It’s rare for even a few weeks to pass without a major corporate IT security disaster hitting the news. Understandably, it’s the big names which make the headlines, either due to the impact on their customers who’ve had their data stolen, or because it’s a high-tech company which ‘ought to have known better’.
But behind the scandalous headlines there’s a less visible, but arguably more serious, problem – the effect of cyber crime on small businesses.
The painful truth
A recent study by the Federation of Small Businesses offers some truly worrying statistics. A massive 66 per cent of small businesses have fallen victim to cyber crime, with an average of one attack every 6 months. The annual cost to small businesses totalled £5.26 billion (2014-2015).
It’s easy to see how this situation emerged – small businesses are reliant upon IT, but often lack both the funds and the awareness to meet modern cyber security standards.
Outside of dedicated tech start-ups, the IT setup for small businesses tends to evolve in a haphazard fashion, rather than being strategically planned. Money is tight, so is spent on enabling growth, not on contingencies for what are perceived to be distant threats.
Hackers’ behaviour is fairly consistent. First, they find a weakness in the target system’s outer shell, and use it to gain entry. Once inside, they hunt around for any particularly juicy bits of data such as login credentials which let them propagate their attack and access a greater portion of the system. Finally, having gained the required level of access, they unleash the real attack – data theft, installation of malware / ransomware, deliberate damage, or all of the above.
From our observations of how hackers operate, we can see that IT security needs to be holistic – a robust ‘outer wall’, with solid defences throughout to stop an attack in its tracks. Clearly, a ‘patchwork’ IT system is vulnerable at every level.
Indeed, the most common reported type of cyber crime, affecting 76 per cent of victims, was ‘phishing’ – fraudulent emails which obtain personal or financial data from victims. This represents an easy breach of the security outer shell, and rather suggests a lack of fundamental security awareness amongst employees of small businesses.
Whose fault is it?
An IT security breach has short and long term ramifications. After the initial time and money lost due to business disruption, there is reputational damage which can be much harder to recover from. Finally, the damage and disruption ‘ripples’ beyond the victim itself to the rest of the supply chain.
On the one hand, it could be argued that it’s each business’s responsibility to look after its own turf. However, SMEs are vital to the UK economy – 15.6 million total employees (60 per cent of the entire private sector), and annual turnover of £1.8 trillion (47 per cent of total private sector turnover). This would rather suggest that the Government should be taking a keen interest in threats to the SME sector. Alas, the official response is somewhat muted.
On Gov.uk, the UK Government’s information portal, I explored the ‘Business and self-employed’ section. There’s plenty of financial information – debt, bankruptcy, tax, employee benefits – along with sector-specific information for farming, energy, manufacturing, maritime, and scientific research businesses. The only cursory nod to IT security is an apparent afterthought: ‘Sale of goods and services and data protection’, which lacks any practical IT-related information. The sections dedicated to starting a business also fail to say anything about IT security.
This lack of emphasis on cyber security is reflected in the statistics regarding small business’s IT resilience measures:
80 per cent use computer security software – so 20 per cent have no defences at all
61 per cent performed regular backups – so 39 per cent could easily lose all their current data following a single incident
Only 20 per cent trained staff in good IT security practices – human error can easily invalidate any technical security measures, no matter how sophisticated
Only 5 per cent sourced advice from the Government’s IT security schemes: ‘Cyber Streetwise’ and ‘Get Safe Online’
Only 4 per cent had a written contingency plan with concrete action following a cyber attack
This all suggests that the Government could, and indeed should, do more to raise awareness of both vital IT security measures, and their existing schemes, amongst small businesses.
Increasing awareness isn’t enough
A cyber attack doesn’t just affect the intended target. On a technical level, DDoS (Distributed Denial of Service) attacks, where the target’s web server is flooded with traffic so that it is unable to serve genuine users, can cause collateral damage by bringing down other sites on the same server, or sharing the same network connection. Also, a security breach within one company’s network can serve as the entry point for a hacker to gain access to suppliers’ networks.
But more broadly, businesses do not exist in isolation – they are mutually dependent entities within highly interconnected supply chains. Damage to one entity necessarily cascades to the others.
A holistic approach, considering all individual IT networks and the links between them, is required for comprehensive end-to-end security. Here, Government needs to play a greater role in ensuring that those entities within the chain who possess the greatest security resources – the large businesses, and the Internet Service Providers – help those without the technical resources or knowledge to strengthen their defences. That way, everybody wins (except the hackers!).
A touch of pragmatism
Sounds great in theory, but what about in practice? How can Government act as a facilitator of ‘holistic security’? The law enforcement processes relating to cyber crime are still immature, and it is difficult to identify and prosecute those responsible.
The resultant risk-reward ratio for cyber criminals is consequently a little too favourable. More prosecutions would provide a disincentive for aspiring cyber criminals, as well as achieving the goal of greater awareness of the threat.
Regulation is a tricky area – given that lack of resources is a key driver of poor IT security for small businesses, imposing more red tape on them would be counterproductive. Taxation as an ‘incentivisation tool’ shares the same problem. Carrot rather than stick seems more appropriate, and there is in fact the current Innovation Vouchers scheme for cyber security. However, this is currently limited to the purchase of consultancy, so its broadening to include the purchase of security hardware and software would be a positive step.
One area where the Government is taking positive steps is apprenticeships. The launch of two cyber security focused apprenticeships – Cyber Intrusion Analyst & Cyber Security Technologist – is a fantastic avenue for small businesses to fund the training of new or existing staff. Especially important as the industry itself faces a widening cyber security skills gap.
The Government has made available a huge pot of funding. With small businesses able to access a maximum contribution reaching £18,000, when they themselves contribute £9,000. Additional incentives include £5,400 for 16-18 year old and £2700 for successful completion. There is also a small businesses (less than 50 employees) only benefit offering and additional incentive of £2,700. All in all, small businesses could access up to £28,800 per apprentice to invest in cyber security training.
In short, there is no easy solution and no quick wins. The best, and perhaps only, chance for small businesses to beat the threat of cyber attacks once and for all is a paradigm shift amongst both the private and public sectors, to regard IT security as a collective responsibility.