In 2016, SMEs in the UK were targeted online 230,000 times. Large businesses are still the favourite targets of online criminals, but the rate at which smaller businesses are targeted has grown dramatically. Symantec reports that the percentage of attacks directed at businesses with fewer than 250 employees increased from 18% in 2011 to 43% in 2015, while the percentage directed at ones with 2,500 employees or more decreased from 50% to 35%.
Symantec says the attacks are indiscriminate, “like thrown paint on a blank canvas.” Any organisation can be a target. The criminals are after money, and most often they go after financial officers. Attackers expect that small businesses won't have security as good as the large ones.
Phishing and spearphishing
Attempts to trick people with email messages, otherwise known as phishing, are a popular technique. The goal may be to get them to give up passwords or other confidential data or to open attachments that will install malware on the computer.
To an increasing extent, the criminals use a more sophisticated variant, which tailors the message to the recipient. This version is called spearphishing. It may impersonate a superior in the organisation or a customer. The number of spearphishing campaigns against employees increased by 55% in 2015, according to Symantec. These attacks usually go after large businesses, but any business is vulnerable.
Ransomware accounts for a growing proportion of attacks. Victims can lose files unless they agree to pay for their recovery. These attacks go after individuals and businesses of all sizes.
Attacks on devices
Modern business networks present a larger attack surface than those of a few years ago. Not long ago, a typical small business network consisted of some desktop computers and one or a few servers. Today it can include print servers, wireless access points, VoIP telephones, users' mobile devices, and cloud connections. All of these are potential targets. Smaller businesses don't always have the IT expertise to protect them fully. There was a 310% increase in attacks on “Internet of Things” devices just between the first and last quarters of 2016. Many of these devices have poor security design.
Unprotected devices can be infected with malware that makes them part of a “botnet” which may send out spam, join in denial-of-service attacks, and attempt to spread malware to other devices. There is also a type of malware, perhaps intended as vigilante action, which shuts down insecure devices that it finds.
What actions are businesses taking?
In spite of the increasing dangers, most SMEs haven't made increased security a priority. A survey of UK business owners and managers found that only 37% said they were planning to invest in better online security. Only 41% of businesses consider their data “adequately protected.” Barely more than half said they had security policies in place.
Perhaps these businesses think they don't have enough of an IT operation to worry about. However, it's rare for a business with more than a handful of employees not to have important data on computers. Disruption of their operations or a breach of confidential information has the potential for serious harm.
Perhaps they just don't think there's any useful action they can take, so they shrug the problem off and hope insurance will cover any losses. Some people believe that whether they're hacked or not is purely a matter of luck.
The truth is that it's both possible and necessary to take effective security measures. An online attack is actually more dangerous to a small business than a large one, since the costs of mitigation and recovery can overwhelm its entire revenue stream. The greatest damage can come from loss of reputation. Small businesses may need expert assistance to know where to start improving security, but a reasonable effort can provide a significant return.
What do SMEs need to do?
A small business may not be able to do everything that would improve its security, but the more it does, the safer it is. Failure to do anything can lead to catastrophic financial losses from a breach, perhaps even the business’s failure. The steps an organisation can take include:
- Keeping software up to date. Old system software often has known defects, which online attackers can exploit. New releases fix the problems. Installing updates regularly — if possible, automatically — means fewer vulnerabilities.
- Limiting network access. A properly configured firewall allows access only to necessary network services and closes off services which IT management may not even know exist. With fewer points exposed to attack, the network has better odds of safety.
- Filtering email. Spam isn't just a nuisance but a threat. Even careful people will make an occasional mistake and open a malicious attachment. Filtering software won’t stop all spam, but it can block the most obvious offenders. If employees never see a phishing message, they can't open it.
- Backing up. Frequent backups help in recovering from malware and can be a life saver when attacked by ransomware. They also protect against hardware failure.
- Logging and monitoring. Malware sometimes goes undetected for months. Ongoing monitoring of system behaviour lets a business catch and mitigate breaches quickly.
- Educating employees. They need to learn to recognise dubious e-mail, treat it with care, and avoid questionable websites. They should know how to choose strong passwords and keep them secure.
Looking for more information?
Trying to do all these things may seem overwhelming, but improving security a step at a time will reduce a business's vulnerability and improve the safety of its data. Contact us for expert consulting and assistance in improving your business's data security.