The consequences of cybercrime attacks on SMEs are wide reaching, from obvious financial repercussions to severe damage to reputation: so how do you protect yourself without breaking the bank?
The PWC "Global State of Information Security Survey 2015" indicates that the number of reported cyber-related security incidents has grown from 3.4 million events a year to 42.8 million over the last five years.
The most recent annual Ponemon Institute report indicates that this costs UK business £4.12m a year, representing a 14% increase in mean value. However, the report also identifies that small organisations bear a significantly higher per capita cost than large companies (£1,014 compared to £232).
This disproportionate cost reflects the relative resources, capabilities and priorities of smaller organisations, and smaller businesses are also less likely to be resilient to the consequences of an attack.
The nature of cybercrime is the same for all businesses regardless of size, though the risks are particularly important for those that hold large amounts of confidential information, including personal data, valuable intellectual property or sensitive commercial material. Security breaches can result in a range of legal consequences, including:
- Unauthorised access to, or loss of, personal data, resulting in breaches of data protection obligations;
- Unauthorised access to, or loss of, confidential information, which may amount to a breach of contract or regulatory obligations, or the loss of commercial advantage;
- Disruptive service attacks (eg denial of service or ransom attacks) that cause excessive service downtime and breach of contract claims;
- Attacks on operational control systems leading to physical damage to plant and machinery, with consequential claims for loss; and
- Reputational damage caused by any of these.
However, preventing or at least mitigating cybercrime need not be costly. The Australian Signals Directorate identified in 2010 (revised in 2014) that 85% of intrusions involve unsophisticated techniques that could have been avoided by implementing the top four of its 35 mitigation strategies.
They are: application whitelisting; general application patching, particularly for systems at "extreme risk"; patching operating system vulnerabilities; and restricting administrative privileges to operating systems.
People are the weakest link
This is achievable because the weakest link in the security chain is the human element: technological measures are an important part of the overall solution, but they are not, and cannot be, the complete solution.
For example, a commonly used technique to defeat technological solutions is the social engineering attack, where malicious "spear phishing" emails are tailored to entice the recipient to follow embedded links or to open attachments that contain malicious software.
Sophisticated versions of these are made to look like they come from a personal connection or the recipient's bank or utility companies, making the attack difficult to spot.
Sophisticated attacks seek to combine such approaches with more traditional forms of fraud, such as telephone confidence tricks or 'man-in-the-middle' accounting frauds. These approaches rely on the ability of the fraudster to convince the victim to transfer money or information willingly to the fraudster.
Frequently, therefore, employees in lower paid, administrative roles are targeted. Banks will provide compensation where it can be demonstrated that a technical aspect of account security has failed, but not if the transfer was made voluntarily: such frauds are treated as 'user error' or as a criminal matter for the police, who generally lack the resources, training and knowledge to investigate all of the reported crimes.
Consequently, there is a need to develop greater awareness of the issues and to change our cultural approach to privacy and confidentiality. Changing a culture is a slow process that requires a combination of awareness and training together with constant reminders. However, it is a low cost solution that can be implemented quickly and easily.
The UK government has made attempts to change cultural awareness, such as the poster campaign that was published on London transport, websites like cyberstreetwise and by implementing the Cyber Essentials scheme.
Practical and low cost steps that a business can take start with conducting a risk analysis to understand the legal and regulatory environment that it operates within. This can be combined with a review of the availability and suitability of general and specific insurances, noting that some cyber-insurances may not be appropriate to the particular business.
Businesses should also look at their policies, including policies for the use of personal devices, email and internet use at work: it is legally difficult to dismiss an employee for security breaches if these policies are not aligned.
Larger businesses are increasingly looking at the risk generated by smaller businesses in their supply chains, which may mean a revision of commercial terms. Ideally, businesses should consider business continuity planning for a range of situations; these plans should now include dealing with cyber-related incidents.
All businesses face the same legal and practical issues from cybercrime, but the consequences are disproportionately greater for smaller companies. However, mitigating or avoiding the risks need not be expensive or time-consuming, when a few practical steps can make the difference between failure and survival.