SMEs more vulnerable than ever to cyber security attacks

The overwhelming majority of cyber security attacks on small to medium sized enterprises (SMEs) result from poor password management, a study of 1,000 UK and US SMEs by the Ponemon Institute shows.

The overwhelming majority of cyber security attacks on small to medium sized enterprises (SMEs) result from poor password management, a study of 1,000 UK and US SMEs by the Ponemon Institute shows.

Despite this fact, SMEs are doing very little to boost visibility into the password practices of their employees, according to the study sponsored by password management firm Keeper Security.

The study report said employee negligence is the top root cause of successful data breaches.

“Survey respondents believe cyber attacks are becoming more targeted, more severe in terms of consequences, and more sophisticated,” said Larry Ponemon, chairman of the Ponemon Institute. “So you would think things would be getting better in terms of protecting themselves, but they are really trending to worsening.”

According to the survey – 61% of respondents reported a cyber security attack, up from 55% a year ago – while 54% reported a data breach, up from 50% a year earlier.

Ransomware attacks were reported by 52% of respondents, with 53% of those reporting they were hit by more than one ransomware attack.

The total costs associated with successful cyber attacks on SMEs now total well in excess of £1m, meaning a single attack could bring an SME to its knees financially.

Not only has the cost of data breaches risen to an average of just over £1.2m including all attack mitigation and business disruption costs from £717,909 a year ago, but the average number of records stolen has soared from just over 5,000 per attack last year to 9,350 this year – an 87% increase.

While 54% of respondents say the root cause of the attacks are negligent (not malicious) employees, a full third of the companies surveyed could not even determine the root cause.

An ongoing lack of attention to password usage underlies much of the cyber security woes at SMEs, the study said, referring to the latest Verizon Data Breach Investigations Report, which noted that 81% of all cyber attacks result from poor password management practices.

More information about SME cyber security risks

  • SMEs are failing to address cyber threats despite the risks.
  • SMEs typically face the same threats as bigger organisations, but lack the same level of expertise and other security resources.
  • The latest Ponemon research shows that 59% of respondents said they have no visibility into their employees’ password practices, which is unchanged from a year ago.

Among the bad practices cited are using the same passwords for access to multiple accounts and servers; sharing passwords in highly insecure ways; and failing to use strong passwords, settling instead for 123456 or other very easily compromised passwords.

Less than half – 43% – of SMEs surveyed have any sort of password policy in place. And of those that do have such a policy in place, 68% (up from 65% last year) said they either do not strictly enforce the policies or are unsure if they are enforced.

According to the study, SMEs need to implement greater data protection beyond the “traditional” protection tools, with two-thirds of respondents reporting cyber attacks that evaded the company’s intrusion protection defenses, up from 57% a year ago, and 81% reporting such attacks evading traditional antivirus defences, up from 76% last year.

The Ponemon study shows that the top barriers to adopting better cyber defences are a lack of trained security staff (73%) and inadequate budget (56%).

However, the report said given the enormous costs associated with a data breach, failing to protect against today’s dynamic threat environment could prove disastrous, and the costs associated with doing so may not be as high as imagined.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Business needs help to act on cyber security advice

Businesses need help to act on all the information they receive about cyber security according to the London Digital Security Centre,

Businesses need help to act on all the information they receive about cyber security according to the London Digital Security Centre,

Small businesses need help in tackling cyber crime and embracing cyber security, not just information, according to John Unsworth, chief executive of the London Digital Security Centre (DSC).

“Information is good, but action is better,” he told the Whitehall Media Enterprise Cyber Security Conference in London. “There is a lot of information, but businesses want help in implementing it.”

The London DSC was set up as a not-for-profit organisation in 2015 by the Mayor’s Office for Policing and Crime to help the city’s roughly one million small businesses protect themselves from cyber crime.

The centre is run as a joint venture between the Mayor of London, the Metropolitan Police Service and the City of London Police to protect small businesses that are at the heart of the economy.

“The point of the centre is to help businesses act on the wealth of information that is out there to take control of their cyber security by implementing controls that make a difference,” said Unsworth.

“Part of our role is also to cut through the noise and show businesses that the things that will make a difference for the majority of small businesses cost little or nothing to implement.”

Many of the things small businesses can do to improve their cyber security only have a cost in time and effort, said Unsworth. “Cyber security is not always about buying a technical solution,” he added.

Investments in security technologies depend on the size of the business, the business operating model and what the business is trying to achieve, he said. “So for businesses that handle sensitive information, there is a cost because they need to ensure that data is protected and demonstrate that they have a good security posture.”

The role of the London DSC is to identify and prioritise business needs in terms of cyber security controls, said Unsworth.

 

Underlining the need to support small business in the face of cyber crime, Unsworth said that although more than 50% of crime reported to police is cyber enabled in some way, only 0.1% of policing resources across England and Wales are dedicated to the prevention and detection of cyber crime.

This is symptomatic of the fact that not everyone recognises that cyber crime is a big problem and it tends to be under-reported, he said. “What we need to start doing is creating a little bit of evidence noise about what the issues are, so we can get the right type of response to all of this.”

 

“What we have got to change and shift is this behaviour, so what we have done is to set about getting face-to-face with small businesses and talk to them one-to-one rather than relying on social media campaigns to get businesses to take cyber security more seriously.”

“When you start speaking to them in simple language, they soon realise that all cyber security is really about is understanding what you are using, what you are connected to, and if you have got the right controls in place,” said Unsworth.

Small businesses in denial over cyber security threats

According to Unsworth, many small businesses are in denial when it comes to cyber crime – they tend to think it will not happen to them because they don’t understand why they might be targeted.

“We want to help businesses avoid the regret of not doing something that could have prevented a cyber attack by helping them to embrace cyber security and putting in appropriate controls,” he said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

National Cyber Securty Centre’s 2017 Annual Review

The National Cyber Security Centre (NCSC) celebrates its first anniversary of operations this week.

The National Cyber Security Centre (NCSC) celebrates its first anniversary of operations this week.

The Annual Review highlights the work it has done to make the UK the safest place to live and work online.

While there is still much work to be done, the NCSC’s first annual report says it has prevented thousands of cyber attacks since its inception.

The NCSC received 1,131 incident reports, with 590 classed as “significant”, according to the agency’s first annual review.

Those “significant attacks” ranged from attacks on key national institutions such as the National Health Service (NHS) and the UK and Scottish Parliaments, through to attacks on large and small businesses and other organisations, said Ciaran Martin, chief executive of the NCSC.

But, he said, so much of the NCSC’s work aims to make successful attacks less likely, and to that end the NCSC has so far produced more than 200,000 protective items for military communications; supported the Cabinet Office in developing more secure communications for key government organisations; and supported the Home Office in ensuring the security of new mobile communications for emergency services.

The NCSC, part of GCHQ, brought together elements of its parent organisation with previously separate parts of government and intelligence to create a single, one stop shop for UK cyber security, with the aim of making the UK the safest place to live and work online.

A crucial part of the NCSC’s role is to help everyone in the UK operate more securely online.

“Through a pioneering partnership with the private sector, tens of millions of suspicious communications in the UK are being blocked every month,” he said.

Martin highlighted the fact that the NCSC’s Active Cyber Defence programme has developed capabilities, which have seen the average lifetime for a phishing site hosted in the UK reduce from 27 hours to less than an hour.

He added that the NCSC’s information-sharing platform with industry, the Cyber Security Information Sharing Partnership (CiSP), grew 43% over the year.

However, he said the NSCS still has much to do in the years ahead to “counter this strategic threat to our values, prosperity and way of life” in collaboration with GCHQ and the UK intelligence community, law enforcement, wider government, industry and the rest of the world.

Martin said cyber security is crucial to the UK’s national security and prosperity. “We’re incredibly proud of what we have achieved in our first year, bringing together some of the best cyber security brains in the country in a single place.

“But the threat remains very real and growing – further attacks will happen and there is much more for us to do. We look forward to working with our partners at home and abroad in the year ahead in pursuit of that vital goal,” he said.

According to the review, tens of millions of cyber attacks are being blocked every week by industry partners implementing NCSC’s Active Cyber Defence programme

The programme currently includes the NCSC’s protected domain name server (DNS) service built by Nominet to block bad stuff from being accessed from government systems; the use and support of the domain-based message authentication, reporting and conformance protocol (Dmarc) to block bad emails pretending to be from government; and a phishing and malware countermeasures service to protect the UK, including government brands.

Similarly, while the number of IP-addresses associated with phishing around the world is up 47% this year, the UK share of those has gone down from 5.1% to 3.3%.