Last reviewed 25 August 2017
Nigel Baker, Lexicon Employment Law Training
A succession of recent reports have highlighted the growing threat to businesses of cyber attack and hacking. These reports underline the uncomfortable facts that not only are such attacks on the increase but that they affect SMEs as well as larger companies. Research by Beaming found that cyber security breaches cost British businesses as a whole £29.1 billion in 2016, with an estimated 2.9 million firms falling victim. The Government estimate that the average cost of a major security breach is between £65,000 and £115,000 and can lead to the affected business being out of action for up to 10 days.
According to a survey for Zurich conducted by YouGov, 875,000 SMEs across the UK were affected by a cyber attack over the last 12 months, at a total cost of £1.87 billion. Of SMEs hit, 20% said it had cost them more than £10,000 and 10% said it had cost them more than £50,000. Although the risk of cyber security breaches increases with business size, a cyber extortion demand or a week of business closure is more likely to threaten the survival of an SME than a large firm. Twenty–seven per cent of SMEs believe that they are secure because they are too small to be of interest to a cyber attacker yet 59% have been the subject of an attack according to research by Juniper.
A survey by Symantec in 2016 found that in cyber attacks on small firms of less than 250 staff, some 53% were targeted by a spear phishing attack in which an email appears to be from a known recipient but in fact isn’t.
An IBM report based on data collected from 8000 client devices over 100 countries found that the profile of cyber attackers consisted of 40% outsiders, 44.5% malicious insiders and 15.5% inadvertent actors. Notwithstanding the alarming implications of many reports, Zurich’s survey of 1000 SMEs in the UK found that 49% of them plan to spend less than £1000 on their cyber defences over the next 12 months and 22% didn’t know how much was to be spent.
Twenty–five per cent of medium sized businesses acknowledged that they had been asked by current or prospective clients and customers what cyber security measures they had in place. Many large organisations realise that they can be vulnerable through business connections with smaller contractors with weak or non-existent cyber defences. This has tendering implications for SMEs.
To keep your own house secure, it is common sense to lock doors and windows, leave some lights on, maybe install an alarm and let your neighbours know when you’re going to be away. Despite this, one in five burglaries in the UK happen because victims have left their doors or windows unlocked or open. This has led the assistant chief constable of Leicestershire Police to suggest that forces should not help victims who had failed to secure their property correctly.
When it comes to attacks on your property — or your business — your mindset should be the same. You need to put yourself in the place of the potential attacker and think: “How would I get into this house, or this computer system?” It might be easier than you thought.
An SME targeted by a cyber criminal might not make the headlines but the impact can be just as devastating. SMEs have the additional problem that they rarely have a dedicated IT Manager. Responsibility for systems will often fall to the already stressed and busy business owner who, understandably, gives it a low priority. This is reflected in research by Experian which found that more than half of UK SMEs do not see cyber security as a priority, despite 38% having experienced an attack in the past year.
Banks are increasingly taking the “Leicestershire Police” attitude when it comes to reimbursing the victims of cyber crime. In some instances, criminals have contacted a firm’s debtors and asked them to make payments to a different account, which is then rapidly cleaned out. In these cases, banks have refused to make refunds on the grounds that the victims authorised the payments themselves.
Yet despite the lack of resources, there is a lot that SMEs can do to thwart cyber attacks:
Implement security protocols: employees should have individual passwords that are strong and known only to them and the business manager. The use of passwords that are easily guessed, such as P4ssw0rd, must be discouraged.
Educate: staff should be briefed on the importance on online security and the need to be vigilant and sceptical when opening emails and especially email attachments. Ransomware is dependent on end-user activation so staff are a key line of defence against attack.
Have a recovery plan: think through what would happen in the event of an attack. Ensure that important data is backed up regularly and consistently. The “offsite” backup should either be in the Cloud or removed to entirely different premises, not left on top of the server.
Have a staff policy: make it clear to employees what they can and can’t do with office computers. Browsing dubious websites during the lunch hour is a good way to open up your system to criminals. Employees who bring their own devices to work can also pose a threat because hackers can infiltrate the whole network through these unprotected devices, so an internal staff policy on this is required.
Have effective anti-virus software: many cyber attacks are initially targeted at the US or Asia which means that anti-virus software is often updated before the problem travels around the world. That only benefits you if you have it set to automatically and continually update.
Tell the neighbours: inform all your customers that if there is ever a need to change payment or bank account details, they will be informed personally, for instance, by you, their account manager or your finance director. They should never respond to unexpected telephone calls or emails. It’s in their interests, as well as yours, that they follow this advice.
Consider insurance cover: more than a million British businesses took out cyber insurance policies for the first time last year and 19% of UK companies are covered for losses associated with cyber security breaches and data theft.