The extent to which criminals are exploiting digital technology to commit offences continues to grow, as they disrupt businesses, steal money, goods, information and sensitive data.
For the cyber criminal it is a low-risk crime that can deliver huge payoffs, relentless in their efforts to exploit system and human vulnerabilities. And as people and things get more connected the variety and volume of cyber-attacks continue to rise, malware and unauthorised access to data remain major business concerns.
Cyber-attackers know from experience that smaller organisations tend to have less money and fewer resources to spend on their cybersecurity. The majority of cyber-attacks are automated and indiscriminate, exploiting known vulnerabilities with IT systems rather than targeting specific businesses.
The SMB threat landscape
Yet there is a gap that exists between the accelerating threat landscape and the limited resources organisations are allocating to defend against cyber-attacks.
Small businesses (SMBs) in the UK are the target of an estimated 65,000 attempted cyber-attacks every day, according to figures from a study from Hiscox, a specialist insurer.
According to Hiscox, almost one in three (30%) UK small businesses suffered a cyber breach last year – equivalent to over 4,500 successful attacks per day or one every 19 seconds.
The majority (66%) of those SMB’s that suffered an attack, admit to making no changes to their policies or systems to help prevent further breaches. This is perhaps one of the key reasons why over half (56%) of those who’ve suffered a breach, are the victim of multiple attacks.
When it comes to cybersecurity, you’re only as strong as your weakest link - which means businesses continue to be at risk from cyber-attacks targeting system vulnerabilities or their lack of response to known weaknesses.
Most SMBs are at risk of being breached either through a lack of awareness of what the cyber-attack threats are or from taking no actions to address the lack of any cybersecurity defences.
According to Accenture’s 2019 Cost of Cybercrime Study, "Humans are still the weakest link”, as human error is often at fault for exposing sensitive information or undermining internal security practices.
In an ever-changing digital landscape, Accenture underline how important it is to keep pace with how cyberattacks on businesses are evolving:
- Information theft is the fastest rising consequence of cybercrime. But data is not the only target as core systems, such as industrial controls, are being hacked in a dangerous trend to disrupt businesses
- A new wave of cyberattacks sees data no longer just being copied and stolen but being destroyed, attacking data integrity
- Cyber criminals are adapting their attack methods to focus on humans, the weakest link in cyber defense, deploying tactics such as ransomware, phishing and social engineering as a path to entry
As an SMB, the UK Government is helping businesses to prepare by providing a range of standards and guidelines, the most useful of which for SMBs is Cyber Essentials.
Cyber Essentials is the UK Government backed scheme administered through the National Cyber Security Center (NCSC) that aims to show organisations how to prevent the most common cyber attacks and to encourage organisations to adopt best practices in their information security strategy, in turn making the UK a safer place to do business.
The NCSC claims Cyber Essentials can help eliminate the risk of 80% of cyber-attacks, a scheme designed to fit with whatever level of commitment an organisation is able to sustain.
The Cyber Essentials scheme addresses the most common Internet-based threats to cybersecurity and considers these threats to be:
- Hacking — exploiting known vulnerabilities
- Phishing — and other ways of tricking users into installing or executing a malicious application
- Password guessing — manual or automated attempts to log on from the Internet, by guessing passwords
Cyber Essentials certification offers peace of mind that an organisation’s defences will protect against the vast majority of common cyber attacks simply because these attacks are looking for targets which do not have the appropriate technical controls in place.
The Cyber Essentials scheme is not covered by binding regulation, instead, it offers organisations and businesses a means to demonstrate their commitment towards addressing cybersecurity by achieving an accredited and registered certification standard.
If as an organisation you need more certainty on how you apply cybersecurity, you can obtain basic or entry level Cyber Essentials.
For those organisations who need to take their cybersecurity to a higher level, you can go for Cyber Essentials Plus certification.
Massive cybersecurity breaches have become almost commonplace from Facebook to British Airways to Dixons Carphone, all regularly grabbing national headlines.
But, for all of the attention generated by these incidents, many organisations still struggle to comprehend the risks of a cyber-attack and fail to prepare adequately.
Most SMBs recognise the threat that cyber criminals pose on a global scale but are less convinced of the risks facing their own operations, considering themselves ‘too small’ to be worthy targets, but this isn’t the case.
Reasons to get your Cyber Essentials certification
There are a number of reasons why SMBs need to address their lack of cybersecurity focus:
1. The consequences of a breach
The direct costs of a cyber-attack can be extremely expensive, but actually underestimates the real expense of an attack.
It is not just the direct financial burden or the cost of repairing the damage to systems etc. A data breach can undermine customer trust and inflict reputational damage that businesses will find difficult to recover from. Plus with the introduction in May 2018 of the GDPR there are potentially regulatory fines that businesses will face because of the consequences of a cyber-attack.
2. Sophisticated hackers
The internet opens the door to huge opportunities and rewards, but also brings with it risks to doing business online. An attack on your business can also take place remotely, on third party systems that hold your data, on hardware stolen from your premises or by your staff sharing confidential information by mistake or for financial gains.
Every day there are cyber-attacks in some form or other against UK companies, attempting to steal information, access applications and disrupt business as hackers have a lot to gain from a successful breach.
3. Widely available hacking tools and knowledge
The commercialisation of cybercrime has made it easy for anyone to obtain the resources they need to launch a cyber-attack. More often than not, the hackers like any criminal are playing a "numbers games", they are opportunists and know that if they keep on trying eventually they will gain entry.
The head of Europol says that the growth of cyber-crime is “relentless”. The agency has identified a range of increasingly common methods – and these are not sophisticated. According to a report from the UK’s National Crime Agency (NCA). The average age of those arrested for malicious hacking activities was just 17 years old.
The introduction of GDPR in May 2018, now means that organisations need to take cybersecurity more seriously than ever, or face heavy fines.
The GDPR or General Data Protection Regulation is designed to unify data privacy laws across the EU, giving EU citizens more control over their personal data and prescribing how organisations may use and must protect their subjects data.
Under the EU’s new rules, all European citizens have the right to know how their personal data is being used, why it’s being processed, have the right to access and correct it, restrict further processing of it and ask that all their data be erased or passed onto another party.
As a business you must know where and what data you have stored, it’s source and that you are lawfully complying with the regulations on how to keep and process it and implement appropriate technical and organisational measures to protect personal data, regularly review controls, plus detect, investigate and report any data breaches.
5. It shows that you take cybersecurity seriously
Becoming Cyber Essentials certified can help you establish the trust of clients and partners. It shows that you have made a promise to take your cybersecurity responsibilities seriously.
The rise in awareness of the consequences of a cyber-attack have seen an increased demand for evidence that your business takes its responsibilities seriously and invests in protecting data and information.
Once you are certified, you will be able to display a Cyber Essentials certification and be listed on the Directory of organisations awarded Cyber Essentials.
Cyber Essentials is just one step of the journey towards securing your organisation against cyber attacks. As an outside provider Worktools can do initial security assessments and ensure that everything is secure, both locally and through remote access.
We can also help create your cybersecurity plan so you know how to prepare and if necessary respond to an incident.
Image source: www.freepik.com