Don’t bet your SME business on a hunch that the cybergangs will leave you alone. The overwhelming odds are that they have already attacked you at least once and that they will attack again in 2019, writes David Kay
The 2018 CyberSecurity headlines were bold and gloomy. Some big names got the sort of publicity that any company CEO would dread.
Pride of place has to go to Marriott International who announced in November 2018 that the data of 500 million customers was stolen. Yours truly may well be among them!
Even though the hack started in 2014 and the infected systems originally belonged to Starwood and were acquired by Marriott in 2016, the Marriott brand nevertheless was impacted and the board received strong criticism. Mitigating factors count for very little when clients’ personal data is compromised, especially when the credit card numbers and expiration dates of 100m of those customers fall into the wrong hands.
Major airlines, banks, retailers and social media companies all made the front page in 2018, for the wrong reasons. But the plain fact is that your company doesn’t need to be a household name to suffer a hack. And arguably the impacts of a cybersecurity breach can be far more damaging to a small company’s prospects.
The primary lesson learned from 2018 is that you don’t need to be an international company to suffer a cyberattack and the smaller you are, the harder you can fall.
Line of attack
Nearly half (46 percent) of UK businesses experienced at least one cybersecurity breach or attack in 2017. These were the findings of a government survey conducted last year and published in November 2018 as part of the National Cyber Security Programme.
The report also found 66 percent of cyber attacks occurred in SMEs, 45 percent occurred in micro businesses and 41 percent in large companies.
These statistics make it clear that SMEs need to pay far greater attention to their cybersecurity provision and practices. They have the critical mass to make a ransomware attack worthwhile for attackers but lack both the skills to prevent themselves from getting into trouble and those that can help them get out of it.
Indeed, when Ciaran Martin, head of the UK’s National Cyber Security Centre, spoke in September 2018 of the need for more cybersecurity knowledge in UK boardrooms he may well have had SME boards primarily in mind.
Speaking at the CBI Cyber Conference in London, Ciaran Martin claimed that senior business leaders are labouring under three dangerous misapprehensions: that cybersecurity is too complex, so they won’t understand it; too sophisticated, so they can’t do anything to stop it; and targeted, so they’re not at risk.
“Yet board members can’t manage risk they don’t understand, so they must become more cyber-literate,” he said.
Martin went on to say, “It’s not enough just to answer ‘we have hired X and bought Y to address the problem’… You need to understand what is actually happening – not what activity has been bought.”
The corollary is that the director of every British company needs to be personally engaged in the cybersecurity strategy of his or her business.
The impacts of a breach for SMEs are potentially terminal, or at the very least severely harmful to the business. As already mentioned, there is a huge shortage of cybersecurity skills in the market, and people with the right experience will gravitate towards high-profile jobs in high-profile organisations.
Furthermore, passing malware on to other organisations via a company’s supply chain has grave repercussions for all parties and is a growing trend in the security field. ‘Island hopping’, where attackers move from one set of compromised systems into those of a connected partner or supplier, is now prevalent.
A survey published by Opinium last September found that UK business leaders believe their suppliers are obligated to ensure they do not expose them to unnecessary cybersecurity risks.
One in five (17 percent) would take legal action to recover financial losses incurred from a breach as a result of a supplier’s negligence, and a similar number would use the incident to negotiate a further discount. Just three percent of businesses said they would take no action.
As well as the immediate cost to the business through legal action or a further discount, there would be a consequential impact on future business.
The survey showed that victims of cybercrime could find it more difficult to attract new customers, with 35 percent of the business leaders questioned saying they would not work with a supplier they thought would make them more vulnerable to cybercrime, while just over a quarter (27 percent) said they would avoid using a company that had been publicly associated with a major cybersecurity breach.
The research showed that small businesses are most at risk of damaging their reputation and business relationships by neglecting their cybersecurity obligations. Yet of the firms surveyed that employ between 10 and 49 people, just over half (51 percent) had a documented cybersecurity policy and one-third (38 percent) had insurance in place for breaches and data theft at the beginning of 2018.
[Infographic: Awareness of Government cybersecurity initiatives and accreditation schemes]
Signed, sealed and secure
The Cyber Essentials programme is administered by the NCSC. It appoints Accreditation Bodies, which in turn are responsible for appointing one or more certifying bodies (CBs) to carry out evaluations and to certify organisations that comply with the requirements of the scheme.
The Government’s ten-step guidance for cybersecurity was published on the NCSC website in August 2016. All businesses should be aware of these steps and should have implemented their recommendations.
The human element in causing breaches is huge, with 90 percent of successful hacks starting with user error. Email phishing is the primary tool used by hackers, with hundreds of phishing kits available to cybercriminals on the dark web.
Better organised security training, actively encouraging employees to adopt security best practice, and running competitions to spot the “phishing email of the day” are all ways to highlight the vulnerability of the enterprise to phishing attacks. Applying the latest software patches as soon as they become available is a must.
Given the shortage of available security skills in the market, SMEs may well choose to engage a cybersecurity managed service provider to oversee the security operations of the company. This does not remove the responsibility of the company board to ensure the business stays secure, but a regular dialogue with a managed service provider can help them through the cyber jungle.
SMEs need to fully appreciate the threats they are under, but again the evidence shows that many are adopting a blasé attitude.
[Infographic: Organisations that have sought information, advice or guidance]
How can you protect yourself? Seek advice from partners, IT service providers, security software vendors and security training advisors. Give serious consideration to the merits of cyber insurance, but shop around and read the small print.
The world of cybersecurity is getting ever murkier, gangs are becoming more sophisticated, attacks more numerous and attack vectors more innovative. Don’t bet your SME business on a hunch that the gangs will leave you alone. The overwhelming odds are that they have already attacked you at least once and that they will attack again in 2019.