lolloj - Fotolia

SMEs move into cyber criminals’ crosshairs

The consequences of data breaches for small businesses are greater than ever, with data protection law becoming tougher just as SMEs are turning into a top target for cyber attackers

The contribution made to the economy by small and medium-sized enterprises (SMEs) is impossible to ignore. In the UK, SMEs represent 99.3% of all private sector businesses, contributing £1.6tn to the nation’s economy each year, according to the Department of Business Innovation and Skills. In the light of these numbers, it should not be surprising that SMEs are now the top target for cyber criminals.

Many SMEs, however, are still blissfully unaware of this fact – 82% of companies still believe they are too small to be targeted by cyber criminals. Yet the reality is that 92% of hacking incidents in 2014 were carried out against SMEs.

According to the Federation of Small Businesses (FSB), smaller firms in the UK are targeted seven million times a year, costing the national economy £5.26bn. The amount of damage done by these breaches is rising, with the worst breaches costing up to £310,800 each in 2015, up from £115,000 in 2014, according to a recent survey published by digital economy minister Ed Vaizey.

While about 23% of SMEs have caught on to the potential risk posed by cybercrime, too many still rely on outdated technology that provides only perimeter security and completely ignore file-based threats.

As these sorts of attacks make conventional security methods utterly useless, an increasing number of hackers are seeing them as their most valuable tool. According to a survey by the Institute of Directors, nine out of 10 business leaders believe that cyber security is important yet only half had a formal strategy in place to actually protect themselves from threats.

File-based threats

File-based attacks involve the use of malicious code, hidden within common file types and launched via email messages. The potential of a file-based threat is constrained only by the ingenuity of the hacker. History has shown, time and again, the catastrophic effect that these corrupted files can have when they gain access to an enterprise’s systems.

The few SMEs that have woken up to the threat of cybercrime still stand little chance against such attacks. Many companies rely on costly perimeter security solutions, such as firewalls and email scanning, which are only effective against widely known threats. Furthermore, their defences rely on incremental updates to remain effective, though they are often one step behind the hackers.

File-based attacks are responsible for 94% of breaches across all businesses, and the figure continues to grow each year. As a result, many businesses are losing faith in their current security solutions, as well as in supposed “new solutions” such as sandboxing, and moving towards more innovative approaches.

Social engineering

The most well-trodden route into a company’s systems is through its own employees. By using well-practised social engineering tricks, hackers can turn an organisation’s own staff into unwitting accomplices. Alarmingly, some 88% of breaches include the use of social engineering techniques.

Ammunition for these types of operation is shockingly easy to acquire. Cyber criminals typically find employee information from a number of sources, such as files from the company’s official website that have not been cleaned, or files that have been intercepted during exchange. This information can be used to identify user IDs, server paths, software versions and even employee reference data.

With this information on hand, it’s relatively simple for a hacker to forge a convincing email to an employee, posing as a trusted contact and duping the employee into opening a link designed to send a zero-day exploit, to be activated at a later date, straight into the company’s system. With this in mind, it is vital that companies keep this information out of the wrong hands.

The urgency of cybersecurity

With the European general data protection regulation (GDPR) set to come into effect on 25 May 2018, preventing file-based attacks is more urgent than ever for businesses with operations in the EU. The new law will impose heavier penalties and fines on businesses that fail to protect data adequately, or are subject to a breach.

Minimum fines will be set at 2% of global turnover, with maximum fines double that. In addition to stiffer fines, the new regulation will include a provision for disclosure, in the name of the public interest, which will probably lead to many cybercrime victims losing additional revenue as their customers lose faith in their ability to protect their personal information.

Although the GDPR gives some leeway to SMEs deemed to pose a smaller risk to the privacy of citizens, even sole traders will be expected to be fully compliant with the regulations. They must manage their data just as closely as their larger counterparts, avoid introducing unnecessary privacy risks, and consider the risks their business practices pose to the privacy of their customers.

File regeneration

To ensure they can live up to the upcoming regulations, SMEs must turn towards a solution based on file regeneration. It guarantees total security and full protection against the most common form of cyber threat and can do so without compromising the speed and efficiency that businesses require to deliver a competitive service to their clients and customers.

SMEs would be wise to use a managed security service provider (MSSP) that is designed specifically for smaller businesses and takes into account the growing threat posed by file-based attacks. These solutions allow SMEs to achieve full protection from threats in a cost-effective manner, and place the burden of risk on the shoulders of a third party.

With both the GDPR and cybercriminals casting their eyes on SMEs, it is more urgent than ever for these enterprises to look beyond conventional perimeter security measures and adopt a security system that can protect them from the most common and volatile attacks.

Chris Dye is vice president, alliances, at Glasswall Solutions.

Read more on Hackers and cybercrime prevention