Hacked off?

This sector is dominated by SMEs and might seem an unlikely target for cyber criminals. Yet the British government estimates that 33% of SMEs suffered a cyber attack from someone outside their business last year. The worst security breaches typically cost the victim between £65,000 and £115,000 and could put a business out of action for ten days.

What whose figures don’t quantify is the long-term damage done to a company’s reputation. If a customer can’t trust you to protect their data, why should they trust you to provide a service?

With no sign that businesses are going to revert to analogue any time soon, the threat is only going to increase as every aspect of business becomes digitised. Yet many SMEs underestimate the danger, wrongly believing that only companies that take payments online are at risk and that hackers just aren’t that interested in small firms.

It is true that attacks on big companies – multinationals, global brands, corporate behemoths in finance and oil – deliver commensurately greater rewards for cyber criminals but, having been stung, these companies are investing billions in sophisticated cyber defences.

The inevitable result of such mega-investments is that cyber criminals have started looking for soft targets, organisations that fall into the category of ‘low-hanging fruit’. Automated attacks on thousands of small companies with less sophisticated defences can yield a huge reward. For many cyber criminals, SMEs are not the ultimate target but a means to an end – their data may offer an easier entry into systems run by larger companies they supply or buy supplies from.

In other cases, cyber criminals develop a new kind of attack and, when it works, use it repeatedly against similar targets. In the US, for example, at least a dozen small police forces have had their computer files taken hostage this year. Many have reluctantly paid a fee in Bitcoin to get their files released after being attacked by programs the industry has dubbed ‘ransomware’. As Gillian Tett asked recently in the ‘Financial Times’: “We think the police are the people who keep us safe. But if cyber hackers can attack the police, who is secure any more?”

The short, terrifying answer is no one. Yet defending your business against cyber attacks doesn’t need to be expensive, time-consuming or incredibly complicated. Protecting your company against hackers isn’t about investing in the most complex, formidable, state of the art firewall you can afford. The war against cyber criminals really begins with the judicious application of common sense.

SMEs can do a lot of simple stuff that will significantly reduce their risk. The government’s experts say that the most common problems businesses face come from staff exposing IT systems to malware by plugging in external devices and USB sticks, opening infected emails and using unsafe websites (which contain malicious code). Simple passwords and out of date software don’t help either.

The government’s experts recommend that SMEs should, as a matter of urgency, do five things:

1. Train staff so they understand threats. Many experts think this is the single most important thing a company can do to protect itself. As Tony Buffomante, who leads KPMG’s Protection and Business Resilience practice in the US, puts it: “The real challenge is to make cyber security the concern of the entire organisation. For example, this means that cyber security should become part of HR policy.”

Such an approach is, he argues, far more effective than putting blind faith in technology. In one recent US survey, 25% of employees admitted to sending confidential information to the wrong people – and no technical tool, no matter how sophisticated, can protect against such mistakes. That’s why, Buffomante argues: “Cyber security needs to be part of business as usual – as instinctive as locking the office doors at the end of the day.”

2. Keep software secure by always installing updates. In busy working environments, with deadlines looming, many staff might be tempted to decide that installing an upgrade is more hassle than it’s worth – hence the need for training. To be fair, many staff may not even realise how out of their date their software is or that many of the patches issued are to fix security glitches.

3. Install and use anti-virus software. Providers like Sophos offer free software that scans your systems for security risks, removes viruses and protects the network. With many of these programs, you have the option to upgrade if you need more functionality or technical support. It also makes sense to keep all your most valuable files backed up on the Cloud. And remember, just because you’ve bought an anti-virus suite, the job isn’t done. 4. Use complex passwords that include a minimum of three letters and a symbol. This may sound painfully obvious but a trawl of 200,000 passwords recently stolen from a US blogging network found that the most common passwords were “123456” and “password”. You don’t need to be a Moriarty-style criminal mastermind to crack those.

5. Make sure that your most valuable data is only given to those who truly need it. Again, sounds obvious but too many businesses have ignored this – and paid the price.

The good news is that under the government’s new Cyber Essentials scheme, companies can get vouchers providing up to £5,000 to invest in cyber security.

Neither the government nor the experts are saying that these four steps are all you need to do to protect your business, but they may well be enough to repel lower level cyber attacks. The sad truth is that too many companies haven’t even done these basics. The government’s figures suggest that British companies with less than 20 staff spend as little as £200 a year on cyber security.

An organisation’s leaders need to understand the most sensitive data they need to protect and how they can do that. Using decision-support methodologies and tools, companies can quantify and rank the cyber risks and focus their efforts – and investment – accordingly. This will be more cost effective than trying to fulfil the impossible dream of ensuring that every aspect of your business is secure all of the time.

There are many ways your business might be vulnerable. Third party suppliers or vendors can pose a risk. Wireless access points can help hackers gain entry and steal information. Often, hackers will pounce on inactive user accounts left by temporary staff, contractors and former employees. It’s worth remembering too that data isn’t the only target –cyber criminals can hack into any digital device and cause mayhem.

By developing a clearer idea of where your vulnerabilities lie, you are better placed to decide how to protect yourself and how to respond if you are attacked. If you feel that the nature of your business makes you especially vulnerable – if, for example, a lot of data flows between your business, your suppliers and your customers – you may want to join the Cyber-security Information Sharing Partnership, a government-sponsored initiative that shares the latest information about threats.

Focusing on cyber security can make you paranoid. That can be a good thing – it keeps you vigilant and guards against complacency. Yet it can also be a bad thing – too Stalinist an approach can demotivate staff and stifle innovation. A pragmatic balance has to be struck if your business is to go forward. With cyber security, as with so many other aspects of your business, risk is something you can only manage – and not avoid.

To manage that risk sensibly, you need to understand it – and understand it in the boardroom not just in one department. When asked whose responsibility is to ensure that their systems are safe, most small business owners will still answer: “The IT guy”. Yet ultimately, cyber security is everyone’s responsibility – including yours.

The British government has made a wealth of resources available online to help SMEs on: https://www.cyberstreetwise.com.