A Big Problem for Small Business: Why Companies of All Sizes must be Cybercrime Savvy

Written by

On the surface it’s easy to understand why so many people assume cybercrime is something that only happens to big businesses. After all, when hacking makes the six o’ clock news it’s usually because one of the world’s corporate behemoths has had customer data copied from its systems.

As a number of recent incidents have demonstrated, the sheer number of people affected is perfect for powerful headlines. To be clear, these enterprise-sized breaches are indeed extremely serious and fully deserving of coverage – customers have a right to know.

Small Businesses Under Attack

Nonetheless, the most worrying change small business owners should be aware of is the deliberate switch in strategy on the part of cyber-criminals. The Government’s most recent Information Security Breaches Survey found that 74% of UK small businesses suffered a security breach in 2015. This continued rise from the 2013 and 2014 figures shows SMBs are being increasingly and specifically targeted. What’s more, these findings are entirely in keeping with the results of the 2016 Symantec Internet Security Threat Report (ISTR).

In 2011, the ISTR found 50% of spearphishing attacks were aimed at enterprises with 2500+ staff; 32% targeted medium sized businesses and 18% targeted firms with 250 staff or less. In 2016, this was turned on its head. Last year 43% of spearphising attempts targeted small businesses, whilst 22% were targeted medium and 35% at large. As you can see, the last five years have shown a clear increase in attacks targeting businesses with less than 250 employees.

The natural question to ask next is why this is happening. Unfortunately, it is also a hard one to answer, simply because official data on hacker rationale is not easy to come by. The drive for digital enterprise transformation has made larger organizations a harder nut to crack, smaller companies are a softer target and of course there are more of them to attack.

Understanding the Danger

With today’s mobile workforce at firms of all sizes, the types of threat SMBs now face can come from anywhere and everywhere – from mobile device and IoT vulnerabilities to web attacks, social media and email scams.

However, two types of attacks are on the rise and so are worth focusing on specifically: Business email compromise (BEC) and ransomware. Ransomware is now one of the biggest dangers facing businesses and consumers. Last year was a record breaker too, with 100 new ransomware families discovered. The most common form is crypto-ransomware, which is also the most dangerous because it’s capable of locking away the victim’s files with strong encryption. BEC scams are more straightforward financial fraud in which fake emails from CEOs are sent to accounts and finance team members asking for large money transfers. They require relatively little expertise and skill, yet the financial rewards for the fraudsters can be high – and SMBs are targeted most often.

Sadly, the financial impacts of a breach are just as severe – relatively speaking – for small businesses as for large enterprises. The Government’s Information Security Breaches Survey found they can be as high as £310,800 for SMBs – up from £115,000 in 2014. When GDPR comes into force, there’s the additional threat of small businesses being fined up to €20m or 4% of their annual turnover for non-compliance too.

How to Protect Your Business

There are a few key features I would recommend in any modern cybersecurity solution. Self-service functionality is extremely useful. This means staff can easily and securely add new devices to the network, and a single license should also allow for multiple users. A platform that offers a single, simple and easy to read dashboard is also valuable. Ideally it should also provide real-time updates on threat activity and compliance. Staff don’t always have time to stay on top of the news, especially in a rapidly evolving sector like security.

Essentially, it’s important to realize that the user experience is itself a security feature. Humans are generally the weakest link in a business’s cyber defenses. If something’s unnecessarily tricky to do, or takes too long – then it usually won’t get done, and this is when vulnerabilities start to appear. In this way, security can be understood as a cultural issue as much as a technical one. Training your people and encouraging them to speak up whenever they see something that looks a little off is one of the best ways to protect your company.

Good habits include questioning any phone calls or emails requesting unusual actions that don’t follow normal operating procedure, which, by the way should always include two factor authentication – especially for money transfers. As are deleting rather than opening suspicious emails, not opening attachments or hyperlinks unless staff are 100% confident where they’ve come from and regularly updating your software and backing up files.

Ultimately, the solution you choose must be picked according to the time and resources available to manage it – in a small business, both are scarce. From a technical point of view, as per the design of Symantec Endpoint Protection Cloud – small companies need something that can be set up easily, quickly (less than five minutes) and is also easy to manage on an ongoing basis. As such, a single solution that can manage all company and staff devices – from PCs and laptops to mobile phones and tablets – as well as servers and multiple OS from Windows and Mac/iOS to Android, is very helpful indeed.

Prevention will always be better than cure, however if disaster should strike, you should have access to a dedicated incident response team to help you recover. Today, it’s a question of when, not if, your organization will be targeted. However, if you follow these principles, your business will be well placed to defend against and recover from whatever the world may throw at you.

What’s hot on Infosecurity Magazine?