According to latest figures from the Department for Digital, Culture, Media and Sport the number of businesses that suffered a cyber attack or breach in the last year fell from 43% to 32%. For small businesses the drop was from 47% to 40%1.
The findings from the Cyber Security Breaches Survey 2019 suggest one of the main reasons for the drop is that businesses are becoming more cyber secure following the introduction of GDPR legislation – which can result in heavy fines in the case of a breach.
But there are also worrying trends. For micro and small businesses that have suffered breaches, the average number of days to deal with these has jumped from 1.9 to 2.9, and the average cost has risen from £2,310 to £3,6501.
Chris Lennon of Stackhouse Poland, an insurance broker shortlisted for the Cyber Broker of the Year award in 2018, is concerned about complacency: “When we talk to our SME customers, we often find they don’t consider themselves to be a primary target for cyber criminals, thinking it is mainly a ‘big business’ problem. But that couldn’t be further from reality.”
Larger businesses spend a lot more money on cyber risks, he explains, and they have removed a lot of the easy-wins for cyber criminals, who are increasingly focusing their sights on SMEs.
The survey shows that by far the most common type of breach or attack is due to ‘phishing’ (fraudulent emails or being directed to fraudulent websites). Among organisations suffering a breach, 80% have experienced phishing attacks1.
Gareth Davies, senior lecturer in cyber security in the Faculty of Computing, Engineering and Science at the University of South Wales, spends half of his time working with law enforcement agencies and private companies on cyber security. He says: “The trend is away from sending out a standard email to thousands of random people, and towards very targeted attacks, such as ‘spear-phishing’ or ‘whaling’.”
Spear-phishing is when hackers target a specific individual, often by impersonating another person or organisation. They will conduct in-depth research to make their impersonation credible – gathering names and job titles, details of projects being worked on, and the exact format of company emails. Then, an email will be crafted to a target who is likely to believe it is genuine (for example, someone who has previously corresponded with the person being impersonated, with the email perhaps referring to a current project being worked on), and tempt him or her to click on a malicious link.
Whaling involves targeting a very senior person in an organisation, often the CEO. Because their devices or areas of network access are likely to hold the most sensitive and valuable data, they are lucrative targets. They are also seen as soft targets, because CEOs sometimes lack in-depth technical knowledge, are very busy, and have to deal with a large number of emails very quickly – often making them less proficient in spotting a phishing email.
Gareth also warns of ‘homoglyph attacks’, which are on the rise. This involves a fraudulent email being sent from an address that mimics a genuine one, by replacing a single character with a near-identical Unicode character, for example pɑypal.com versus paypal.com (look carefully).
After phishing and impersonation, the most common causes of breach or attack are viruses, spyware or malware; and ransomware1. Chris says these hacking tools are being sold on the dark web and are applied on an industrial scale: “Today, a hacker is not someone wearing a hoodie, sitting at home trying to work out what your password is. Sophisticated criminals are using sophisticated algorithms to continually fire billions of permutations of passwords at your server.”
If SMEs want to make sure they are following best practice, Gareth says the best starting point is to go through the ‘Cyber Essentials’ certification programme run by the National Cyber Security Centre. For £300, a business’s security and resilience to cyber crime will be tested, recommendations made, and a certificate issued once the business is compliant2.
He believes implementing the recommendations often costs less than £1,000 for smaller businesses. The certificate covers the technical aspects of cyber security (how to secure devices, the use of firewalls and anti-virus software), as well as the human aspects, such as staff training (awareness of phishing techniques, understanding cyber-risks, what to look out for).
Businesses should also consider cyber insurance, which is purchased by only 11% of businesses in the UK1. Chris says that most of these are larger businesses. Very few SMEs purchase cyber insurance. Good policies will cover loss of revenue (for example, if an on-line shop is unable to operate), the costs of fixing the breach, and perhaps more importantly, access to a suite of response services, paid for and arranged by the insurer – such as forensic IT, public relations, and legal services.
Chris says: “Think of a cyber policy as a sprinkler. Like a sprinkler won’t stop a fire starting, a policy won’t prevent a hack. But it will help to minimise the damage.”
Businesses can speak to their St. James’s Place Partner to find out how to protect themselves against cyber risks.
1. CyberSecurity Breaches Survey 2019; Department for Digital, Culture, Media and Sport
2. Cyber Essential Online, May 2019