By David Navin, Head of Corporate, Smoothwall
Cyber-attacks are nothing new, with a new threat, attack or breach making a regular appearance on the news agenda. With a number of high profile attacks on large corporations such as Yahoo, Sony, TalkTalk and Camelot, it is easy to think that cyber criminals only go after the big fish.
In fact, security expert Dr. Emma Philpott recently stated: “There’s a lot of great talk, but most SMEs do nothing about cyber-security. It’s shocking.”
Although it may sound harsh, Philpott was simply confirming what the majority of the security industry will tell you: that SMEs rarely have clear, actionable measures in place, which presents a rather inviting opportunity to hackers and threat actors.
Research last year found that 48 per cent of SMEs fell victim to at least one cyber-attack in the past year, with 10 per cent targeted multiple times. It begs the question, therefore: why do SMEs not consider their cyber security as important an issue as large enterprises?
Last year in the UK there were 5.4 million SMEs, making up over 99 per cent of all UK businesses and making them absolutely crucial for the UK economy. Given that importance, the security problem is a serious one and needs to be addressed.
It isn’t that SMEs are over-confident or ignorant of the threat of cybercrime. The majority of SMEs suffer from an inferiority complex and believe they are not at risk because they are not big or important enough to be a target for hackers.
They could not be more wrong.
Consumers share their data with SMEs on a daily basis, with many large companies working with SMEs as part of their supply chain. This makes SMEs a very attractive proposition for criminals looking to get hold of valuable data – be it corporate or personal. By playing a part in the supply chains of larger companies, they can be exploited as back doors into their larger partners, providing cyber criminals with a passage to attack the ‘bigger fish’. Security is another issue as well. Aside from the value of the data they hold, SMEs provide a bullseye for threat actors as they tend not to have the same level of security in place as their larger counterparts. This means they are not only an appealing option to hackers, they are often an easy one.
With the increasingly common Advanced Persistent Threat (APT), there is more chance that a cyber-attack has set out to steal data rather than to cause damage to the network or organisation.
Mitigating such attacks is very challenging, and larger businesses invest in highly complex security systems to protect themselves. It is often the case that SMEs don’t feel they can afford such investment, but the truth is that there are some security measures that can be taken without huge cost.
There are five fundamental security measures every business should have in place: web security with perimeter firewall, application control, network segmentation, IPS (Intrusion Prevention Systems) and email security. By implementing these, SMEs can begin to build a defence with these security pillars as their foundation. As the business grows, further investment can then be made and built on top of this.
Go small to win big
SMEs can take no chances. If found to be the weak link in a large organisation’s security defence, it is likely that they will lose that partner and the hundreds of customers that come with them, and the reputational and financial damage that will result could be catastrophic to a small business. We have already seen how a cyber-attack can affect a company’s prospects, with Yahoo’s acquisition by Verizon cut significantly as a result of its 2014 hack, and SMEs can be subject to the same consequences as well.
This is why, alongside having the core five defences in place, SMEs must adhere fully to security regulation. We know compliance is a painful process for SMEs – it can be time-consuming and therefore costly. There is no avoiding compliance, even if it does not necessarily lead to better security, but what it will always do is protect relationships with larger partners. Coupled with at least a basic level of security, the SME becomes far less appealing to a hacker.
Companies, no matter their size, need to have all the measures in place so as to keep their data watertight and relationships safe. Reputation for any company is built from the bottom up: prevention before cure, or face the ignominy of a potential debacle, TalkTalk-style.