SMEs, Cyber Attacks, and Vulnerability

Reducing your risk to cyber threats

by Rasoul Amirzadeh

Cyber crimes can manifest in various areas of a business with long-standing effects and remain uncompensated. In contrast to many beliefs protecting a business from such attacks is not a very complex process. There are some simple, efficient, and affordable solutions that can help protect businesses and reduce the risk of cyber threats. 

Whether we read in the news that the director of the FBI puts tape over his laptop camera or we watch the ‘Shut Up and Dance’ episode of Black Mirror on Netflix, cyber crime is a very real and significant threat to all of us. Especially vulnerable are small and medium-sized enterprises (SMEs), who too often don't realise the breadth of exposure their business has to such malicious acts. The significance of cyber security is enormous. Contrary to belief, big corporations aren't the main target of hackers, scammers, phishers, etc. when chances are greater they'll be more successful infiltrating smaller businesses. Big or small, there are several simple approaches that can protect us from many online risks. This article briefly explains why cyber security is more important than we may imagine, why SMEs pay more cost and are more exposed to cyber attacks, and what businesses can do to limit their exposure to cyber harms.

At the organizational level, a cyber incident can manifest itself in a variety of ways:

• Physical harm: includes bodily injury or damage to physical assets (hardware, infrastructure, etc.)
• Psychological harm: includes depression or anxiety for instance, as a result of cyber bullying or cyber stalking.
• Cultural harm: best explained as an increase in social disruption. This type of harm represents a significant disruption to the social stability and cultural safety of a society, as described in University Oxford research paper: Cyber Harm: Concepts, Taxonomy and Measurement.¹
• Reputational harm: at organisational level reputational harm may result in customer loss, and at a personal level may cause disruption of personal life.
• Economic harm: manifests as financial loss.

Based on the Data Breach Investigations Report (DBIR), 43% of cyber attacks target SMEs, and only 14% of them are ready to protect themselves. According to the report by Hiscox, the average cost of a single cyber attack has tripled from USD4k to USD9k between 2018 and 2019 for a small business. In some cases it could be as high as USD200k. However, this is not the only cost of a cyber attack for an organisation. Research at the University of NSW (UNSW) business school is showing how directors are liable for cyber breaches in Australia and the risk of prosecution is more than their US counterparts. In Australia, although there is little authority at this stage for how regulators and courts will deal with the issue as it relates specifically to cyber risk, all directors and officers are responsible to ensure the appropriate risk management strategies are in place to protect the company and it shareholders.

The question here is why SMEs are the main target of cyber attacks. A simple analogy to consider, would it be easier for a thief to rob a diamond from a museum, or several shops with an open door at night. Basically, SMEs are the simplest target for hackers to exploit weaknesses instead of attempting to hack a secure and robust database. There are a couple of reasons why SMEs have poor cyber security.

• Being overconfident is one of the reasons. 85% of Australian SME owners believe they are safe as they have antivirus, the figures of cyber attacks show a different perspective though. Antivirus alone is not enough to protect an organisation from attacks.
• Another cause of poor cyber security in SMEs is that owners don't feel they have the time for understanding the complexities of security, or think it is a very resource-consuming subject, or it is difficult to implement a solid strategic plan for cyber security.
• The lack of staff awareness and knowledge regarding cyber security is another reason. Based on the IBM data breach report 2020, the increased amount of remote work, brought on by the recent pandemic, is a major security consideration. More than 70% of participants of a survey responded that remote work increases the cost of data breaches and they have concerns about it.

By all that’s mentioned above, it seems cyber security is a complex subject and it's pretty hard to achieve. Luckily, the good news is there are some simple measurements for understanding and implementing to avoid, or reduce the risk of the most common cyber security incidents. Some of the simplest and more applicable approaches for cyber threats are briefly introduced below with links to investigate further at the end of the article.

• In addition to antivirus software, implement Regular backups of business data, and Automatic updates of the operating system and software applications to protect against malware, or malicious access to the business' network.
• Be aware of phishing scams. They are not limited to just emails and are becoming more sophisticated. Be careful for Requests for money - especially if urgent or overdue, Bank account changes, Attachments, Requests to check or confirm login details. People also need to be careful of which browsers they use. According to Steve Spearman, Founder and Chief Security Consultant for Health Security Solutions, defending against these attacks requires a coordinated and layered approach to security:
   

  • Train employees to recognise phishing attacks to avoid clicking on malicious links. For example, if the domain of the link to which you are being directed doesn't match the purported company domain, then the link is a fake.
  • Many spam filters can be enabled to recognise and prevent emails from suspicious sources from ever reaching the inbox of employees.
  • Two factor authentication should be deployed to prevent hackers who have compromised a user's credentials from ever gaining access.

• Never pay for a ransom. Netflix's 'Shut up and Dance' episode is an excellent example of why ransom should not be paid. There is also no guarantee you won't be vulnerable to a second attack. Updating operating systems and software as well as regular backups are the approaches to cope with it.
• Mult-Factor Authentification (MFA) is one of the simplest but powerful tools to make it harder for criminals to attack a business. Two-factor authentification (2FA), such as a password and PIN is the most common type of MFA.
• Staff awareness training and regular testing is significant. Does your staff know about phishing? What would they do if a ransom happens to them? Do they have a secure strong password for the VPN at home? Employees need to be trained on security awareness so they are cognizant of the tactics of phisers, and understand the risks and how to avoid incidents.
• Access control allows business owners to decide who has access privileges, determine which roles require what access level, and enforce staff access control limits.

For more information on this subject, here are some informative websites:

https://www.cyber.gov.au/acsc/view-all-content/publications/small-business-cyber-security-guide

https://www.asbfeo.gov.au/resources-tools-centre/cyber-security

https://www.cisa.gov/national-cyber-security-awareness-month 

References and Sources
¹ Ref: Cyber Harm: Concepts, Taxonomy and Measurement, Ioannis Agrafiotis, Maria Bada, Paul Cornish, Sadie Creese, Michael Goldsmith, Eva Ignatuschtschenko, Taylor Roberts, David Upton, Saïd Business School Research Papers, University of Oxford, August 2016

Disclaimer
We are not responsible for views expressed on external links.

Image Credit
Teaser image 'Glowing Keyboard' by Philipp Katzenberger on Unsplash
‘Cyber Security' by Towfiqu barbhuiya on Unsplash