Jeremy Hendy, CEO of Skurio, the digital risk protection specialist, highlights the cyber threats facing small businesses and outlines the steps they should take to mitigate risk
Small businesses are prime targets for today’s cybercriminals. In 2021, 39% of small businesses and 65% of medium-sized businesses reported breaches or attacks to their systems, according to research from the Department of Digital, Culture, Media and Sport.
You may think your business will be one of the lucky ones or that it is too small to interest cybercriminals, compared to the public sector organisations and global corporations that make the headlines, but statistics show the dangers of this approach.
Figures published by Hiscox, the business insurer, reveal that small businesses are the target of 65,000 attempted cyber-attacks every day. And while most attempts fail, a small business in the UK is successfully hacked every 19 seconds. In Hiscox’s recent Cyber Readiness Report 2021, one in six businesses admitted they ‘almost went under’. Statistics from the UK Government’s Cyber Security Breaches Survey reveal that the average cost of all cyber breaches for businesses is £8,460.
Cybercrime isn’t simply a technological inconvenience; it has the potential to cause financial and reputational damage.
The pressure of remote working during the pandemic has made cyber security harder to manage for businesses of all sizes. Many small business owners who adopted new applications and cloud services and introduced or extended their use of Virtual Private Network access over the last two years are now continuing to work remotely or adopting hybrid working patterns, so it is critical their cybersecurity processes are in place and strengthened.
Know your enemy
Before I highlight the top threats facing small businesses and what steps you can take to mitigate risk, it’s important to present a picture of ‘the enemy’.
Banish the stereotype of a hacker or cybercriminal that you may have seen on memes or on social media, that of a twenty-something man in a hoodie, hunched over a computer in an attic. Cybercrime and fraud are big business and one of the fastest-growing sectors in the UK.
While criminal operations are well funded and have access to advanced technology to help them automate, accelerate and escalate their attacks, there are also individuals turning to cybercrime as an alternative to other sources of illicit income, such as drug dealing. With kits and tools widely available, it’s easy for these ‘Day Scammers’ to get up and running – and these operators are more likely to target small businesses and individuals. They could even be lurking within your own company.
To avoid being caught on the back foot, businesses should think more like a poacher than a gamekeeper and understand how an attacker exposes vulnerabilities and why. Financial gain remains the primary motivation, but reputation and status are also drivers. Just as high-profile figures and celebrities seek column inches in the media to raise their profile, so cybercriminals look to gain credibility and kudos through their acquisition of data, which they then trade on the Dark Web to build their ‘star’ status.
So what are some of the threats that businesses need to be aware of in 2022?
- The Dark Web. There is still a mystique about the Dark Web and outdated perceptions about what goes on in this murky digital world – that it is simply a marketplace for guns, drugs and pornography. In fact, customer and company data, personal profiling information and passwords are becoming highly sought-after goods on Dark Web forums.
- Double-dipping ransomware. Beware of double-dipping ransomware attacks where hackers threaten businesses with exposing data on the Dark Web if financial demands aren’t met. Businesses that do pay up might still find that their data is sold or shared regardless of their payment, and any business that has paid up is more likely to be a future target. Strong data encryption is no defence here either, as criminals are prepared to play the long game. Some gamble that advances in quantum computing will help them extract data at some point in the future in a ‘steal now, hack later’ approach.
- Typosquatting. Malicious domains and ‘typosquatting’ techniques are on the rise. In these attacks, cybercriminals use malicious URLs to trick consumers into believing they’re in contact with a genuine brand or organisation before stealing their data, infecting them with malware or convincing them to buy fake goods and services. They register a name that looks similar to a genuine brand, with a small change that could be as simple as inserting a hyphen, changing yourbrand.com to your-brand.com for example.
- Third-party breaches. We have inevitably seen an increase in third-party breaches due to today’s more complex digital supply chains. Data security and privacy regulations, such as the GDPR, specifically state that data controllers are ultimately responsible for any data that has been shared with others, meaning they could still face fines in the event of a third-party breach.
Top cyber management tips
Being aware of and sensitive to the dangers outlined above and developing a security-first mindset is only a starting point. To really get ahead of the cybercriminals you should take the following practical steps.
- Make sure you have a robust cybersecurity strategy in place.
- All staff should receive regular cyber awareness training.
- Your business may be too small to justify a full-time cyber specialist, but make sure someone is responsible for cybersecurity or look to outsource your requirements. Managed security service providers recognise that small businesses don’t have huge budgets and can provide cost-effective solutions.
- Remote working offers many benefits but increases digital risk. You can lower this risk by employing a ‘least privilege’ access policy and introducing a robust backup and disaster recovery plan.
- Employees and contractors should have strong, unique password logins for different accounts, ideally using a password management tool.
- Take out some form of cyber insurance and undertake regular security risk assessments.
- Timely updates of security patches on computers are becoming even more crucial to protect systems. This is one of the most efficient and cost-effective steps an organisation can take to minimise its exposure to cybersecurity threats.
Take control of threats on the Dark Web
- Introduce a Dark Web monitoring service through a managed service provider or specialist solution. This will alert you if your data is offered for sale or your business is mentioned by hackers or ransomware gangs. Using an automated tool is the safest, most efficient way to do this. Manual research requires skilled and experienced staff if you want to avoid the dangers of detection by criminals or inadvertent downloading of malware.
Malicious Domain Names
- Be proactive in identifying fraudulent web addresses that mimic your corporate sites. Make sure your IT staff look for ways to identify suspicious domain registrations and provide immediate alerts. If a suspicious domain is identified, you will need to establish whether a website or mail service has been set up. The domain can be used for phishing campaigns even if no site is present. Takedowns can be a challenge because scammers can use GDPR to retain anonymity and removals require justification, typically trademark/copyright infringement or evidence of illegal activity. Using a specialist service is often advisable. Critically, this is about customer protection and reputation management.
- Early breach detection is critical when you use third-party suppliers. When you share your customers’ data with a supplier and they share it with theirs, it remains your company’s responsibility. You should continuously monitor for your data appearing outside your company’s network.
- Ensure third-party network access is restricted to the absolute minimum necessary for their role, which will minimise the damage an attacker can do by compromising them. Strict processes should be in place around sending any kind of sensitive files outside the network to reduce the risk of copied datasets being leaked.
- Take control. One of the most effective methods here is to tag datasets with a type of digital watermarking known as a ‘breachmarker’. This takes the form of a unique, synthetic identity placed into a dataset among thousands of real people. Because it doesn’t exist elsewhere, you will know for certain that you’ve been breached if it ever shows up.
Continuous, automated monitoring can be deployed to constantly scan for this marker in open and closed web sources. If a threat actor posts the dataset for sale on a dark web forum or dumps it on a Pastebin site, the monitoring system will detect it and your company – the data custodian – will know exactly which dataset is compromised and can swiftly and accurately notify those involved and take steps to have the data taken down.
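The breachmarker idea above can be sketched in a few lines. This is an added example, not code from Skurio or the article; the secret key, the `marker.example` domain, the supplier names and the sample paste are all constructed assumptions. It derives a different synthetic identity for each shared copy of a dataset, so a hit in scraped text also tells you which copy leaked.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"   # assumption: a key held only by the data owner
MARKER_DOMAIN = "marker.example"   # assumption: a mail domain you control

def make_breachmarker(dataset_id):
    """Derive a unique synthetic identity for one shared copy of a dataset."""
    tag = hmac.new(SECRET, dataset_id.encode(), hashlib.sha256).hexdigest()[:12]
    return {"name": "Robin Ashdown",
            "email": f"robin.ashdown.{tag}@{MARKER_DOMAIN}"}

def seed(records, dataset_id):
    """Return a copy of records with the marker at a dataset-dependent position."""
    digest = hashlib.sha256(dataset_id.encode()).hexdigest()
    pos = int(digest, 16) % (len(records) + 1)
    return records[:pos] + [make_breachmarker(dataset_id)] + records[pos:]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")

def find_breached_datasets(text, dataset_ids):
    """Return the ids of dataset copies whose marker email appears in text."""
    seen = {m.lower().rstrip(".") for m in EMAIL_RE.findall(text)}
    return [d for d in dataset_ids if make_breachmarker(d)["email"] in seen]

def demo():
    # Constructed customer list and two supplier copies, each with its own marker.
    customers = [{"name": f"Customer {i}", "email": f"customer{i}@shop.example"}
                 for i in range(1, 6)]
    copies = {sid: seed(customers, sid) for sid in ("supplier-a", "supplier-b")}
    # Constructed paste: supplier-b's copy dumped as "name,EMAIL" lines.
    paste = "\n".join(f"{r['name']},{r['email'].upper()}"
                      for r in copies["supplier-b"])
    return find_breached_datasets(paste, list(copies))

if __name__ == "__main__":
    print("Compromised copies:", demo())
```

Because the marker is derived from the key and the dataset id, the monitor needs no stored list of markers, only the key and the ids of the copies that were shared.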
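For the malicious-domain advice earlier in the article (the `yourbrand.com` to `your-brand.com` pattern and the call to spot suspicious registrations), the following added example, which is not from the article, generates common lookalike variants of a brand domain and checks a feed of new registrations against them. The substitution table, the extra TLD list and the feed entries are constructed assumptions, and the variant rules go beyond the single hyphen case the article mentions.

```python
# Assumed, deliberately small substitution table and TLD list for the example.
HOMOGLYPHS = {"o": ("0",), "l": ("1", "i"), "i": ("1", "l"),
              "m": ("rn",), "a": ("4",), "e": ("3",)}
EXTRA_TLDS = ("com", "net", "org", "co")

def lookalikes(domain):
    """Return lookalike domains for a brand domain such as yourbrand.com."""
    name, _, tld = domain.lower().partition(".")
    variants = {name}                          # kept so TLD swaps are covered
    for i in range(1, len(name)):
        variants.add(name[:i] + "-" + name[i:])                    # your-brand
        variants.add(name[:i - 1] + name[i] + name[i - 1] + name[i + 1:])  # swap
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])                      # omission
        variants.add(name[:i] + ch + name[i:])                     # doubled letter
        for sub in HOMOGLYPHS.get(ch, ()):
            variants.add(name[:i] + sub + name[i + 1:])            # homoglyph
    variants.discard("")
    tlds = set(EXTRA_TLDS) | {tld}
    return {f"{v}.{t}" for v in variants for t in tlds} - {domain.lower()}

def flag_registrations(brand_domain, feed):
    """Return feed entries (normalised) that match a lookalike of the brand."""
    candidates = lookalikes(brand_domain)
    hits = []
    for entry in feed:
        norm = entry.strip().lower().rstrip(".")
        if norm in candidates:
            hits.append(norm)
    return hits

# Constructed feed standing in for whatever new-registration source you monitor.
SAMPLE_FEED = ["your-brand.com", "gardenshed.example", "yourbrand.net",
               "Y0URBRAND.com", "yourbrnad.co"]

if __name__ == "__main__":
    for hit in flag_registrations("yourbrand.com", SAMPLE_FEED):
        print("review:", hit)
```

Each hit is a candidate for the follow-up the article describes: establishing whether a website or mail service has been set up on the domain.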