Posted on: 02 February 2017
What Small Businesses Need to Know
Every week there are news headlines about severe security breaches, international cyber disputes and devastating company hacks. In 2016, some of the world’s largest organisations were hoodwinked by hackers. Cyber criminals have penetrated the ‘impenetrable,’ from the National Security Agency to the FBI, and made light work of hacking some of the world’s most intelligent computer systems.
With most small businesses’ online security systems paling in comparison, it begs the question: how do small organisations protect themselves from the growth of cybercrime?
We have turned to some of the sector’s leading experts to help answer this question. From cutting-edge hacking techniques to sneaky cyber-scams, the experts have outlined the precautions businesses need to take in 2017.
The top 3 cybercrimes to watch out for in 2017
1. Ransomware
Seven out of eight experts on the panel confirmed that ransomware was one of the most common cybercrimes in 2016. Ransomware is malicious software designed to block access to a computer system until a sum of money is paid. It is most often delivered via phishing and spear-phishing emails (see number 3). Increasingly, ransom payments are requested via bitcoin: an untraceable online currency.
James Scriven, Support Engineer at DMC Software, describes how this type of cyberattack taunts victims:
“This is software that literally holds the user to ransom by encrypting files on their machine, before dangling the encryption key before them as an incentive to splash out large sums of money”.
In recent years, ransomware threats have proliferated. From credential-stealing modules like the one known as CryptXXX to “aggressive” file encryptors such as Locky, the various forms of ransomware demonstrate present-day cyber criminals’ agility, inventiveness and persistence when it comes to stealing data.
Stephen Wright, General Manager at Cyber Skills Centre, predicts the threat posed by ransomware will only get worse:
“Recently, the most prevalent and newsworthy attacks have been ransomware-based. In the coming 12 months, these will likely have greater sophistication and possibly move to also targeting households, individuals, and mobile devices”.
Another cyber security expert, Dr Jessica Barker, is at pains to point out that victims’ co-operation does not ensure that files or personal details will be returned safely:
“Payment of the ransom does not guarantee the files will actually be unencrypted, and can actually identify you as a target for future attacks and unfortunately only encourages proliferation of the crime”.
2. Internet of Things (IoT) attacks
The recent success of Amazon Echo and Google Home has confirmed what experts have long predicted: the Internet of Things (IoT) is the future for technology in the home.
The Internet of Things is the concept that any device with an on-off switch can be connected to the internet, from our headphones to our washing machines. However, as the IoT grows and the number of connected devices increases, experts expect that hacking activity related to the IoT will escalate.
Nicola Whiting, Chief Operations Officer at online security software company Titania.com, explains:
“It is predicted that 96% of senior business leaders will be using IoT by 2020 and, at the moment, this is one of the weakest areas in terms of security. IoT devices have no methods for patching vulnerabilities or controlling privileges, so they can be easily compromised by basic hacking techniques”.
Nicola explains that, due to these vulnerabilities, IoT devices all over the world are susceptible to being hacked and used en masse in Distributed Denial of Service (DDoS) attacks, in which huge numbers of individual systems (usually hijacked) flood a website with traffic, causing its servers to collapse.
In October 2016, IoT devices were infected with malware and used in a DDoS attack that caused a widespread internet outage across the world.
“Regulation will need to catch up with technology, and it’s likely that minimum safety standards will eventually be introduced. For now, IoT devices pose a large threat to the security of businesses and consumers looking to use them, and should be approached with caution”.
James Scriven warns hacking could even extend to our kitchen appliances:
“Even appliances like microwaves and fridges can connect to the internet to perform various tasks for the owner. These devices are not immune to being hacked and many of them are insecure”.
3. Phishing and spear-phishing
Have you ever received an email from what seems like a trusted source asking you to download an attachment or click a link? If so, it is possible the sender was a cyber-criminal attempting to infect your computer with malware. As Dr Jessica Barker explains, this is a common technique used by hackers:
“These emails look like they come from a legitimate source, for example a trusted institution, colleague or friend. They are tailored to the recipient and some appear very convincing and sophisticated”.
“In 2017 we will see a continued rise of spear-phishing emails. Many of these will focus on so-called ‘CEO Fraud,’ in which a member of the finance department receives an email that appears to come from the CEO, requesting an immediate transfer of funds to a bank account, the details of which are included in the email.”
This technique is so effective that it was used by thieves who stole $46.7 million from Ubiquiti Networks in 2016. However, there have been many reports of SMEs being targeted in this way too – often due to a lack of training and awareness at that level.
Russell Hargreaves, Network Support Engineer at DMC Software, argues that it can be hard to eliminate these emails from our inbox:
“These emails appear to be genuine on the face of it, which makes them hard to detect at the spam filter”.
What can small businesses do?
While large companies often grab the cyber news headlines, it is, unfortunately, usually small businesses that bear the brunt of most cyberattacks. In part, this is because small businesses tend to have more limited security than larger enterprises and more digital assets than individual consumers. In today’s digital climate, every small business should put the necessary precautions in place.
SMEs can be worth a hacker’s time
Robert Hadfield, Technical and Training Director at getsafeonline.org, believes small businesses’ naivety can make them easy targets: “They [small businesses] don’t feel that they have anything that is worth stealing and yet, lots of small businesses have intellectual property that they may not realise has a lot of financial value”.
Train staff to be vigilant of spear-phishing and avoid using USB sticks
Daniel Driver, Head of Perception Cyber Security at Chemring Technology Solutions, thinks small businesses need a “sensible approach to cyber risks” and should begin by “training staff not to fall for phishing schemes.” He says:
“Combined with some basic IT policies, such as restricting access to certain data to only those that need it, and not using USB sticks (hackers drop infected sticks in public places for unsuspecting, helpful or just curious people to pick up), will save most businesses from the majority of common attacks. From there on, you can get away with not resorting to multi-million-pound firewalls with all the bells and whistles, so long as you make sure you have the ability to carry out some network security basics”.
Put a response plan in place
According to Stephen Wright of the Cyber Skills Centre, training should extend to knowing what to do if the worst happens.
“Don’t forget to be prepared for a breach. Know who to call, how to reassure your customers and your staff, and how to get back on your feet swiftly.”
He says that cyber security firms should be “big enough to have the right protections in place, have a convincing incident response plan, and be able to demonstrate it with a certification”.
Get a free cyber security risk assessment
For those worried about straining budgets, Nicola Whiting of Titania suggests utilising information that is already widely available:
“Small businesses with a limited budget can stay protected. The UK Government has launched the industry-supported Cyber Essentials scheme, which reduces risk and contains simple steps business owners can follow to make their systems more secure. Business owners can then complete a free cyber security risk assessment to find vulnerabilities and fix them easily”.
The future of cybercrime – what’s on the horizon?
Your work fridge could be used against you
As they look into the future, experts are already making predictions about how cybercrime will develop and change. While there are different theories about what might be possible, experts agree that as the Internet of Things expands, our vulnerability to cybercrime will continue to grow.
Lee Munson, Security Researcher at Comparitech, says:
“In the years, maybe even months, to come, the next big thing in internet threats will be distributed denial of service (DDOS) attacks on a scale never seen before. With the volume of Internet of Things devices on the market today, most of which have no security measures in place, vast botnets of cameras, TVs and fridges will arise, under the control of nefarious individuals who will leverage them to take down even the biggest sites on the internet”.
Rise of the machines
Stephen Wright of the Cyber Skills Centre asks us to imagine scenarios that don’t directly cause physical damage, such as “every traffic light going to green simultaneously, water supply interrupted, rolling blackouts, or emergency services switchboards being purposefully jammed.”
While it’s difficult to imagine our kitchen appliances and household objects being manipulated by hackers, it is entirely possible these criminals could instruct our devices to cause hazards in the home or office.
Russell Hargreaves of DMC explains: “An example of this could be an internet-connected kettle instructed to boil water, but not cut out when the water reaches the correct temperature, causing a fire risk.”
This was reiterated by Dr Jess Barker, who conjures a dystopian vision of the future: “we can expect to see everything from locks to lights, and cars to refrigerators coming under attack.”
A.I. – a genuine threat to our safety?
Artificial Intelligence (AI) is another area in which experts believe we will see technology make great strides. While this is heralded by many as offering solutions for cyber security, Dr Jessica Barker is concerned that floodgates will open:
“From an attacker’s point of view, artificial intelligence also represents an opportunity, for example with the potential for malware that learns about the victim’s environment and evolves to evade defences and detection. Cyber security is about the interaction of humans and machines and, with the rise of artificial intelligence and machine learning, that line is due to get blurred even further”.
With advanced technology at hackers’ fingertips, we could have scenarios in which an attacker gains access “to a critical system,” warns Stephen Wright.
He explains: “We often think of fingerprint or retinal scanning being the ultimate passwords, but combine high-quality photography with advanced 3D printing and there’s no reason someone couldn’t copy your fingerprint just by taking a photo of your hand in just the right position”.
Whatever the future holds for cybercrime, one thing is certain: businesses, both large and small, will need to have comprehensive security strategies in place if they want to protect their greatest assets.
Protect your business
While many high-profile cases have been brought into the media spotlight, little has been discussed around the risk of attacks on small businesses. With cybercrime now becoming more targeted, increasing numbers of SMEs in the UK are investing in cyber liability insurance to protect their exposures, as well as taking preventative measures in house to minimise the potential impact of cybercrime. For advice on cyber liability insurance, speak to our business insurance experts today on or request a call back.
Thank you to the panel of cyber security experts:
Rob Hadfield - Technical and Training Director at Getsafeonline.org
Dr Jessica Barker - Owner of cyber security consultancy firm J L Barker Ltd and owner of Cyber.uk
Nicola Whiting - Chief Operating Officer at Titania.com
Stephen Wright - General Manager at National Cyber Skills Centre
Daniel Driver - Head of Perception Cyber Security at Chemring Technology Solutions
Lee Munson - Security Researcher at Comparitech.com
James Scriven - Support at DMC Software
Russell Hargreaves - Network Support Engineer at DMC Software
The information and tools contained in this guide are of a general informational nature and should not be relied upon as being suitable for any specific set of circumstances. We have used reasonable endeavours to ensure the accuracy and completeness of the contents but the information and tools do not constitute professional advice and must not be relied upon as such. To the extent permitted by law, we do not accept responsibility for any loss which may arise from reliance on the information or tools in our Knowledge Centre.