The success of small businesses is crucial to any region’s economy. These businesses range from day care centers to medical practices, from convenience stores to hair styling salons, from the building trades to ambitious new entrepreneurs. Businesses of all sizes are prone to cyberattacks, but small and medium businesses (SMBs) often lack the resources of larger businesses to detect, prevent, respond to, and contain breaches and intrusion attempts.
Attacks against small businesses in the United Kingdom’s economy are big business for cybercriminals. According to the Federation of Small Businesses (FSB), there were 5.6 million small businesses in the UK at the start of 2018. At that time, small businesses made up 99.3% of all private sector businesses, and 99.9% were small or medium-sized. The UK’s gross domestic product in 2017 was a whopping $2.622 trillion USD, or about £2,161 trillion. Billions or possibly even trillions of pounds are at stake when British small businesses are attacked.
That’s why we should be concerned about the Federation of Small Businesses’ latest research findings. The Federation concludes that British small businesses are subject to nearly 10,000 cyberattacks per day. Let’s take a look at some of the numbers from the survey:
About 20% of their survey respondents say they’ve experienced at least one cyberattack between January 2017 and January 2019. And that’s only the cyberattacks that they’re aware of, as many go undetected. Survey respondents reported more than seven million cyberattacks over the course of those two years, which averages to 9,741 incidents per day.
The average attack costs a British small business £1,300 per incident, amounting to a collective £4.5 billion per year lost to cyberattacks in total. Again, I think this indicates the tip of the iceberg.
According to the report, phishing seems to be the biggest problem: 530,000 small firms reported phishing attacks during the two-year period. The other most significant problems are malware with 374,000 incidents, fraudulent payment requests with 301,000 incidents, and ransomware with 260,000 incidents. Stepping back to look at the bigger picture, the majority of the reported malware in this time period was ransomware.
Ransomware is usually easy to detect because the attack announces itself: the victim is shown a ransom note and told to act on it. More covert malware, however, is often missed by those focused on the headline-grabbing attacks. For example, subtle cryptomining malware is notoriously difficult to detect because it is often fileless, residing only in the RAM of infected devices and leaving nothing on disk for a file scanner to find. 2018’s GhostMiner is an excellent example of how cryptomining malware can easily evade detection. As reported by Catalin Cimpanu:
“The fileless technique has become quite popular with malware in recent years, allowing (threat actors) to run malicious code directly from memory, without leaving files on disk, hence fewer artifacts that classic antivirus engines could detect.
Further, GhostMiner also employs another advanced technique of hunting competing miners and shutting down their processes. The technique isn't new, as it's been used by another nondescript coinminer strain, but this shows that GhostScript's author has put a lot more thought into assembling his code than most other crooks.”
The huge volume of cyberattacks against British small businesses is worsened by their often-poor security measures. According to the FSB’s research, 35% of surveyed small businesses say they have not installed security software over the past two years. 40% don’t update their software on a regular basis. And only 47% have a strict password policy for devices. Who knows how many small businesses use passwords like “password” or “12345”? According to the UK's National Cyber Security Centre, the top ten most commonly used passwords involved in worldwide data breaches are:
If you see any passwords like these in your business’ networks, users should be notified to change them immediately. More importantly, strong cybersecurity policies mandate complex passwords. According to DigiCert’s Flavio Martins, strong passwords are at least eight characters long (but the more characters, the better), lack personal information like names and birth dates, are not reused from other accounts, and contain uppercase letters, lowercase letters, numbers, and special characters.
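As an added illustration (not code from the article, DigiCert or the FSB), the following Python check encodes the password rules summarized above and adds a denylist check for well-known breached passwords; the denylist entries and the sample user details are constructed placeholders, since the page does not reproduce the NCSC list.

```python
import hashlib
import re
from datetime import date

# Constructed stand-in for the NCSC top-ten list mentioned in the article.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein"}

# Constructed sample user used for the reuse and personal-information checks.
SAMPLE_USER = "John Smith"
SAMPLE_BIRTH = date(1985, 3, 12)


def sha256_hex(password):
    """Hash used only to compare against a stored password history.
    Toy choice: a production history store should use a salted slow hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def password_policy_violations(password, user_name="", birth_date=None,
                               previous_hashes=()):
    """Return every rule a candidate password breaks (empty list = accepted).

    Rules: at least 8 characters; not on the common-password denylist;
    no personal information (name tokens, birth-date fragments); not a
    reused password; upper, lower, digit and special character all present.
    """
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    # Any name token of three or more letters appearing in the password.
    for token in re.split(r"\W+", user_name.lower()):
        if len(token) >= 3 and token in lowered:
            problems.append("contains the user's name")
            break
    if birth_date is not None:
        fragments = {str(birth_date.year), birth_date.strftime("%d%m"),
                     birth_date.strftime("%m%d"), birth_date.strftime("%d%m%Y")}
        if any(fragment in password for fragment in fragments):
            problems.append("contains the user's birth date")
    if sha256_hex(password) in set(previous_hashes):
        problems.append("reuses a previous password")
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(pattern, password) for pattern in classes):
        problems.append("missing upper, lower, digit or special character")
    return problems
```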
FSB’s Policy and Advocacy Chairman Martin McTague shared these thoughts for people who are concerned about their research findings:
“The issue of business crime is overlooked too often – even more so of late in this climate of sustained political uncertainty and inaction. Meaningful steps must be taken to safeguard our small firms, and by extension the wider economy. More small firms are waking up to the threat of cybercrime. It’s a threat that’s evolving rapidly, but too many small businesses still lack access to the resources and budgets needed to contain it.
Software providers could also be doing more. Government should be prepared to step-in and require automatic patching and updates to be the default option for all software products.”
The Federal Communications Commission is an American governmental agency, but its tips for how small businesses can prevent cyberattacks are just as applicable to the UK as they are to the US. Here’s what they advise.
1) All employees should receive security training
“Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.”
2) Securing the software and data on endpoints is crucial
“Keep clean machines: having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.”
3) Firewalls should be deployed wherever possible
“A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system's firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.”
4) Don’t forget to secure mobile devices such as smartphones
“Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.”
5) Make lots of backups
“Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.”
6) Be careful about physical access to your computing resources and devices
“Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.”
7) Secure your WLANs
“If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.”
8) Get serious about your point-of-sale and payment processing security
“Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don't use the same computer to process payments and surf the Internet.”
9) Employ the principle of least privilege as far as data access is concerned
“Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.”
10) Deploy better authentication systems
“Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.”
The UK’s Federation of Small Businesses’ research findings should act as a wakeup call to small businesses everywhere to improve their cybersecurity. By following these tips, SMBs can protect themselves – and their staff – much better in years to come.