12 July 2017
The Federation of Small Businesses estimates the annual number of cyber-attacks against smaller businesses to be around seven million and the cost to the UK economy to be a staggering £5.26 billion. SMEs are targeted in several ways, with spear phishing and ransomware attacks proving to be among the most popular and extremely successful methods used to extract money.
What is spear phishing?
The spear phisher thrives on familiarity. Having undertaken many weeks or even months of research, they know a great deal about you. They know your name, your family, your hobbies and interests, your email address. The salutation on the email message is likely to be personalised: "Hi Bob" instead of "Dear Sir." The email may refer to a "mutual friend" or to a recent online purchase you've made. Because the email seems to come from someone you know, you may be less vigilant and give them the information they ask for. And when it's a company you know, or even someone purporting to be your own CEO, asking for urgent action like paying an attached fictitious invoice, you may be tempted to act before thinking. We know of at least one Haines Watts client who has fallen foul of this type of attack and lost around £100,000.
What is Ransomware?
Ransomware is a type of malware that encrypts all files on a computer and demands money, usually untraceable bitcoins, for them to be unlocked. Not only does this cause a monetary loss through payment of the ransom, it also causes severe business disruption and, in 36 per cent of attacks, ransomware victims report loss of business income due to the attack. This type of cyber threat is expected to increase significantly in 2017.
The examples above specifically target the SME. The other threat, which is even more dangerous, targets the SME to get to a bigger prize further up the supply chain. The impact of a successful attack on an SME’s reputation and sales cannot be underestimated. If an SME’s weak security leads to a breach at a major customer, this can be catastrophic for the SME.
What can I do?
In recent years, the average SME has gone from using predominantly simple stand-alone IT systems to embracing more interconnected systems. From bring your own device (BYOD) and off-site working to the cloud, small businesses have never been more connected to their clients and therefore more open to threats. Whilst these technologies can provide huge business benefits, their procurement and use need to be carefully managed. Make sure that you are buying from an appropriate supplier, that the technology is right for your business needs, and that you have the right controls to effectively protect your business.
Why are so many SMEs still dismissing the possibility and impact of a cyber-attack?
SMEs usually have a markedly different view of business risks, which means their priorities differ from those of larger corporates: for example, ensuring that critical orders are delivered on time while maintaining margins in a very tough, competitive trading environment. These pressures all mean that cyber risk is often not seen as a critical business risk by SMEs. The problem is that SMEs don’t take cybercrime that seriously until it’s too late. Particularly in the UK, cyber criminals are taking advantage of the central role SMEs play in the wider economy and exploiting their online weaknesses to gain access to bigger targets.
Many larger companies have moved from paper-based systems for communication, orders and payments to electronic communications for speed, ease and to reduce their carbon footprint. For an SME to ‘do business’ with them, it will have to be connected electronically to the IT systems of larger business partners, the companies that the cyber criminals really want to get at.
Data held by SMEs is becoming increasingly valuable to cyber criminals. According to recent research released by Barclaycard, 48 per cent of SMEs fell victim to at least one cyber-attack last year and 10 per cent were targeted multiple times. Make sure you’re not one of the many SME victims of a cyber-attack by taking action now.
How do you find out the level of risk to your business? Take our quick check to see how much your organisation is at risk.
Haines Watts is here to help and give you advice. To see if your organisation has a cyber risk, please contact our cyber security expert, Steve Connors: swconnors@hwca.com