Large businesses that are hacked and attacked make the headlines, although it is becoming less of a story as more companies have their security breached. But you do not tend to hear much about the small businesses. This is not because they are avoiding breaches. In fact, the Department for Business, Innovation and Skills “2015 Information Security Breaches Survey” reported a 60% increase in security breaches for small UK businesses compared to 2014.
That translates into 3 in every 4 small businesses experiencing a security breach in the UK this year.
Small Businesses Ransomed
In Blackburn a member of staff of a vehicle hire company, MNH Platinum, unwittingly clicked on a link in a ransomware email which then encrypted over 12,000 files on its company network. A ransom demand followed – the criminals would decrypt the company’s files in exchange for more than £3,000. With the virus proving impossible to remove without the loss of crucial company data, the firm had no choice but to pay up.
“We were completely unprepared for a cyber breach simply due to a lack of awareness of the magnitude an attack of this type could have through mistakenly clicking a link in an email,” says managing director Mark Hindle. “I am thankful that we had a lucky escape, in that I was able to retrieve the documents that are crucial to the running of the business, albeit at a price.”
Another business that recently had its customer data held to ransom was a Scottish hairdresser's, whose appointments book was hacked. Ellen Conlin Hair and Beauty salon said it decided to pay the 1,000 euro ransom in bitcoins as it could not afford the loss of business the hack would cause.
These appear to be relatively cheap escapes. The UK government estimates that the vast majority of digital attacks cost businesses between £75,000 and £311,000.
According to NTT Com Security’s 2016 Global Threat Intelligence Report, 77% of organisations have no capability to respond to cyber attacks.
New research from Barclaycard supports this by showing only 20% of small businesses are considering cyber security as a top business priority. Worse than that, 10% had never invested in improving the security of their website, putting them at risk from cyber crime. This omission is telling given that almost half (48%) had been hit by at least one cyber attack in the past year, with 10% experiencing more than four attacks.
Paul Clarke, Product Director at Barclaycard, said: “Businesses of all sizes face a constant and growing threat from cyber crime. As our research shows, many small businesses are failing to take the necessary precautions, either because they don’t know how to protect themselves or, more worryingly, because they don’t think they need to. Cyber security is not a one-off investment that can then be forgotten about, especially as criminals are becoming increasingly sophisticated in the way they target businesses.”
The results are clear: no business is too small to be hit by a cyber attack or data breach.
Small Businesses Targeted
A new Ponemon report, “2016 State of Cybersecurity in SMB”, states that the most prevalent attacks against SMBs (small and medium-sized businesses) are web-based attacks and phishing/social engineering that negligent employees or contractors inadvertently cause.
Web and intranet servers are considered the most vulnerable endpoints or entry points to networks and enterprise systems. The challenge of not having adequate resources may prevent many companies from investing in the technologies to mitigate these risks. Web application firewalls, SIEM, endpoint management and network traffic intelligence are not considered very important in current security strategy. At a minimum, anti-malware and client firewalls are considered the most important security technologies.
Experts are warning that not only are small businesses now firmly in the cross-hairs of cyber-criminals, they are fast becoming their favoured target – and are often woefully unprepared.
Security Breach Certainty
The Department for Business, Innovation and Skills (BIS) commissioned the “2015 Information Security Breaches Survey” to provide greater awareness amongst UK business of the risks, insights on how companies are mitigating those risks (or not) and key trends.
The survey showed that the number of security breaches has increased and that their scale and cost have nearly doubled. Eleven percent of respondents changed the nature of their business as a result of their worst breach.
Nearly 9 out of 10 large organisations surveyed now suffer some form of security breach – suggesting that these incidents are now a near certainty. Businesses should ensure they are managing the risk accordingly.
Despite the increase in staff awareness training, people are as likely to cause a breach as viruses and other types of malicious software.
Jens Puhle, UK Managing Director of 8MAN, described what he found to be the most surprising take-away from the government-backed research:
“One of the most shocking revelations in the Government’s research is the fact that just 10 per cent of UK businesses have an incident management plan in place. Given that two thirds of large businesses were breached this year alone, organisations need to think in terms of “when”, not “if”, they are attacked, and it is vital they have a solid response plan in place.”
Ponemon “2016 State of Cybersecurity Small and Medium-sized Businesses” http://www.ponemon.org/blog/smbs-are-vulnerable-to-cyber-attacks
The Department for Business, Innovation and Skills (BIS) “2015 Information Security Breaches Survey”