Small firms are easy target for cyber crime, says hacker

I was recently asked to contribute to a BBC article on the risks of cyber crime for small businesses. The article features quotes from a hacker who admits that small businesses are ‘fair game’.

You can find the full article on the BBC Business News site here – Small firms are ‘easy target’ for cyber crime.

The BBC article is right to highlight the dangers to small firms as well as large. Research from Symantec shows that since the beginning of 2010, 40% of all targeted attacks have been directed at small and medium-sized businesses, compared to only 28% directed at large companies. Worrying statistics. If you run a small business, here are answers to some of the questions you might well be asking:

Question: Where are the key flash points for small firms in terms of technology security?

Answer: The consumerisation of IT, bringing your own device (BYOD) to work, the cloud and the rise of social media are the things small businesses should be concerned about. Yes, smartphones and tablets make life easier (and they’re cool), and allowing your staff to bring in their own devices for work purposes, along with cloud-based services, makes doing business cheaper, but there is a downside if your company has valuable information stored on these devices. Social media brings opportunities for business but also risks. There are no easy answers to balancing the need for efficiency against securing valuable data. It’s all about risk, and business leaders need to think through what is acceptable in the context of their business operations.

Question: Who is likely to attack businesses and why?

Answer: High-value information is what an attacker will be looking for, but what constitutes ‘high value’ depends upon the business and the attacker. The Cost of Cyber Crime, a report by Detica and the Office of Cyber Security and Information Assurance, identified the cost of IP theft and industrial espionage at £17Bn per annum for the UK, so any small company working at the cutting edge of technology is certainly a target for cyber criminals who will profit from stealing new ideas.

But it’s not just the techie SMEs that need to be concerned: companies processing people’s credit or debit card details need to protect the processing and transit of that data within their network. Credit card fraud is down again this year, but it’s unlikely that the cyber criminals will stop attacking, as obtaining and selling on card details from poorly protected companies is relatively easy work.

At the end of the day, whilst there is little understanding of cyber crime and cyber attacks among the majority of the population, cyber criminals will exploit this and cyber crime will continue.

Question: What impact do such attacks have?

Answer: In the main, an attack impacts a company’s finances or reputation. A small start-up technology firm that has its ‘about to be patented’ design stolen could go bust almost immediately. The mature company that trades on innovation may see a reduction in sales over a longer period of time. In between these extremes there are a myriad of scenarios, but in general the impact is to the financial standing of a company.

Diginotar, the Dutch-based certificate issuing authority, went bust as a direct result of their information loss; as an IT company involved with ‘security’, Diginotar’s reputation was irreparably damaged by the incident. But not all companies suffer catastrophic impacts: TKMaxx’s share price was not affected at all when they had 100,000s of card details stolen, but that was a few years ago. There is ever more awareness of cyber crime, and people may be less forgiving of large companies being victims of cyber-based attacks. The network attacks on Sony PlayStation and RSA both cost significant amounts to rectify, but their long-term future was not in jeopardy.

“The UK is pushing for a knowledge-based economy; keeping hold of that knowledge becomes paramount if we are to succeed in the global economy.”

Question: What steps should small firms be taking to protect themselves?

Answer: This falls into two categories: understand what and where your valuable data is, and then do something to protect it. When protecting your data, if nothing else, do the basics. Passwords, patching, anti-malware, access, admin rights, firewalls, and encryption – basic security controls can prevent 80% of all cyber attacks.

See our previous article – Protect your systems from cyber threat with seven basic security controls.


Article by Dave James, MD of Ascentor.
