Lack of Security Has Cyber-Criminals Turning to SMEs


Contributing £1.6 trillion to the UK economy each year, and making up 99.3% of the nation’s private sector businesses, small to medium-sized enterprises are impossible to ignore, whether you’re a business consultant, a consumer or a cyber criminal.

The number of cyber-attacks being carried out against SMEs is stunning; in 2014 alone, 92 per cent of attacks targeted SMEs. Even more shocking, few of these companies are taking the risk of cyber-attacks seriously, with 82 per cent believing they are too small to be targeted.

The Federation of Small Businesses says otherwise, estimating the annual number of attacks against smaller firms to be around seven million and the cost to the UK economy to be a staggering £5.26 billion. The individual costs of these attacks are growing as well. A survey published by Digital Economy Minister Ed Vaizey found that a single attack in 2015 could cost a company as much as £310,800, a substantial increase from 2014’s high of £115,000.

While some SMEs (approximately 23%) have caught on to the potential risk posed by cybercrime, too many are still relying on outdated technology that only provides perimeter security, completely ignoring file-based threats. As these sorts of attacks make conventional security methods utterly useless, an increasing number of hackers are seeing them as their most valuable tool. According to a survey by the Institute of Directors, nine out of ten business leaders believe that cyber security is important whilst only half had a formal strategy in place to actually protect themselves from threats.

File-based threats

File-based attacks involve the use of malicious code, hidden within common file types and launched via email messages. The potential of a file-based threat is only constrained by the ingenuity of the hacker, and history has shown, time and again, the catastrophic effect these corrupted files can bring when they gain access to an enterprise’s systems.

The few SMEs who have woken up to the threat of cybercrime still stand little chance against these file-based threats. Many companies are still relying on costly perimeter security solutions, such as firewalls and email scanning, which are only effective against widely-known threats. Furthermore, these defences rely on incremental updates to remain effective against attacks, though they are often one step behind the hackers.

File-based attacks are responsible for 94% of breaches across all businesses, and this figure continues to grow each year. As a result, many businesses are losing faith in their current security solutions, as well as supposed “new solutions” such as sandboxing, and moving towards more innovative approaches.

Social engineering

The most well-trodden route into a company’s systems is through their own employees. By using well-practiced social engineering methods, hackers can turn an organisation’s own staff into unwitting accomplices. Alarmingly, 88% of breaches include the use of social engineering.

Ammunition for these types of operations is shockingly easy to acquire. Cyber-criminals will typically find this information from a number of sources, such as files from the company’s official website that have not been cleaned or files that have been intercepted during exchange. This information can be used to identify user IDs, server paths, software versions and even employee reference data.

With this information on hand, it’s relatively simple for a hacker to forge a convincing email to an employee, posing as a trusted contact and duping the employee into opening a link designed to send a zero-day exploit, to be activated at a later date, straight into the company’s system. With this in mind, it is vital that companies keep this information out of the wrong hands, ensuring any data leakage is prevented.

The urgency of cybersecurity

With the European General Data Protection Regulation (GDPR) set to come into effect next year, preventing file-based attacks is more urgent than ever for businesses with operations in the EU. The new law will impose increased penalties and fines on businesses that fail to protect data adequately, or are subject to a breach.

Although the GDPR gives some leeway to SMEs deemed to pose a smaller risk to the privacy of citizens, even “one-man bands” will be expected to be fully compliant with the regulations. They must manage their data just as closely as their larger counterparts, avoid introducing unnecessary privacy risks and consider the risks their business practices pose to the privacy of their customers.

To ensure they can live up to the upcoming regulations, SMEs must turn towards a solution based on file-regeneration, one that guarantees total security and full protection against the most common form of cyber threat and can do so without compromising the speed and efficiency that businesses require in order to deliver their clients and customers a competitive service.

SMEs would be wise to adopt a managed service solution, one which is adapted specifically for smaller businesses and takes into account the growing threat posed by file-based attacks. These solutions allow SMEs to achieve full protection from threats in a cost-effective manner, and place the burden of risk on the shoulders of a third party.

With both the GDPR and cyber-criminals casting their eyes on SMEs, it is more urgent than ever for these enterprises to look beyond conventional perimeter security measures and adopt a proven security solution that can protect them from the most common and volatile attacks.
