SMEs that assume they won’t be targeted by cyber attackers are making a mistake that could prove expensive.
Cyber crime has affected most of us in one guise or another. However, more recently there has been a deluge of organised cyber attacks on larger organisations across the globe, impacting operations, infrastructure and customers. But it’s not just larger companies that are at risk from these attacks.
Contrary to popular belief (and recent news coverage), SMEs are now the most targeted segment when it comes to cyber attacks. While one might think cyber criminals would be more likely to focus their efforts on large organisations with richer pickings, that’s not the case. In fact, research from the Federation of Small Businesses suggests it is smaller companies that are subjected to the vast majority of cyber attacks.
There are several compelling reasons for cyber attackers to target SMEs. They’re less likely to have sophisticated defences in place and usually have very specialist data on a specific niche of their market, which can be an attractive target. SMEs can also offer a backdoor route into the larger companies they work with, leaving them rather exposed.
Most common types of cyber crime against SMEs
Demands money or information in exchange for the decryption of data and removal of malware.
- DoS attack
Attempts to flood a network to disrupt the service and prevent users from accessing it.
Compromises legitimate websites by injecting malicious code, infecting visitors who download the infested software.
Dupes users into supplying sensitive information by posing as a trustworthy source (e.g. financial provider, retailer).
The risks of cyber crime for SMEs
Did you know, if your company has failed to implement basic cyber security, and your website takes a hit, then the Information Commissioner’s Office can hand you a hefty cyber attack fine?
SMEs are being warned to take note, as a company which recently suffered a cyber attack was fined £60,000 by the ICO. Their investigation found that the SME in question failed to take basic steps to prevent its website being attacked.
Sally Poole, Enforcement Manager at the Information Commissioner’s Office, explains: “Regardless of your size, if you are a business that handles personal information, then failure to take responsibility will land you with a cyber attack fine. And with GDPR coming into force next year, a cyber attack fine could become a lot higher.”
Plus, there can be regulatory penalties too. As of next year, fines of up to four per cent of a business’s turnover will be enforced for security breaches that compromise customer data.
Protection against cyber crime
Sometimes, SMEs are reluctant to invest resources in cyber safeguards because they assume they’ll need complicated IT overhauls and specialist expertise. But that isn’t the case. In fact, the Government’s advice is that SMEs can protect themselves against attacks with three very simple steps:
- Make passwords as strong as possible and change them regularly. The key to a strong password – according to the National Cyber Security Centre – is to use three random words. Weak passwords can allow hackers to use a victim’s email to gain access to many of their personal accounts, leaving them vulnerable to identity theft and fraud.
- Make sure all devices in the workplace (including mobiles and tablets) have the latest security software installed on them – including protection such as a firewall, anti-virus scanners and malware removal.
- Always download the latest software updates. To keep one step ahead of cyber attackers, security companies regularly issue updates to their programmes, but if you don’t install these, you may find your company is vulnerable.
This advice may sound obvious, but the FSB’s research shows that just one in four SMEs has a strict password policy in place for staff, and only one in 50 complies with a recognised security standard such as the Government’s Cyber Essentials scheme.
How businesses store, manage and share customer data is a particularly pertinent issue with the implementation of the General Data Protection Regulation (GDPR) on the horizon. With less than a year to go, it’s important SMEs understand the implications this will have, and the increased responsibility they have when it comes to customer data.
The ICO has a range of guidance available to help businesses ahead of the implementation of GDPR on 25 May 2018. This includes website pages dedicated to the data protection reform legislation and an updated toolkit for SMEs that includes a checklist to help organisations with their GDPR preparations.