It’s no longer a matter of if but when SMEs will be targeted by cybercriminals, so forming a robust response plan is essential.
Companies are sharing more information digitally along their supply chains. This connectedness means the majority – no matter their size – are likely to become a target for cybercriminals.
We’ve seen corporates investing in the detection of online criminal activities – by creating dashboards which identify where there is suspicious systems activity in another time zone, for instance – but, as yet, there’s no scalable equivalent product for SMEs.
Simple solution to online security
A cyberattack can cost an SME between £20,000 and £60,000 per incident – which brings major implications for a business that may only turn over £1m a year.
I still find some business owners either don’t believe it can happen to them because they are not an ‘online’ business or, when it does, are shocked by how many of their systems it shuts down. Doing nothing is simply not an option. But, at the same time, you don’t need to spend millions to protect your business.
This is because many attacks still rely on involvement from a member of staff, who may be tricked into clicking on an attachment or responding to a fake email from someone impersonating the business owner.
This is more common than people think, as it’s easy to copy a corporate email layout. Attackers may also use a domain name similar to the company’s own, simply replacing the letter ‘w’ with ‘vv’, for instance, in what is known as ‘spoofing’. This type of incident can result in unsuspecting employees transferring funds at the request of someone impersonating the business owner. So, building awareness is important – and free.
This kind of security breach not only incurs the cost of bringing in a consultant to get systems back online, but also carries legal and reputational damage implications. An incident like this means everyone is distracted and there’s unlikely to be any business conducted for a period of time, which could potentially damage your relationship with a key customer.
And, unfortunately, once an organisation falls into such a trap, it often finds that it ends up being targeted by fraudsters multiple times.
3 simple steps to robust cyber-security:
- Train your people: they are both your greatest strength and your biggest weakness. They need to be aware of risks, question any suspicious communications and be reassured that they should act on their suspicions.
- Practise good IT: make sure your antivirus software is up to date, allow your operating system to automatically accept patches, keep an eye on network speeds and make sure your data and systems are properly backed up.
- Plan for the worst: it’s worth asking yourself some important questions now – such as, in the event of an incident, how quickly could your IT provider send over replacement equipment? What calm and reassuring message will you send to customers and suppliers? What alternative systems and processes could you put in place?
A cyber-case study
One client fell victim to a type of cyberattack called ‘spear phishing’. In this case, the criminal made contact with the MD pretending to be a long-lost school friend. Through social media and an exchange of emails, the fraudster was able to collect essential details, such as the business’s email signature, an understanding of the MD’s communication style and, courtesy of social media, the details of a planned overseas trip.
The criminals were then able to time their attack to coincide with the MD’s trip. They sent an email impersonating the MD saying, in just the right syntax, that a payment must be made that day to secure advanced new technology. With a little background research, they were able to persuade employees to transfer over £180,000. Fortunately, someone became suspicious before any further payments were made.
There were a number of reasons this attack was possible: the company didn’t have suitable checks and processes in place (no one contacted the MD to confirm the request, for instance); it and its IT providers were not actively monitoring the IT networks for suspicious activity (activity from unusual IPs and at unusual times); and it had failed to implement simple technical anti-‘spoofing’ measures such as flagging externally generated emails.
In this example, the criminals’ objective was theft, but weak cyber security processes could equally result in an organisation suffering a data breach or falling victim to ransomware.
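As an added illustration of the two controls just mentioned, not code from the original article, here is a small Python check of the kind a mail gateway performs: it flags externally generated email, folds the ‘w’ to ‘vv’ trick (and a few similar look-alike substitutions) back onto the real domain, and warns when a staff member’s name arrives from an outside address. The company domain, staff name and sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed values for the example: the company's real domain and the names
# of staff whose identity an attacker would most plausibly borrow.
COMPANY_DOMAIN = "example-widgets.co.uk"
PROTECTED_NAMES = {"jane smith"}  # e.g. the managing director

# Look-alike sequences that read the same at a glance. 'vv' for 'w' is the
# substitution the article describes; the others are common confusables.
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l"}


def canonical(domain: str) -> str:
    """Fold look-alike sequences so a spoofed domain maps onto the real one.
    Deliberately over-approximates: a false positive only costs a banner."""
    folded = domain.lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def classify_sender(from_header: str) -> str:
    """Label a From: header as internal, lookalike, name_spoof or external."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == COMPANY_DOMAIN.lower():
        return "internal"
    if domain and canonical(domain) == canonical(COMPANY_DOMAIN):
        return "lookalike"          # e.g. example-vvidgets.co.uk
    if name.strip().lower() in PROTECTED_NAMES:
        return "name_spoof"         # right name, outside address
    return "external"


def tag_subject(from_header: str, subject: str) -> str:
    """Prefix the subject the way a mail gateway flags externally generated mail."""
    banners = {"internal": "",
               "lookalike": "[WARNING: look-alike sender domain] ",
               "name_spoof": "[WARNING: external sender using a staff name] ",
               "external": "[EXTERNAL] "}
    return banners[classify_sender(from_header)] + subject


if __name__ == "__main__":
    # Constructed sample headers, including the 'w' -> 'vv' trick from the article.
    for hdr in ("Jane Smith <jane@example-widgets.co.uk>",
                "Jane Smith <jane@example-vvidgets.co.uk>",
                "Jane Smith <jane.smith@webmail.example>",
                "Supplier <accounts@supplier.example>"):
        print(f"{classify_sender(hdr):10s} {tag_subject(hdr, 'Urgent payment today')}")
```

A banner like this does not replace the out-of-band confirmation call that was missing in the case study; it gives the employee the prompt to make that call.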
Prove your cyber-awareness
Those companies, particularly SMEs, that actively embrace cyber awareness will have an opportunity to stand out from the crowd.
Many organisations, from government to large manufacturers, now insist that companies along their whole supply chain have robust cybersecurity processes.
Any business which can demonstrate that it has robust procedures for preventing, detecting and resolving such incidents will find it is a selling point.
And, with the General Data Protection Regulation (GDPR) coming into force later this year, organisations, large and small, will have to ensure that the systems and processes they rely on to protect their data are fit for purpose, or risk a hefty fine.