UK SMEs and cybercrime: Paying the price

As IT professionals, the idea of a client’s or our own business being hacked and subsequently exploited is nothing short of a catastrophic failure. A severe enough incident of cybercrime can cost a company hundreds of millions of pounds and leave a business in a state of inaction.

Indeed, according to a recent report by The Centre for Economics and Business Research, it is estimated that cybercrime costs British businesses alone a staggering £34 billion per year.

While it is true that the past few years have been marked by a number of substantial instances of cybercrime, with an increasing severity of attacks, it is also clear that cybercrime as a practice is changing. It is now recognised as a serious, organised criminal act and with it comes severe consequences.

The cost of cybercrime

The fact is, cybercriminals (rather than hackers) are becoming increasingly resourceful and creative; and that means the assumption always has to be that they can and will be able to circumvent security measures put in place by finding a weakness and exploiting it.

This evolution in malicious cyber behaviour has placed cybercrime firmly on the agenda for the C-suite. In turn, this puts an increasing amount of pressure on those responsible for enterprise IT infrastructures to ward off attacks and keep the company’s reputation in sterling condition.

Securing against cyberattacks doesn’t have to cost millions – but it can cost millions if you don’t. Take Sony’s 2014 data breach – an oversight that cost the company in excess of $100 million when hackers erased data and also stole and published private and sensitive information.

Companies in all industries have some difficult and costly decisions ahead to help protect themselves against cyberattacks.

Becoming cyber-savvy

Startlingly, a recent UK 2015 Cyber Risk Survey Report found that only 18 per cent of large and medium-sized corporations from across the UK consider themselves to have “complete understanding” of cyber-related threats.

Indeed, according to the report a huge 61 per cent made no attempts to estimate financial loss in the event of a breach, making it impossible to assess the damage and the cost required to safeguard infrastructure against future attacks.

If these larger organisations, with their chief security officers and chief information officers, are struggling to fully understand the cybercrime landscape it suggests the small-to medium-sized enterprise (SME) has much to do to protect itself.

The fact is, however, that any organisation, including an SME, can protect itself when armed with the right level of understanding as to what the threats are and how to combat them.

One approach, for example, is to use a device that filters Internet traffic before it reaches the internal network. These could be called firewalls, proxys, web filters, IDS or UTMs and can be more intelligent than they sound. The key is making sure they are updated daily, if not hourly, in order to be able to detect and block malicious scripts effectively.

Also, it is often the same attack vectors that are reused by cybercriminals to profit from companies that don’t guard against common and easy to exploit vulnerabilities, such as SQL Injection within websites, so it pays for enterprises to be thorough and to scan for vulnerabilities on a regular basis.

Ransomware and protecting the SME

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay a ransom through certain online payment methods in order to grant access to their systems, or to get their data back.

An increasing number of SMEs are falling victim to this type of attack because they often have less sophisticated computer defences. Some 80 per cent of SMEs don’t use data protection and less than half use email security, according to Intel Security.

Today’s businesses have to react swiftly to the ever-changing business playing field, with new systems that allow them to communicate with ease, speed and flexibility. But in facilitating these systems, SMEs often look for simple solutions that offer a fast track to keep up with the changes. They generally don’t involve the IT department and instead approach an outside agency, opt for a “cloud” solution or do it themselves using free software.

The problem in not engaging the IT department is that these systems do not get updated. If we look at a company’s marketing function as an example, much of their activity will be campaign-based, so once it is finished it’s off their radar and any associated websites or infrastructure are often left to fester.

As part of the Governments Aware campaign they have produced a guide on cyber security for businesses. This guide highlights ten areas in which companies should be taking action to protect themselves.

Businesses need to assume they will be hacked by default. The threat landscape is ever evolving and people have to be able to trust companies with their information and data. Enterprises that assume they will be compromised one day and proactively invest in the right security measures will minimise their risk and ensure that everything of value can be restored.

Steve Nice, Chief Technologist, Node4

Image Credit: Sergey Nivens / Shutterstock