Tim Smith and Nick Gibbons, partners in the technology, media and telecommunications team at legal firm BLM LLP, take a look at the latest cyber threats to SMEs and ways to help minimise the risk.
It’s late on a Friday and a supplier calls/emails your business to tell you they’ve changed their banking details. The invoice is paid according to the new banking details. A week later, the supplier calls to say they still haven’t received their money. What’s happened? After an investigation, it turns out the first contact from the supplier was actually a scam by a phisher who appears to know a great deal about you and/or the person they are purporting to be – probably from looking at social media and the two organisations’ websites. This type of deception – sometimes known as the CEO fraud – is an increasing problem for small businesses duped into paying legitimate invoices but to the wrong people.
Whether it’s a systems hack resulting in a loss of confidential data, a website disabled, or a virus laden email attachment that once clicked renders a computer system inoperable, there is a whole list of vulnerabilities these days.
Increased reliance on IT equals increased risk
Of course, in the last few years, SMEs have also become even more reliant on their IT systems so small businesses are more vulnerable both because they have more IT kit to protect and because there are more people trying to disrupt, or cause damage to that kit maliciously. And not forgetting basic human error. An HIV clinic in London was fined last year by the Information Commissioner’s Office for sending an email newsletter and cc’ing rather than bcc’ing all the recipients (making them visible to all). And it seems that when employees leave a job in acrimonious circumstances, instead of punching the boss, they’re just as likely to download a company’s sensitive data and release it (the supermarket Morrisons being a high profile casualty of this particular vengeful attack).
Part of the problem for SMEs is they are increasingly becoming a target because bigger companies have more resources to protect themselves from cyber risk, forcing hackers to focus on their supply chain vulnerabilities. A lot of the big breaches – US retailer Target being a classic example – are where hackers have got in through a supplier’s vulnerability. Bigger companies now see their suppliers as part of their IT security perimeter and are beginning to insist on those suppliers having proper IT security in place. It could affect the competitiveness of some smaller businesses if they haven’t got the right policies and safeguards in place.
Unfortunately you can’t make yourself invincible when it comes to cyber risk but you can make your business more ‘prickly’ and a less attractive target for the bad guys. Think of the approach being very similar to having a burglar alarm on your house, a ‘beware of the dog’ sign, secure doors and windows, and CCTV – basic precautions that can make your business less vulnerable to an attack. The bad guys are generally opportunists looking for ‘open window’ targets. If you can secure those open windows and make yourself less attractive as a target, it can make the difference.
The government’s Cyber Essentials and Cyber Essentials Plus schemes have been introduced in the last few years to help organisations protect themselves against common cyber attacks and offer the opportunity to acquire a Cyber Essentials certification badge. It’s not rocket science but there is a lot of good practice here to help prevent those opportunistic attacks. Cyber Essentials’ 10 Steps to Cyber Security are:
- Information risk management regime
Assess the risks to your organisation’s information assets with the same focus as you would for other risks such as legal, regulatory, and operational threats.
- Secure configuration
Remove or disable unnecessary functionality from your IT systems, and keep them patched against known vulnerabilities.
- Network security
Monitor traffic for unusual or malicious incoming and outgoing activity that could indicate an attack (or attempted attack).
- Manage user privileges
All users of your IT systems should only be provided with the user privileges that they need to do their job.
- User education and awareness
Produce user security policies that describe acceptable and secure use of your business’s systems.
- Incident management
Establish an incident response and disaster recovery capability that addresses the full range of incidents that can occur.
- Malware prevention
Produce policies that directly address the business processes (such as email, web browsing, removable media and personally owned devices) that are vulnerable to malware.
Establish a monitoring strategy and develop supporting policies, taking into account previous security incidents and attacks, and your company’s incident management policies.
- Removable media controls
Produce policies that control the use of removable media – such as memory sticks – for the import and export of information.
- Home and mobile working
Train mobile users in the secure use of their mobile devices for locations they will be working from.
Look out for new regulation
In the next two years we will also see new regulation driven by the European Union, which will mean that the regulators’ – such as the Information Commissioner’s Office here in the UK – powers will be far more significant.
Add that to malicious attacks and human error and the days when the main threats to your business were simply flood or fire are fast receding. Your main business risk may well now be a technology risk rather than a physical one. A prickly response would be a good place to start in making sure your business effectively manages the cyber risk – proving that it’s better to be a cyber hedgehog than a cyber mouse when cyber predators are around.
Tim Smith and Nick Gibbons are partners in the technology, media and telecommunications team at BLM LLP