Despite the growing attention that cyber breaches attract, many small firms still believe this is something that will not happen to them. In fact, they’re increasingly on the receiving end, and the damage can be significant, says Georgina Fuller.
Those of us born before 1985 are, according to author Michael Harris, ‘digital immigrants’, the last people to remember life before the internet – a concept that future generations will find almost impossible to grasp. Mr Harris’s fascinating book, The End of Absence, looks at life before and after the mighty web arrived, and at the pros and cons of being constantly connected.
While the digital revolution has undoubtedly brought lots of advantages for businesses and opened up a whole new world of sales and marketing opportunities, it has also put them at huge risk of cyber crime.
A recent report by FSB, published in June, indicated that small businesses are the most vulnerable. The report, Cyber Resilience: How to protect small firms in the digital economy, found that smaller firms are collectively attacked seven million times per year, costing the UK economy an estimated £5.26 billion.
Almost all (93 per cent) of the 1,000 members questioned by FSB and survey company Verve had taken steps to protect their business from digital threats. But a whopping two-thirds (66 per cent) had still been victims of online crime in the past two years. During that period, those affected had been victims on four occasions on average, costing each business almost £3,000 in total.
The most common types of cyber crime were found to be phishing emails (49 per cent), spear phishing emails – which appear to be from people you know and which are often directly addressed to the recipient (37 per cent) – and malware attacks (29 per cent).
To help protect small businesses against the dangers of cyber crime, FSB has launched its own cyber insurance policy.
Everybody in FSB is automatically covered by this market-leading policy, which will give small business owners access to expert legal and technical IT security guidance on problems arising from cyber and data protection risks, along with risk management assistance, helpful guides and advice.
Further information is available at www.fsb.org.uk/benefits/support/cyber-protection and through the UK-wide network of Development Managers.
Mike Cherry, FSB National Chairman, believes the digital economy is vital to small businesses, but that more needs to be done to tackle online fraudsters. “Smaller businesses have limited resources, time and expertise to deal with ever-evolving and increasing digital attacks,” he says.
“We’re calling on Government, larger businesses, individuals and providers to take part in a joint effort to tackle cyber crime and improve business resilience.”
However, when it comes to addressing online threats, complacency and a general ‘it won’t happen to me’ head-in-sand approach are all too prevalent, says Gary Burbidge, Chief Technology Officer at the Association of Accounting Technicians.
“All businesses, whether large or small, are potential targets of cyber crime. The main risk is a failure to prepare for their systems coming under attack,” he says.
This picture of dangerous complacency is supported by recent research. A study of 200 small firms, published in September, found that 86 per cent thought they were doing enough to prevent cyber security attacks, yet over half had knowingly suffered a data breach. Over a quarter (27 per cent) of the small firms surveyed by Juniper Research also said they felt safe from digital threats because they were ‘too small’ to be of interest to online fraudsters.
“Cyber security is a big concern for businesses of all sizes, as an attack could cost millions of pounds in lost data, reputation, time and customers,” says Windsor Holden, Head of Forecasting and Consultancy at Juniper. “Yet our study shows that businesses believe they are far more secure than they really are.”
Business owners should adopt certain basic precautions, such as keeping on top of anti-virus subscriptions, backing up all company information and changing passwords regularly, as you would do with your personal computer or home technology. While such measures may sound obvious, they are things that small firms often overlook, says Ran Berger, Chief Executive of Flat Rock Technology.
“Downloading the right firewall and software is a good place to start, but you’d be amazed at the number of small firms that let their anti-virus subscriptions lapse,” he says. “Equally, many websites are running on outdated and insecure software. The web landscape has changed dramatically over the years, and many ‘grandfather websites’ are not holding data securely.”
If, for example, your website was developed more than three years ago, it is advisable to run a stress test to make sure it’s not susceptible to a Yahoo!- or TalkTalk-style security breach, says Berger. It may also be worth considering hiring an ‘ethical hacker’ to pinpoint any weaknesses in cyber security. “This can be relatively cost-effective and will be beneficial in the long run,” he says. “Think of it as an insurance policy.”
Spread the word
Another thing that is essential is a decent internal training programme, says Daniel Driver, Head of Perception Cyber Security at Chemring Technology Solutions. “The biggest source of breaches is what’s known as the ‘insider threat’ – someone with authority on a network (usually inadvertently) doing something that opens up a network to malicious behaviour,” he says. “Training staff on how best to control passwords, how to recognise phishing links and how to reduce their own personal risks cuts malware on our customers’ networks by an order of magnitude.”
Cyber security drills should also be as commonplace as fire drills in today’s workplace, according to Mr Berger. “It’s impossible to 100 per cent guard against cyber crime, but if staff can recognise what a scam or breach looks like, it will make it easier to rectify if it’s spotted early,” he says.
“As workforces evolve, staff will naturally become more au fait with cyber security, but until then education needs to form a major part of internal communication. The commercial importance of being ‘cyber-aware’ should never be understated.”
It’s also important for business owners to remember that police and other national crime agencies do not focus on detection, but rather on raising awareness of the risks and the need to self-protect against any attacks, says Patrick Arben, a Partner at Gowling WLG law firm. “Business owners should, therefore, be as proactive as possible in backing up valuable data and realising how to spot suspicious communications requesting confidential information,” he advises.
Mr Cherry, meanwhile, says that, while small firms are understandably focused on building their businesses, they cannot afford to overlook the risks of cyber crime in the process. “Security is important, but given that an element of risk will always be present when operating online, resilience must also be championed,” he warns. “Without a concerted effort to reduce cyber crime and improve resilience, small businesses could be at real risk.”
Case study: seller used stolen ID
An FSB member recently purchased a large piece of garden furniture for a significant sum. He was cautious enough to make several checks on the identity of the proposed seller, and the answers appeared satisfactory.
He then, as requested by the purchaser, arranged for his bank to transmit the money to the account specified by the seller.
It transpired that, while the details furnished belonged to a real person, the seller was a fraudster who had stolen that person’s identity. The money disappeared. Because it was a voluntary transaction where the bank had not played any part in the verification process, compensation was not an option. The police have been slow to try to trace the criminal via their ISP address, so the FSB member has been left seriously out of pocket.
Richard Parlour, Chairman of FSB’s Home Affairs Committee, says it’s always wise to do due diligence when it comes to suppliers or customers. “Ultimately, more successful tracing and prosecutions of the fraudsters will be the best deterrent, but international efforts will be required to tackle those who scam from safe overseas locations,” he says.
Taking precautions: FSB’s 10 top tips on staying safe online
1. Implement a combination of security protection solutions, including anti-virus and anti-spam software and firewalls
2. Carry out regular security updates on all software and devices
3. Implement a resilient-password policy – minimum eight characters; change regularly
4. Secure your wireless network
5. Implement clear and concise procedures for email, internet and mobile devices
6. Train staff in good security practices and consider employee background checks
7. Implement and test back-up plans and information-disposal and disaster-recovery procedures
8. Carry out regular security-risk assessments to identify important information and systems
9. Carry out regular security testing on the business website
10. Check provider credentials and contracts when you are using cloud services