Cyber crime costs small businesses the most

New research has found that cyber crime is disproportionately effecting small businesses the most.

New research has found that cyber crime is disproportinately effecting small businesses the most.

The Federation of Small Businesses (FSB) has found that small firms are unfairly carrying the cost of cyber crime in an increasingly vulnerable digital economy.

The report Cyber Crime: How to protect small firms in the digital economy suggests smaller firms are collectively attacked seven million times per year, costing the UK economy an estimated £5.26 billion.

Despite the vast majority of small firms (93%) taking steps to protect their business from digital threats, two thirds (66%) have been a victim of cyber crime in the last two years. Over that period, those affected have been victims on four occasions on average, costing each business almost £3000 in total.

Cyber crime costs small businesses disproportionately more than big businesses when adjusted for organisational size.

Currently the responsibility largely falls on small businesses to protect themselves. FSB is calling for more support to be given to those smaller firms least able to bear the burden of the increasing global cyber threat.

Almost all (99%) of the UK’s 5.4 million small firms rate the internet as being highly important to their business, with two in three (66%) offering, or planning to offer, goods and services online. Without intervention, the growing sophistication of cyber attacks could stifle small business growth and in the worst cases close them down.

Mike Cherry, FSB National Chairman, said: “The digital economy is vital to small businesses – presenting a huge opportunity to reach new markets and customers – but these benefits are matched by the risk of opportunities for criminals to attack businesses.

“Small firms take their cyber security responsibility very seriously but often they are the least able to bear the cost of doing so. Smaller businesses have limited resources, time and expertise to deal with ever-evolving and increasing digital attacks. We’re calling on Government, larger businesses, individuals and providers to take part in a joint effort to tackle cyber crime and improve business resilience.”

The types of cyber crime most commonly affecting small businesses are phishing emails (49%), spear phishing emails (37%), and malware attacks (29%).

Small firms are also concerned about hacking and fraud when the card is not present, with the average information breach setting them back 2.2 days.

To combat this, four in five small firms (80%) use computer securing software, and well over half (53%) perform regular updates of their IT systems.

The FSB report also found room for small firms to improve security.

Currently just a quarter of smaller businesses (24%) have a strict password policy, four per cent have a written plan of what to do if attacked online, and just two per cent have a recognised security standard such as ISO27001 or the Government’s Cyber Essentials scheme.

Mike Cherry added: “Small firms are understandably focussed on building their businesses and creating the jobs which drive economic growth. The vulnerabilities of the digital world affects everyone and the responsibility for improving resilience should not be left to the group with least resource to do something about it.

Why are businesses ignoring cybercrime and cyber risks?

How can cyber security professionals help businesses to understand the cyber risks?

How can cyber security professionals help businesses to understand the cyber risks?

Business owners don’t like spending money on anything that doesn’t make them more money. Even insurance is a grudge purchase. I’m never fond of paying a high premium, but if there’s a risk that I could lose my livelihood and house if I fail to get the right insurance cover, then I accept that.

Mitigating cyber risk is exactly the same. If companies don’t do it, then they could go out of business.

But there’s definitely over-confidence in the space, and I often hear “well, it will never happen to us, we’ve just installed anti-virus on all of our laptops”.

So exactly how do you give the business that niggling feeling that encourages them to mitigate security risks? The reactive approach definitely isn’t the right way, demanding cash after something has happened to plug a hole.

The sales led approach isn’t the right way, where security suppliers force silver bullets down your throat and you end up buying something to help them meet their sales targets, regardless of how nice it makes your treasured server rack look.

It’s about taking a proactive stance, and dealing with cyber security before something happens; and being prepared to tell security suppliers where to stick their hardware if it doesn’t fit into your security programme.

I’ve never seen a business turn down a carefully prepared cyber security risk mitigation programme that fits the business. Fortunately, creating one is remarkably simple. Define scope. Carry out a security audit on said scope. Conduct a gap analysis, work out three costed options with pros and cons to address each gap, and present to the business.

But that still doesn’t mean the business will buy in. We’re missing that niggling feeling. Much as I dislike scare tactics, now would probably be a good time to think about them, with a short, sharp exercise that demonstrates to the business exactly what could go wrong in their cyber world.

Simulate a phishing email. It’s easy enough. Put an EICAR (European expert group for IT-security) malware test file on your CEO’s laptop. Take your CFO’s laptop away for an hour and simulate critical hardware theft. Leave a suspicious package in the mail room. Simulate a web server hack.

These exercises would take less than an hour of the board’s time and, while they won’t get the cheque book out, they will raise awareness over time. Throw in a few fire drills to keep their minds off cyber for a bit. Simulate a flood. The point being, over time, your business can become cyber-aware; and ultimately this loosens the purse strings and gets you that next hire and support for implementing change.

UK organisations not taking ransomware seriously

UK organisations are still not taking ransomware seriously enough and continue to fall prey to low cost, low risk cyber extortion.

UK organisations are still not taking ransomware seriously enough and continue to fall prey to low cost, low risk cyber extortion.Cyber criminals simply have to infect computer systems with malware designed to lock up critical data by encrypting it and demand ransom in return for the encryption keys.

The occurrence of ransomware attacks nearly doubled, up by 172%, in the first half of 2016 compared with the whole of 2015, according to a recent report by security firm Trend Micro.

Ransomware, the report said, is now a prevalent and pervasive threat, with variants designed to attack all levels of the network.

Ransomware is typically distributed through phishing emails designed to trick recipients into downloading the malware, or through app downloads and compromised websites.

The business model is proving extremely successful for cyber criminals, as many organisations are not prepared for it, and paying the ransom is often the best or only option open to them.

Two separate studies have revealed that universities and NHS trusts in England have been hit hard by ransomware in the past year.

A freedom of information request by security firm SentinelOne revealed that 23 of 58 UK universities polled were targeted by ransomware in the past year, but all claim not to have paid any ransom.

In a similar study by security firm NCC Group, 47% of NHS Trusts in England admitted they had been targeted, while one single trust said it had never been targeted, and the rest refused to comment on the grounds of patient confidentiality. Only one trust said it had contacted the police.

While ransomware writers were sometimes careless in the past so there was often a way to retrieve files,  that is seldom the case now, making preparation even more important.

Security firm Sophos has developed a whitepaper advising businesses on how to stay protected against ransomware.

Here are a list of best practices that businesses and public sector organisations should apply immediately to prevent falling victim to ransomware:

  • Backup regularly and keep a recent backup copy off-site
  • Do not enable macros in document attachments received via email
  • Be cautious about unsolicited attachments
  • Do not give users more login power than they need
  • Consider installing Microsoft Office viewers to see what documents look like without opening them in Word or Excel
  • Patch early, patch often because ransomware often relies on security bugs in popular applications
  • Keep informed about new security features added to your business applications
  • Open .JS files with Notepad by default to protect against JavaScript borne malware
  • Show files with their extensions because malware authors increasingly try to disguise the actual file extension to trick you into opening them

Small business risks cyber attack damage

Small businesses are underestimating the impact a cyber attack would have on their reputation and must take steps to protect themselves.

Small businesses are underestimating the impact a cyber attack would have on their reputation and must take steps to protect themselvesThe warnings come as a result of research published according to the findings of the Small Business Reputation and the Cyber Risk report, by the Government’s Cyber Streetwise campaign and KPMG.

Less than a quarter of small businesses cite cyber security as a top concern, but it’s of vital importance to consumers and within the supply chain.

The impact of a cyber attackbreach can be huge and long lasting, affecting brand, client retention and ability to win new business.

In the past few years there has been a rapid expansion in the development and adoption of new communications technologies which continue to transform Government, business and the ways in which we interact with each other. Cyber crime undermines confidence in our communications technology and online economy.

There were an estimated 5.1 million incidents of fraud and 2.5 million incidents falling under the Computer Misuse Act recorded last year (ONS, 2015). Add in recent high profile hacking cases and the issue of cyber security is now more important than ever.

Cyber Streetwise and KPMG surveyed 1,000 small businesses and 1,000 consumers across the UK to assess how small businesses feel about cyber security, how they are protecting themselves and the impact of a cyber breach on their reputation.

Key cyber security research findings:

  • Cyber security was cited as one of the top concerns by less than a quarter of small businesses (23%), yet it is fast becoming the only way to do business:
  • 83% of consumers surveyed are concerned about which businesses have access to their data and 58% said that a breach would discourage them from using a business in the future.

Recently published KPMG Supply Chain research supports this; 94% of procurement managers say that cyber security standards are important when awarding a project to an SME supplier and 86% would consider removing a supplier from their roster due to a breach.

UK small businesses value their reputation as one of their key assets. Yet they are hugely underestimating the likelihood of a cyber breach happening to them and its long term impact:

60% of small businesses surveyed have experienced a cyber breach, but only 29% of those who haven’t experienced a breach cited potential reputational damage as an ‘important’ consideration.

The impact of a cyber breach can be huge and long lasting. 89% of the small businesses surveyed who have experienced a breach said it impacted on their reputation.  Those who experienced a breach said the attack led to:
Brand damage (31%)
Loss of clients (30%)
Ability to win new business (29%)

Quality of service is also a risk. Those surveyed who experienced a cyber breach found it caused customer delays (26%) and impacted the business’ ability to operate (93%).

The full report was published at: https://home.kpmg.com/uk/en/home/insights/2016/02/small-business-reputation-and-the-cyber-risk.html

Cyber criminal activity by UK teens grows

More than 10% of UK teens say they know someone who has engaged in an illegal cyber activity, a survey has revealed.

More than 10% of UK teens say they know someone who has engaged in an illegal cyber activity, a survey has revealed.The survey was commissioned and published by security firm Kaspersky Lab to mark Safer Internet Day 2016 yesterday- which aims to promote the safe, responsible and positive use of digital technology for children and young people.

The survey also found that just over one third of respondents would be impressed if a friend hacked a bank’s website and replaced the homepage with a cartoon, and one in 10 would be impressed if a friend hacked the air traffic control systems of a local airport.

When asked how they would feel if a friend found their way into a celebrity’s online email account and discovered lots of private pictures, 18% said they would be impressed, and 17% would be impressed if a friend managed to obtain all the names and addresses of people who had bought adult films online.

More than a quarter of respondents said they knew how to hide their IP address, 41% said they knew about malware, 44% knew about phishing, 24% knew about distributed denial of service (DDoS) attacks, 17% knew about ransomware, and 13% knew about crypto-malware.

Recent research by the National Crime Agency (NCA) revealed the average age of a cyber criminal is now just 17, raising concern that youngsters are increasingly becoming involved in cyber crime, many of them unwittingly.

In the light of this finding, public awareness and understanding of the online behaviour of young people is vital, said David Emm, principal security researcher, Kaspersky Lab.

“It’s frighteningly easy for teenagers to find their way into the dark corners of the internet today as they explore and experiment or take their first steps towards making some easy money online by searching for tools and advice,” he said.

Once lured in, youngsters are vulnerable to exploitation by cyber criminals who use them to distribute and create malicious software or help launder funds from cyber crime, said Emm.

UK based criminals were the second highest originators of cyber crime attacks after the US in the second quarter, according to ThreatMetrix. Rising cyber crime suggests criminal law does not deter criminals and that a better legal solution is required to prevent further rises.

The survey also revealed misguided loyalty among teenagers. When asked what they would do if a friend was doing things online that could be illegal, more than half said they would tell the friend to stop, but would not tell anyone else.

One third said they would not get involved, 22% said they would ask about it but not join in, and only 21% said they would report it to the police.

The NCA recently launched a campaign aimed at preventing young people from becoming involved in cyber crime.

The Safer Internet Day 2016 campaign website provides guidance for parents and teachers on how to recognise signs of cyber criminal involvement and ways of encouraging the positive use of cyber skills.

Businesses warned to take action on Data Protection Day

This year Data Protection Day is warning businesses to do more to protect personal data.

This year Data Protection Day is warning businesses to do more to protect personal dataData Protection Day is an international holiday that occurs every January 28. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. It is currently observed in the United States, Canada, and 47 European countries.

Global businesses are re-evaluating their data privacy programmes this year as new privacy regulations targeted at businesses start to gather.

The European General Data Protection Regulation (GDPR), which is expected to come into force in 2018, provides for fines of up to 4% of annual global revenue or €20 million- whichever is greater for failing to safeguard data of EU citizens and residents.

However, despite the introduction of this legislation, many enterprises are still not doing enough to protect consumer data, according to security and privacy industry experts.

“Data privacy day is a great opportunity for organisations to re-evaluate their privacy programme,” said Tim Erlin, director of IT risk and security strategy for security firm Tripwire. “Privacy is often treated as part of larger security initiatives. While this approach addresses some key privacy issues, others may not get the attention they deserve.”

According to Erlin, the top five data privacy mistakes businesses make are:

  • Failure to keep only essential consumer data
  • Failure to encrypt customer data
  • Failure to secure access to data at all times
  • Failure to patch known vulnerabilities
  • Failure to monitor and control simple misconfigurations

Many organisations keep a lot of customer data in case they need it, he said, but it can easily become a major target for cyber attackers, and may not receive the same level of protection as business critical data.

The EU’s data protection rules will impact every entity that holds or uses European personal data both inside and outside of Europe.

More than two thirds of global companies expect EU data protection laws to dramatically increase costs of doing business in Europe.

Erlin said companies need to establish internal processes to keep data encrypted. “Leaving customer data unencrypted makes it much easier for attackers to grab.”

And while encrypting customer data is important, it must be decrypted for use in an application at some point, with attackers trying to compromise those applications so they can get to that data, Erlin warned.

Successful attacks are more likely to exploit vulnerabilities that are several years old if that gets them access to high value data. Patching systems isn’t glamorous but it’s essential to protecting data.

More than one of the security breaches that have been in the headlines recently has been the result of a misconfigured database or server, said Erlin. “If you’re not monitoring server configurations for change, you have a blind spot in your security that attackers can exploit.”

The UK’s Information Commissioner’s Office (ICO) has also highlighted the potentially devastating effect of reputational damage as a result of a personal data breach.

And it is not only the new privacy legislation in Europe and the US that is a factor. Lawrence Munro, European director at security firm Trustwave for Europe and Asia-Pacific, said the mounting number of breaches involving consumers’ financial and private data means that people are increasingly aware that their information is at risk, and much less willing to forgive businesses that betray their trust.

Munro said security professionals see “Password1” as the most common password year after year. “Such abysmal security presents an open door to hackers. Likewise, phishing scams over email and phone continue to trick droves of workers,” he said.

According to Munro, security in many organisations continues to be seen as a “box to be ticked” as cheaply as possible rather than an essential operation necessary for survival.

“Practices such as regular intensive network testing using real experts rather than occasional automated scans are crucial if businesses are to avoid the reputational and financial fallout of a breach this year,” he said.

Phishing cyber fraud up 21% reports police fraud unit

Cyber fraud linked to social engineering phishing attacks has increased by 21% in a year according to the City of London Police’s National Fraud Intelligence Bureau (NFIB).

Cyber fraud linked to social engineering phishing attacks has increased by 21% in a year according to the City of London Police’s National Fraud Intelligence Bureau (NFIB)Social engineering phishing is a non technical method of intrusion used by cyber criminals that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.

Typically, the aim is to trick people into malware laden email attachments or to divulge sensitive information that can be used to steal information and credentials to commit fraud.

The harvesting of account and login information is known as phishing and can happen through fake emails, phone calls, texts or social media posts.

Phishing attacks frequently involve piecing together information from various sources- such as social media and intercepted correspondence, to appear convincing and trustworthy.

The most common themes for contacting potential victims are an update to BT account details, an iTunes invoice and a tax refund.

Others themes include Tesco vouchers, Apple ID, accident injury claim, invoices, suspended bank and credit card accounts, and Sky services upgrades.

According to the government backed GetSafeOnline campaign, cyber criminals have become increasingly sophisticated in their attacks, with more than 95,500 phishing scams reported in the 12 months up to October 2015.

Research by GetSafeOnline reveals that 26% of victims of online crime have been scammed by these types of social engineering emails or phone calls.

According to the research, 29% of reported phishing emails contained a potentially malicious link that could infect a victim’s computer with malware, 17% requested a reply and 15% requested personal information.

The research notes that although the number of emails with malicious links is decreasing, requests for money transfers are on the rise.

In response to these findings, GetSafeOnline has launched an advertising campaign to warn of the dangers of social engineering, in partnership with Barclays, NatWest, Royal Bank of Scotland, Lloyds, Halifax, Bank of Scotland, City of London Police, anti-fraud organisation Cifas and Financial Fraud Action UK (FFAUK).

Phishing attacks are the most popular causes of data breaches in the enterprise. Phishing attacks on mobile devices are increasing as adoption of internet connected mobile devices and services grows.

Tony Neate, chief executive of GetSafeOnline, said social engineering is becoming ever more targeted and personal.

“What is worrying, however, is the complex nature of these scams and how they tap perfectly into feelings that make us panic,” he said. “If you get an email purporting to come from someone we trust, such as our bank, about something that is emotive to us all, like money, and then demand that we act urgently, it’s almost like the perfect storm.”

The newly launched advertising campaign aims to encourage people to think twice before they act and not to let panic override common sense.

The campaign highlights the importance of having strong passwords or pass codes to secure devices, and ensuring that all software and apps are up to date.

Research shows that email is the most popular channel for phishing, accounting for 77% of all reported incidents, followed by phone calls, making up 12% of incidents.