The rate of targeted attacks on big businesses has fallen as cybercriminals shift their focus to smaller businesses, according to the June 2012 Symantec Intelligence Report. The research showed that while targeted attacks on SMEs rose from 11% in December 2011 to 36% now, attacks on large enterprises are falling.
We take a look at the top cyber threats facing SMEs in the UK:
Phishing and Spear-Phishing
You receive an email from the HR department at work inviting you to download the latest rules and regulations. It has the company logo, the names of all of the right people and seems legit. Do you download the attachment or click the link?
This is how phishing and spear-phishing work. Cybercriminals harvest email addresses and company information and use them in spam emails that trick the recipient into believing the message comes from a trusted source, in order to extract even more information.
The latest Symantec research reports that one in around 467 emails was identified as ‘phishing’ globally. In the UK this rose to one in around 286.
Phishers can use highly targeted falsified emails either to encourage you to open a document or click a link, which then downloads malware onto your system (usually without your knowledge), or to request information that they can then use for nefarious ends.
How to protect against it? One of the key things to remember is that legitimate organisations, including your own, will not ask for sensitive information over email – for example, your bank will not send an email asking you to verify your account number and sort code. If such requests do land in your inbox, alarm bells should ring and no information should be sent.
Spreading this message throughout the company is the key factor in security. As we know from the Dropbox vulnerability, one weak link – such as an employee recycling a password – can lead to a big vulnerability across the company.
A security policy should outline best practice for your employees, with the key message being “If in doubt, don’t click!”
Bring your own device (BYOD)
Bring your own device policies may seem like a cost-effective way for small businesses and their employees to have the latest technology and tailored usability, but what about the risks?
More than 95% of SMEs already allow personal devices to connect to internal systems, but few are fully considering the risks. Personal devices are not locked down by the company so could be infected with malware that could then infect your network, or could be used to download databases full of sensitive company data. Further risk comes in the form of overloaded networks – is your infrastructure ready for the extra capacity needed to cope with devices connecting via wireless, wired, VPN and WAN?
How to protect against it? The risks associated with BYOD can be reduced dramatically with proper planning. Establish the demands that will be placed on the network and have a plan of action ready. Design a ‘code of conduct’ for employees, ensure that they have appropriate malware and spyware protection on the device, and lock down the areas of the network that you do not want accessible to these devices.
The internal threat
As smaller businesses have fewer resources to invest in in-house IT expertise, the risks posed by employees rise. A lack of cyber security awareness can lead to team members connecting an infected USB device that then infects the internal network without anyone realising, or clicking a link within an email that installs spyware onto the system, allowing hackers to track every move made on the computer or even across the network.
And then there is the threat posed by disgruntled employees who may maliciously infect a system, or download full databases of data onto a USB drive or smartphone to share elsewhere.
The internal threat is the biggest cyber threat faced by small companies that do not educate their employees on the importance of safe and secure computing.
How to protect against it? Hold regular training sessions to educate the team on best practice – simple ‘what to do and what not to do’ training to drive the message home. A checklist of how to stay safe online is a simple way to give employees a basic set of rules that protect your business.
What small businesses must also be aware of is the threat that they pose to the bigger businesses they work with. Hackers are increasingly targeting SMEs that present a vulnerability and a ‘way in’ to big corporations.
For example, a small firm may have its email hacked, handing cybercriminals details of the large enterprises it supplies, who the large company’s contact is and what they buy. This information can then be used in spear-phishing attacks on the big businesses.
This is just one example of how hackers can use small businesses as a stepping stone to attack large businesses that have greater resources to steal.