Cyber crime costs small businesses the most

New research has found that cyber crime is disproportionately effecting small businesses the most.

New research has found that cyber crime is disproportinately effecting small businesses the most.

The Federation of Small Businesses (FSB) has found that small firms are unfairly carrying the cost of cyber crime in an increasingly vulnerable digital economy.

The report Cyber Crime: How to protect small firms in the digital economy suggests smaller firms are collectively attacked seven million times per year, costing the UK economy an estimated £5.26 billion.

Despite the vast majority of small firms (93%) taking steps to protect their business from digital threats, two thirds (66%) have been a victim of cyber crime in the last two years. Over that period, those affected have been victims on four occasions on average, costing each business almost £3000 in total.

Cyber crime costs small businesses disproportionately more than big businesses when adjusted for organisational size.

Currently the responsibility largely falls on small businesses to protect themselves. FSB is calling for more support to be given to those smaller firms least able to bear the burden of the increasing global cyber threat.

Almost all (99%) of the UK’s 5.4 million small firms rate the internet as being highly important to their business, with two in three (66%) offering, or planning to offer, goods and services online. Without intervention, the growing sophistication of cyber attacks could stifle small business growth and in the worst cases close them down.

Mike Cherry, FSB National Chairman, said: “The digital economy is vital to small businesses – presenting a huge opportunity to reach new markets and customers – but these benefits are matched by the risk of opportunities for criminals to attack businesses.

“Small firms take their cyber security responsibility very seriously but often they are the least able to bear the cost of doing so. Smaller businesses have limited resources, time and expertise to deal with ever-evolving and increasing digital attacks. We’re calling on Government, larger businesses, individuals and providers to take part in a joint effort to tackle cyber crime and improve business resilience.”

The types of cyber crime most commonly affecting small businesses are phishing emails (49%), spear phishing emails (37%), and malware attacks (29%).

Small firms are also concerned about hacking and fraud when the card is not present, with the average information breach setting them back 2.2 days.

To combat this, four in five small firms (80%) use computer securing software, and well over half (53%) perform regular updates of their IT systems.

The FSB report also found room for small firms to improve security.

Currently just a quarter of smaller businesses (24%) have a strict password policy, four per cent have a written plan of what to do if attacked online, and just two per cent have a recognised security standard such as ISO27001 or the Government’s Cyber Essentials scheme.

Mike Cherry added: “Small firms are understandably focussed on building their businesses and creating the jobs which drive economic growth. The vulnerabilities of the digital world affects everyone and the responsibility for improving resilience should not be left to the group with least resource to do something about it.

Yahoo confirms one billion users have had data hacked

Bob Lord, chief information security officer at Yahoo, admits details of the breach in a blog post.

Bob Lord, chief information security officer at Yahoo, admits details of the breach in a blog post.“We believe an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft,” he said.

Speaking to Computer Weekly, Jonathan Care, a research director at market watcher Gartner, said Yahoo’s lack of clarity on this point was troubling.

“The implication is that Yahoo has overly focused on deploying protective technologies, and has not put in place effective analytics, detection and response systems and processes,” he said.

“From what we do know, the attackers made use of cookie masquerading, pass-the-hash and a state-sponsored actor. This gives strength to the importance of a strong detection plan.”

The incident came to light after US law enforcers shared files with the company that a third-party claimed contained Yahoo user data.

“We analysed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data,” said Lord.

Yahoo admits that staff knew about the data breach two years before it was confirmed publicly, and that the incident could affect the $4.83bn sale deal with Verizon.

“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

“We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords,” he said. “We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account.”

Which suggests that many personal questions have been hacked as well.

This latest breach comes several months after Yahoo revealed details of another historic attack on its systems, dating back to 2014, which led to the personal details of at least 500 million users becoming exposed.

At the time, the incident was reported to be the largest publicly reported breach of its kind, but the August 2013 one is understood to be considerably bigger.

After news of the 2014 hack broke, Yahoo confirmed some staff knew about it several years before details were publicly disclosed, and acknowledged that it could lead to Verizon withdrawing its $4.83bn bid to acquire the company.

In light of its latest disclosure, questions are now being raised about how the news may affect the deal, given Verizon went on record in October 2016 to say the previous breach could pave the way for it to drop its bid.

“It also emphasises the importance of purchasers understanding the security risks of target businesses and building in contractual mechanisms to adjust the price, or even allow them to walk away from the deal if breaches like these come to light before completion.”

“Clearly, the upshot of this is that we need to realise that it’s no longer a case of ‘if we’re targeted or unlucky’, but that we are all targets.”