches, SMEs should have Mobile Device Management (MDM) policies to accompany their BYOD ones. Once a device is connected to MDM software, the organisation can enforce security and compliance policies, grant or deny the device's access to sensitive data and wipe clean a device that has been lost or stolen.  

An increasing number of SMEs are becoming victims of cyber-crime as they are being viewed as “easy targets” by cyber-criminals. As there is a lack of adequate and sophisticated security defences in place, a certain number of those reading this article will find themselves and their business the victims of expensive (or potentially ruinous) cyber-attacks.

Contributed by Steve Nice, chief security technologist and CPSA, Node4

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.