The opening of the London Digital Security Centre is a commendable and necessary step in dealing with cyber-crime. By providing one shared resource offering business education, security skills and business resilience skills, it will enable organisations to better protect themselves from threats in both the online and the physical environment. Interestingly, the Centre has been built with the SME market in mind. With fewer resources than their larger counterparts, SMEs may deprioritise security. This is a mistake: they can be seen as a soft target by cyber-criminals, and they have as much as, or more, to lose than a big company.
According to a PriceWaterhouseCoopers survey sponsored by the Department for Business, Innovation and Skills, becoming a victim of a hack or breach costs smaller firms between £65,000 and £115,000. Worryingly, the findings suggest that some small businesses could suffer up to six breaches a year. A six-figure or even seven-figure loss may be an annoyance to a major corporation, but it could be devastating to an SME. To misquote Oscar Wilde, a single breach could be misfortune, but six or seven in a year smacks of carelessness.
The impact of a breach may not be limited to direct financial losses. There is also the cost of time taken to recover from the breach, loss of reputation and customers to consider if the details are made public. One of the challenges in estimating the full extent of damage created by cyber-criminals is reporting the crime in the first instance. Many victim businesses may not wish to make details of their losses public for fear of reputational damage. However, the conspiracy of silence around these crimes only enables cyber-criminals. A business should always disclose details of a breach of customer data to the customers affected, but I believe they also have a responsibility to notify law enforcement even if there is no customer impact so that accurate crime statistics can be maintained and appropriate resources dedicated to cyber-crime.
Two of the most common attacks against SMEs are ransomware and spear-phishing for fraudulent financial transfers. Both often start with a malicious email message, so it is vital to have good spam filtering in place and to treat all unsolicited emails with caution. Employees should be trained not to click on links or open attachments in such messages.
Ransomware can also spread via malicious or compromised websites ("watering hole attacks") or malicious web advertisements ("malvertising"). Businesses should make sure that the latest patches and updates are applied to operating systems and software as soon as they are released. This is not a guaranteed protection against all cyber-attacks, but it will be effective against the ones used by most of the cyber-criminals likely to target SMEs, who typically exploit known and already-patched vulnerabilities.
A recent spam attack specifically targeted at small businesses used fake resumes to try to trick owners into installing ransomware on their computers. Though largely aimed at the US, Cloudmark detected this attack directed at users in fourteen countries, including the UK. The attack involved opening an attachment and then clicking on a link, supposedly to display the resume. Clicking on the link would in fact install the Cryptowall ransomware.
When a computer is infected with ransomware, the files on the hard drive are encrypted, and payment of a ransom (usually in the pseudonymous crypto-currency Bitcoin) is demanded to decrypt them. Since SMEs are more likely than larger businesses to hold mission-critical data on a single computer, they are more vulnerable to ransomware attacks. Regular off-site backups of critical data will prevent losses from this type of attack, as well as from hard disk crashes or physical damage to the computer; backups kept permanently attached to the infected machine may be encrypted along with everything else, so they should be stored off-site or offline. Businesses can buy ten years' worth of cloud backup service for less than the cost of one ransomware attack.
Spear-phishing is another growing problem for businesses of all sizes. A common attack on SMEs takes the form of a message apparently from the CEO to an employee in the finance department. The message requests a transfer of funds to an external bank account and may be accompanied by a realistic-looking invoice. To limit this type of risk, all businesses should make sure that some form of dual-factor authorisation is required for large funds transfers, for example a procedure requiring a call to the CEO's phone number to confirm the details. The phone number used should be taken from the corporate directory, not from the email requesting the transfer, since the attacker controls the contents of that email.
Unfortunately, the villains behind cyber-crime are often in other countries, hiding behind layers of anonymous proxies or web services, and there is very little that the victims or law enforcement can do once the contents of a bank account have been transferred or a ransom has been paid in Bitcoin. Traditional methods of tracking criminals down simply do not work in this case. The only effective way to deal with cyber-crime is to stop it happening in the first place.
Ransomware and financial spear-phishing are generating millions of pounds a year in losses for SMEs, yet these losses could be prevented by the simple procedures of backing up data and independently confirming large financial transactions. Let's hope that London's investment in the Digital Security Centre helps spread the word about these and other security measures to London's thriving business community.
Contributed by Andrew Conway, security researcher, Cloudmark