AAC Blog

Cyber security risks in smaller companies

Written by Daniel Coward | Mar 18, 2022 12:51:00 PM

From private individuals to huge corporations, anyone and anything is vulnerable to cyber attacks in today's fiercely competitive world of high tech. Small businesses are especially vulnerable and make easy targets, as they often lack the financial resources to fund the measures that would protect them.

The fact that a company is newly launched and not yet in profit will not always deter attackers from targeting as many devices, services and users as possible for their own personal gain. It also happens that, on occasion, employees, contractors and business associates who have access to private systems abuse that access to obtain private data unlawfully for their own gain.

When team members are not sufficiently educated about good security practices, mistakes can expose the company to hacking incidents. In addition, smaller businesses can occasionally, either unknowingly or under coercion, give larger corporations valuable information by providing unauthorised and illegal access to another business's internal operating environment. Another form of attack, known as the ransom (or ransomware) attack, can also be staged. In these cases, hackers threaten to publish highly personal or valuable data, or block access to data or a system by encrypting it, until the affected business pays a disproportionately large fee before a set deadline.

How often do SMEs get hacked?

In the past year, 47% of small businesses in the UK experienced a single cyber-attack and 44% experienced more than one, with the average cost of one such hack being between £15,000 and £200,000. A hack of that cost is often enough to fold a small enterprise. Contingency plans are essential in order to limit the damage done as the result of an attack. Hackers are becoming more skilled at exploiting the vulnerabilities associated with wireless networks and cloud-based storage systems. Many of these attacks go undetected for some time, resulting in catastrophic losses for companies, which as a consequence incur legal fees, compliance penalties, damage to earnings and irreparable damage to client relationships.

Steps to be taken to improve security

  • Back up your files routinely, more than once a week.
  • Run ongoing security checks to assess any weak areas in your systems or the software you use that hackers could easily exploit.
  • Use multi-factor authentication to stop fraudulent attempts at logging into your networks from succeeding.
  • Use anti-malware software, firewalls and encryption to protect your personal and financial information.
  • Keep your team as up to date as possible with relevant security and information governance processes. Invest today to protect tomorrow.

The most coercive targeted attacks are known as ‘phishing’ attempts. On occasion, businesses are so focused on warding off this type of attack that they miss less obvious kinds. Hacking attempts can happen at any time of the day or night, originating from anywhere in the world. Awareness is key. Be aware of ‘drive-by infections’: these occur when individuals unknowingly download malicious code to a computer or mobile device, leading to a cyberattack. In this instance, no deliberate download, click-through or email attachment is needed to infect a system, so identifying such hacks can be difficult.

Scanning Networks for Vulnerabilities and Exploitation

A vulnerability scan is an automated, high-level test that looks for known weaknesses exploited by attacks such as the following:

  • Brute force attacks. This technique aims to crack passwords, login credentials and encryption keys by trial and error.
  • Malware (‘mal’ as in ‘malicious’). Any hostile software built to infect, weaken or corrupt a device, service or network. Hackers often use it to isolate data that they can then use to blackmail users for financial gain.
  • Ransomware. A type of malicious attack that threatens to release individuals' data online or encrypt it unless the victim agrees to pay a ransom, the preferred currency usually being bitcoin.
  • Distributed denial of service (DDoS) attack. A deliberate attempt to disrupt the everyday stream of traffic to a specific server, service or network by overwhelming the targeted system with a huge amount of internet traffic.

How much should a small business spend on cybersecurity?

The impact of not protecting your business from cyberattacks is far more than simply financial. Damage to your reputation with existing clients, potential leads, investors and online audiences could quickly bring your business to a halt and undermine customers' confidence. Experts suggest that around 3% of a company’s annual income should be invested in cybersecurity to protect it from cyberattacks and the potentially ruinous consequences associated with them.

Can ISO 27001 protect small businesses from cyberattacks?

ISO 27001 sends a clear signal to online predators that cybersecurity is an absolute priority for the business. An Information Security Management System (ISMS) prioritises the integrity of the business's data and its reliable availability to the business. ISO 27001 offers a systematic, risk-based approach that incorporates organisational processes and information governance to help address vulnerability to hacking and other forms of cyberattack.

The main benefits of ISO 27001 for small businesses

  • Safeguards information and refines security processes.
  • Creates a bond that offers reliability, honesty and reassurance.
  • Provides a unique selling point for a business.
  • Observes and adheres to legal regulations, such as GDPR.
  • Assists in the conceptualisation and implementation of new systems and processes.
  • Minimises additional customer security audit requirements.