Cyber attacks on SMEs – the risk of attack is VERY real

SMEs are very attractive to cyber criminals: they have poorer security and limited resources, making them easier to attack than their larger counterparts, and are often part of larger supply chains, making them an easy point of access into larger corporations’ systems.

The Department for Business, Innovation & Skills/PwC’s most recent Information Security Breaches Survey found that 74% of small businesses suffered a security incident in 2015 (up from 60% in 2014).

The impact of an attack is clear

Reputational damage is a very real concern for SMEs. According to KPMG and Be Cyber Streetwise, 89% of breached SMEs said the attack affected their reputation, damaging their ability to win new business and maintain relationships with existing clientele.

What SMEs can do to protect their reputation?

SMEs should look to the government’s Cyber Essentials scheme to protect their reputation. Cyber Essentials sets out five security controls that, according to the UK Government, could prevent ‘around 80% of cyber attacks’. These controls provide a basic level of protection from the vast majority of cyber-attacks, and improve business efficiency in the process.  A double win!

Certification to the scheme demonstrates that you’ve implemented these basic cyber security controls, reassuring your customers, stakeholders and staff that you have taken the precautions necessary to reduce cyber risks, as well as putting you on route to helping you with cyber insurance if you are considering taking this out.

Cyber-Essentials-logo-HiRes

Why SMEs really should care about hacking

There may have been a mistaken belief amongst SMEs that they are NOT a principle target for cyber attack.  This has been firmly refuted by security firm Symantec following their research of the trends which evolved during 2015 and which has just been published in their latest report.

UK, US and Indian SMEs in particular are being targeted, specifically with the goal of stealing money from businesses.

Hackers are using two types of Trojans (a common cyber threat method through which the victim is conned into launching malware believing it to be harmless) and social engineering (a confidence trick – essentially to get people to perform an action or divulge confidential information).

The newer, more sophisticated threats target, “employees responsible for accounts and fund transfers”.

Scammers will send emails from stolen or compromised accounts often related to finance and lure the employee to open them.  The email contains a .zip attachment, which once clicked on, opens a Pandora’s Box for the cyber attackers to log key strokes, steal files, passwords, access the camera and microphone.  The logging of key strokes is more sinister in that it tracks the keyboard use and pathway thereby tracking different websites etc. and passwords not even held on the computer as part of the data heist.

The email subject line might have a heading  such as the following:
• Re:Invoice
• PO
• Remittance Advice
• Payment Advise
• Quotation Required
• Transfer Copy
• TT Payment
• PAYMENT REMITTANCE
• INQUIRY
• Qoutation
• QUOTATION
• Request for Quotation

Hackers use two publicly available remote access Trojans (RAT):  Backdoor.Breut and Trojan.Nancrat.  Nancrat being the one most commonly used in the UK.

And it doesn’t have to be a swift in/out attack.  Hackers, once in, are happy to mooch around the computer to find out how to steal money.  “In some cases, attackers have been known to even download manuals to figure out how to use certain financial software,” the Symantec report says.

The recommendation of course is not to open suspicious attachments and to exercise caution when using email. All too often, a too-speedy key stroke can lead to an accidental but high impact outcome for the firm.  The solution is to get educated about cyber attacks and what they look like and treat email communications with cautious respect. That way, you get smart and your company and customers stay safe.