How worried should your business be about cybercriminals?
Business in the UK is booming right now. Last year alone, 608,100 new firms were launched, an increase of 4.6% compared to the 581,173 that were formed in 2014. These statistics, compiled by Companies House, show that attitudes towards business and entrepreneurialism are changing. Better access to funding and support is encouraging people to take the step into the unknown by turning their ambitious ideas into trading businesses.
But while it may be a lucrative time to become an entrepreneur, that’s not to say there aren’t a host of concerns and challenges as well.
Cybercrime, in particular, is a growing problem faced by businesses. And hackers are causing mayhem. According to government research, 74% of small businesses reported a security compromise last year – a staggering 60% growth from 2013 and 2014. The survey claims that this could be costing businesses from £75,000 to £311,000 (around $95,000 to $400,000, or AU$125,000 to AU$520,000). In comparison, businesses could expect to lose between £65,000 and £155,000 (around $85,000 to $200,000, or AU$110,000 to AU$260,000) the year before.
Clearly, then, if you’re a business owner or are thinking of setting up your own firm – now or in the future – it’s crucial to understand the cyber-security threats posed to SMEs and how to combat them. It’s far from an easy matter to do so, but TechRadar Pro recently caught up with the experts to offer much-needed insight into this topic.
SMEs could be neglecting security
As the latest research suggests, hackers are increasingly targeting businesses, particularly smaller and medium-sized enterprises. They see opportunity in the fact that cyber-security isn’t always a top priority for smaller firms. Money is usually tight and goes towards areas such as product development and customer acquisition.
Kevin Timms, co-founder of IT services company Streamwire Group, explains that hackers have been more commonly associated with corporations and governments in the past. But they now see a lucrative opportunity in targeting vulnerable SMEs, where cyber-security has been focused mainly on preventing viruses.
“Cyber-security is a bigger issue for SMEs today than ever before, as attackers who previously targeted large corporations and government bodies now turn their attention to startups and SMEs,” he says. “Small businesses are at greater risk, for the simple fact that they aren’t accustomed to being on the receiving end of such attacks, and may not have the necessary protection or contingency plans in place.”
Timms says attackers are focusing on compromising systems to get hold of valuable data – such as customer details and transactions – for financial gain. Firms ought to act now, he urges. “As the primary purpose of these attacks has now shifted towards stealing information for financial gain, the attacks have become more cunning and thus trickier to protect against. All SMEs – and particularly those who hold customer information – need to be aware of this increased risk and act accordingly,” he said.
“SMEs should consider having an IT security audit carried out, to help them to first understand how well protected their company is, before developing robust prevention protocols and contingency plans with their chosen partner.”
Growing skills gap causing mayhem
Dealing with new cyber-security threats needs a particular skillset. However, for small businesses, hiring dedicated staff to deal with these problems is simply something they can’t afford. But Martin Borrett, CTO of IBM Security Europe, believes there’s still hope. And it comes mainly from the cloud.
“We continue to see a growing skills challenge and gap in the security industry. This challenges organisations of all sizes, but especially SMEs, to hire the skilled staff they need to respond to the ever growing cyber-security threat. The benefit of having dedicated security professionals on staff is simply not one many smaller organisations can afford,” Borrett observes.
“However, there is hope ahead on two fronts. First, growing cloud adoption – for many smaller organisations the level of security available and provided by larger cloud providers is already greater than they can achieve in house for their IT Services.”
Borrett also sees potential in companies going down the outsourced software route, and at the same time, they can develop their skills in the area to ensure they’re never threatened by cybercriminals. He says: “SMEs should consider MSS (Managed Security Services). By outsourcing security to trusted providers with their deep expertise and efficient processes, smaller companies can effectively gain the necessary security skills for their organisation without the higher cost of having someone on staff.”
Research best practice
Nick Wilding, head of cyber resilience best practice for Axelos, says cybercriminals aren’t just looking to get hold of rich data. They also target smaller firms based on the relationships they have with large organisations and corporations.
“SMEs continue to be an ideal target for cyber-attackers – either directly to access their highly valued information and services or as a stepping stone to bigger organisations who they partner and work with,” says Wilding.
“Although we all regularly read about high profile attacks on well-known brands, SMEs are far from immune to attack and the impacts of a successful attack can be far-reaching. Hard won reputations, competitive advantage and operational capabilities are all at risk.”
How to stay safe? Wilding recommends that businesses do their research around cyber-security practices, developing tactics and skills to fight potential threats. He continues: “SMEs should actively seek out freely-available best practice guidance and methodologies, such as the Cabinet Office’s 10 Steps to Cyber-Security and the UK Government-backed Cyber Essentials scheme. Adopting the principles outlined in this guidance, that are appropriate to your firm, will help SMEs go a long way to reducing the risk of cyber-attack.”
Team awareness needed
Another problem is the fact that staff aren’t always aware of the threats. Government statistics claim that only 22% of small and 38% of medium-sized firms provide cyber-training to their employees. Wilding says everyone needs to be aware: “We know that any company’s greatest information and systems vulnerability comes from its own employees – the unwitting actions of anyone in the company, regardless of their role or responsibility.
“In fact, the majority of all successful incidents start with someone opening a link or an attachment. So, effective awareness across all your people is an incredibly cost-effective control to manage this risk, particularly in small to medium-sized firms where there are not necessarily the resources to deploy and maintain additional technical tools.”
There isn’t a one-size-fits-all solution
Steve Talbot, from Welsh prop-tech startup Properr, says there isn’t a solution that’ll cover all areas of cyber-security. Because of this, firms should understand the risks that could damage them the most. Working this out will help business owners find the best solutions.
“For me, the key is to understand which types of cybersecurity attack would have the greatest impact on your business. There’s no such thing as a one-size-fits-all security solution, so it’s best to focus on mitigating the most significant threats first,” Talbot says.
“What would hurt you most? Leaking information about your customers, losing control of your company bank account, or your website going offline for a few days? Once you’ve decided what to protect, you can work out how to protect it.
“At Properr, my top tip to the team is to choose one strong password you can memorise, and use it to secure a password safe. Then you can create a different, strong, random password for every service and save it in your safe. And contrary to belief, keeping a strong password for three years is better than changing a weak one every so often.”
Learning from foiled hacks
Rix Petroleum, a family-owned company that supplies oil and other fuels throughout the UK, is one of many businesses that have been targeted by cybercriminals. In January, it nearly lost £750,000 (around $965,000, AU$1.25 million) after fraudsters claimed they were directors at the firm. However, luckily, it had strong security measures in place to stop them.
Rory Clarke, director of JR Rix and Sons, says: “The fraudsters pretended to be directors at our firm, contacted our phone provider, claimed that there was a fault on the line, and asked for our calls to be diverted to a mobile number. Thankfully, we had security measures in place that prevented the request from going through.
“However, unaware that their plan had failed, the culprits then sent three payment transfer instructions to our bank, each with forged signatures of our finance and managing directors. These requests were flagged as suspicious by our bank, and we received a phone call to ask for confirmation. Had their request to divert those phone calls gone through, the bank would’ve granted authorisation and we’d have lost approximately £750,000.
“This opened our eyes to how prevalent the dangers of cyber-attacks are. Therefore, along with a number of other companies, we’ve joined forces with Humberside Police to form the Humber Business Resilience Forum (HBRF), which aims to put cyber-security at the top of the agenda. The forum’s aim is to offer businesses expert knowledge about cyber-security, updates about the latest scams, and information about preventative measures they can take.”
It’s clear that cybercriminals pose a growing threat to businesses, particularly those that have just been set up, and they have a variety of intentions. Whether it be getting access to sensitive company information or exploiting business partnerships, firms need to understand the risks of cybercrime, research ways of keeping safe and implement them as soon as they can.