When hacking makes the mainstream news it's invariably about some corporate giant that's had millions of users' data copied from its systems. As the recent Yahoo incident demonstrates, the sheer number of people affected often makes for a compelling headline.
These breaches are of course extremely serious and fully deserving of coverage. People have a right to know.
However, one side effect of this focus can be the assumption that cyber-crime is something that happens most often to enterprise scale businesses. This is not the case.
SMBs targeted more than ever
The Government's most recent Information Security Breaches Survey found that 74 percent of UK small businesses suffered a security breach in 2015. This continues the rise from the 2013 and 2014 figures and shows that SMBs are being increasingly and specifically targeted.
This chimes with our own findings in the 2016 Symantec Internet Security Threat Report (ISTR). The last five years have shown a steady increase in attacks targeting businesses with fewer than 250 employees.
To be clear – this is a deliberate switch in strategy on the part of cyber-criminals. In 2011, the ISTR found 50 percent of spear-phishing attacks were aimed at enterprises with 2,500 staff and up – 32 percent targeted medium-sized businesses, and 18 percent targeted firms with 250 staff or less.
In 2016, this has been turned on its head. Forty-three percent of spear-phishing attempts targeted small businesses, 22 percent medium-sized and 35 percent large.
Why the change? Well, this is open to interpretation given hackers don't respond particularly well to focus groups. My view is simply that the wider drive to digital enterprise transformation has been a tide that's lifted all the big boats. Thus smaller companies are a softer target – and there are plenty of them to go after.
The nature of the threat
First of all, the costs of a breach are just as severe for small businesses. The Government's Information Security Breaches Survey found they can be as high as £310,800 for SMBs - up from £115,000 in 2014. It's also worth noting that small businesses are equally eligible to be fined up to €20m or four percent of their annual turnover for GDPR non-compliance.
The type of threat SMBs can face is equally daunting. From mobile device and IoT vulnerabilities to web attacks, social media and email scams, they face the same range and complexity of threats as enterprises.
That said, two particular types of attack are worth calling out – business email compromise (BEC) and ransomware – because both are on the rise.
Ransomware has become one of the biggest dangers facing businesses and consumers today. 2015 was a record year, with 100 new ransomware families discovered. The vast majority are crypto-ransomware, the most dangerous kind because it locks away the victim's files with strong encryption.
BEC scams are low-tech financial fraud in which spoofed emails purporting to come from CEOs are sent to finance staff to request large money transfers. While they require little expertise or skill, the financial rewards for the fraudsters can be high. Again, small and medium-sized businesses are the most targeted.
What you can do about it
When looking for a solution, we have to realistically account for the time and resources available.
From a technical point of view – and this was very much the thinking behind the design of Symantec Endpoint Protection Cloud – small businesses need something that can be set up easily, quickly (as in less than five minutes) and be managed simply on an ongoing basis.
Whatever platform you choose, small businesses really need a single solution that can manage all their devices – from PCs and laptops to mobile phones and tablets, as well as servers and multiple operating systems, from Windows and Mac / iOS to Android.
Self-service functionality is also vital – so staff can easily and securely add new devices to the network, plus a single product licence should allow for multiple users.
Lastly, choose a platform with a single dashboard that's simple and easy to read. If it offers real-time updates on threat activity and compliance then even better – the threat landscape changes fast and staff don't always have time to stay on top of the news.
The key point here is that the user experience is a security feature. Humans are usually the weakest link in a business's cyber-defences. If something's unnecessarily difficult or time consuming, then it won't get done. That's when chinks in the armour start to appear…
As such, good security is a cultural issue as much as a technical one. Educating staff and encouraging them to say something whenever they see something that looks a little odd is the most effective way to protect your company against scams.
This means questioning any emails or phone calls requesting actions that seem unusual or don't follow normal procedures – and those procedures should include two-factor authentication, especially for financial transfers. It also means deleting rather than opening suspicious emails, not opening attachments or hyperlinks unless staff are 100 percent confident where they've come from, regularly backing up files and keeping software up to date.
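As an added example, not code from the article or from Symantec, the following triage check picks out the tell-tale signs of the CEO-fraud emails described above: an executive's display name on an address outside the company's own domain, a Reply-To that quietly redirects replies elsewhere, and a body pressing for an urgent payment. The company domain, executive names and the sample message are all constructed for the example.

```python
# Added example (not from the original article): a defender-side triage check for the
# BEC pattern described above: a message that claims to come from an executive but
# whose sender or Reply-To address sits outside the company's own domain.
# Company domain, executive names and the sample message are all constructed here.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-smb.co.uk"          # constructed
EXECUTIVES = {"jane doe", "john smith"}       # constructed display names to protect
URGENCY_WORDS = ("wire", "transfer", "urgent", "payment", "invoice")


def bec_indicators(raw_message: str) -> list[str]:
    """Return the list of BEC warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name impersonates an executive but the address is external.
    if from_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(f"executive display name '{from_name}' from external domain {from_domain}")

    # 2. Replies are silently redirected to a different domain.
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. The body pushes for a money movement, the goal of every BEC scam.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace").lower()
    hits = [w for w in URGENCY_WORDS if w in body]
    if len(hits) >= 2:
        findings.append("body requests a payment with urgency: " + ", ".join(hits))
    return findings


# Constructed sample: a typical CEO-fraud message aimed at the finance team.
SAMPLE = """From: Jane Doe <jane.doe@gmail-mail.example>
Reply-To: ceo.office@payments-urgent.example
To: accounts@example-smb.co.uk
Subject: Urgent transfer

Please process an urgent wire transfer of 24,000 today. I am in meetings, do not call.
"""

if __name__ == "__main__":
    for finding in bec_indicators(SAMPLE):
        print("WARNING:", finding)
```

A check like this belongs at the mail gateway or in a finance team's inbox rules; it flags the message for the human verification step the paragraph above recommends rather than replacing it.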
If the worst happens and something does get through, then hopefully your security vendor will have a dedicated incident response team to help you recover. As always though, for businesses large and small, prevention is far better than cure.
Contributed by Sian John, EMEA chief strategist, Symantec