Published: March 22, 2022
Commentary from Martin Coward, Chief Risk Officer at Unity Trust Bank.
According to the Cyber Security Breaches Survey, conducted by the Department for Digital, Culture, Media and Sport last year, the average annual cost for businesses that lost data or assets after breaches was £8,460.
The survey also found that the proportion of businesses that identified cyber security breaches or attacks in 2021 was 39%. This was down from 46% the previous year. But only 35% had security monitoring tools, and just over one third did any kind of cyber risk assessment.
As fraudsters become more sophisticated in their methods, it has never been more important for businesses to understand the potential impact a breach or an attack can have on their systems. As a society, our reliance on technology and online software continues to grow, but there are vulnerabilities in businesses of every size.
For SMEs that are busy focusing on growth, having an in-depth awareness and being alert to online risks can become less of a priority. However, this can make them the easiest targets, and create the perfect scenario for an attack.
Cyber protection should be part of every business plan. That means having someone on hand who understands how to ensure every company computer has the latest patches installed. Each should also be running the most up-to-date software versions. This quick check should be part of regular housekeeping, and can save you significant resource in the long term.
There are three clear types of attack that SMEs must be mindful of. Firstly, phishing emails, which appear to be sent internally or from a known contact, ask you to follow a link that takes you to a site where your data can be harvested. In the worst-case scenario, malicious code delivered through the link infiltrates the company's systems, leading to a significant knock-on effect and loss of data across the business.
Phishing attacks from across the world are growing in both number and sophistication. In the past couple of years, we’ve seen attempts to compromise the NHS Test and Trace service to harvest users’ data. So-called ‘drive-by URLs’ can cause computers to automatically download a virus simply by opening a web page.
Secondly, social engineering, whilst out of a business’s control, sees users on social media providing a breadcrumb trail of information to fraudsters. Publishing personal data, such as date of birth, name of school and first pet name, can provide all the information required to answer common security questions. This can allow outsiders to log into sensitive systems.
Remote working has meant that, overnight, IT departments have gone from overseeing a single office to managing numerous private networks. Shared printers, laptops and ‘shoulder surfing’ have created an additional mobile threat. Additionally, staff using personal devices for company purposes such as email means that sensitive data could be at risk. This demonstrates just how important it is for workforces to understand not just how to protect themselves, but also their responsibility to protect company and customer data.
Finally, for SMEs with limited resources, having appropriate defences and sophisticated security filters in place may not seem like an obvious investment. However, without them, there might be no defence against a denial-of-service (DoS) attack. The attack deliberately exhausts systems with an overload of traffic, and can bring operations to a halt completely.
All these vulnerabilities mean that insecure software and systems are hugely exploitable. They can cause major challenges for businesses, particularly when their staff aren’t regularly installing updates on their devices. A perfect example of how things can go wrong was when a vulnerability was found in Log4j. This software is used by millions of devices globally. The developers quickly released a patch to fix the problem. However, if companies didn’t apply the update, their systems remained insecure.
It often takes experience to know when an attack is taking place. One of the most obvious signs of cyber security breaches is any out-of-the-ordinary activity. For example, if your website is suddenly experiencing an exceptionally high level of traffic, or you receive an influx of emails during a typically quiet period, something may not be quite right.
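The paragraph above gives the intuition (a sudden flood of traffic during a normally quiet period is a warning sign) but not a way to put a number on "exceptionally high". The script below is an added example written for this page, not code from Unity Trust Bank or the article's author. It parses web-server access-log lines in the Common Log Format, counts requests per minute, and flags any minute whose count sits far above a robust baseline (the median plus a multiple of the median absolute deviation, so the spike itself does not inflate the baseline). The log lines, the IP addresses and the threshold factor of 3 are all constructed assumptions for illustration; a real deployment would tune the factor against its own traffic history.

```python
"""Flag unusual spikes in web traffic from access-log lines.

Added example, not part of the original commentary. The sample log lines,
hosts and threshold factor below are constructed assumptions for illustration.
"""
from collections import Counter
from datetime import datetime
import re
import statistics

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not log-shaped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ts, request, status, _ = m.groups()
    return {
        "host": host,
        "time": datetime.strptime(ts, TIME_FMT),
        "request": request,
        "status": int(status),
    }


def requests_per_minute(lines):
    """Count parseable requests per wall-clock minute (unparseable lines skipped)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["time"].replace(second=0)] += 1
    return counts


def find_spikes(counts, factor=3.0, min_minutes=3):
    """Return the minutes whose request count exceeds the robust baseline.

    Baseline = median + factor * MAD (median absolute deviation). The MAD is
    floored at 1 so a perfectly flat baseline still yields a usable threshold.
    With fewer than min_minutes of data there is no baseline, so nothing is flagged.
    """
    if len(counts) < min_minutes:
        return []
    values = sorted(counts.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)
    threshold = median + factor * max(mad, 1)
    return sorted(minute for minute, n in counts.items() if n > threshold)


def top_hosts(lines, minute, n=3):
    """Which client addresses generated the requests in a flagged minute."""
    hosts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["time"].replace(second=0) == minute:
            hosts[rec["host"]] += 1
    return hosts.most_common(n)


def _line(host, minute, second, path, status=200):
    """Build one constructed log line for the sample below (not real traffic)."""
    return (f'{host} - - [22/Mar/2022:09:{minute:02d}:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512')


# Constructed sample: ten quiet minutes of two visitors each, then one minute
# in which a single address sends forty requests, plus one malformed line.
SAMPLE_LOG = []
for _m in range(10):
    SAMPLE_LOG.append(_line("203.0.113.5", _m, 10, "/"))
    SAMPLE_LOG.append(_line("198.51.100.7", _m, 40, "/about"))
for _s in range(40):
    SAMPLE_LOG.append(_line("192.0.2.99", 10, _s, "/login", 404))
SAMPLE_LOG.append("this line is not in log format and is skipped")


if __name__ == "__main__":
    counts = requests_per_minute(SAMPLE_LOG)
    for minute in find_spikes(counts):
        print(f"{minute:%H:%M}: {counts[minute]} requests, "
              f"top hosts {top_hosts(SAMPLE_LOG, minute)}")
```

Running it prints the flagged minute (09:10 with 40 requests) and shows that one address accounts for all of them, which is the kind of detail that turns "something may not be quite right" into a concrete item for whoever handles the incident. The median-based baseline is chosen over a plain average because an average would be dragged upward by the very spike being looked for.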
When it comes to installing security software, there’s no one-size-fits-all product, and firewalls are very specific to business types. For example, an agriculturalist will require very different levels of defences, compared to a hotel that holds a large amount of customer data.
If starting from scratch, it’s best to refer to the National Cyber Security Centre. This government resource analyses data from a range of sectors and business types, and offers easy-to-understand guidance and product recommendations.
It’s also worth checking the overall security of your business. You can use a framework such as the one published by the National Institute of Standards and Technology (NIST). This US government-sponsored framework provides a score for the level of protection you currently have.
All companies should aim to improve their score, but they need to give themselves time to do so. If you currently achieve the lowest score of ‘one’, aim for a score of ‘two’ after a year. Improving a low score will also take much more resource than improving one that already reflects a high level of protection. The investment you need to make will be dictated by your own ambition. Consider the data you hold and the number of customers, suppliers and staff in your business.
Building cyber resilience isn’t a quick fix. Just remember that data is much more valuable to fraudsters than money. Cyber security breaches can be very costly to a business. So, it’s important to take time to increase your business’s online security, and to enhance your team’s understanding of how to protect themselves from potential risks.
Words featured in Midlands Business Insider.