According to the Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey 2022, 39% of UK businesses and 26% of charities reported identifying a cyber security breach or attack in the previous 12 months.
There are many examples of global companies that have suffered cyber attacks. In 2020, the ICO issued what was then its largest penalty under the GDPR, fining British Airways £20m for a data breach that affected more than 400,000 of its customers. Yahoo, one of the more infamous victims of cyber attacks, has been breached repeatedly. Both companies had extensive security resources at their disposal.
Naturally, it is even harder for SMEs to maintain the same standard of caution. Hiscox estimated in 2018 that, while most attempts fail, a small business in the UK is successfully hacked every 19 seconds. This represents a monumental problem, and attackers have only become more sophisticated as they hunt for the most vulnerable and lucrative targets.
The Covid-19 effect
It’s not an exaggeration to say that COVID-19 radically transformed the world of work. Most UK businesses were forced to adopt remote working for the first time, and a large majority have decided to stick with it, on either a permanent or hybrid basis.
This move has brought heightened cybersecurity risks. The first is behavioural: away from the eyes of senior staff, employees are more willing to take shortcuts such as sharing confidential files by email instead of through the approved, more secure channels. In addition, the likelihood of work being done on insecure personal devices and home networks increases dramatically when staff work from home.
Secondly, some organisations were forced to adapt their business quickly. Their target customers – both B2B (businesses) and B2C (consumers) – became solely “digital-purchasers” overnight. As a result, organisations had to pivot their operations to provide more goods and services online, raising e-commerce’s share of global retail trade from 14% in 2019 to about 17% in 2020.
However, the growth of online activity also increases the potential for cyberattacks. Attackers took advantage of the treasure trove of new personal data being fed into eCommerce sites: email addresses from customer sign-ups, card details entered at checkout, addresses for delivery, passwords for log-ins and dates of birth for age validation. Holding this data puts an even larger target on an eCommerce site’s back.
No small phish to fry: The consequences of a breach
The consequences of a successful attack can be high indeed. The EU’s General Data Protection Regulation allows authorities to impose fines of up to 4% of a company’s annual global turnover or €20 million, whichever is higher. The severity of this regulation is matched by the scale of the problem. When a company loses customer data in a cyber attack, that data is frequently sold on to other criminals who intend to use it for fraud and further attacks.
In one case examined by Deloitte, attackers took advantage of a retailer’s poor wireless network security to intercept credit card information and breach the company’s unencrypted customer database. In this case, the cybercriminals used various attack techniques until they found one that worked, then waited inside the network until they could intercept the data they needed to get into the company’s database. The affected company suffered a significant reputation loss and had to deal with sales losses, fines, and a settlement.
Despite this, according to CyberSmart, 32% of UK SMEs still don’t have any form of cybersecurity program at all (whether in-house or outsourced), and exactly half of SME managers said they did not have a formal cyber-incident response plan.
A constant game of cat and mouse: What should we do about it?
Stay up to date: Cybersecurity requires a serious reality check. If a determined attacker wants to access your information, they will eventually find a way in. It’s a matter of when, not if. The key is to be proactive. Don’t assume it won’t happen to you.
If your eCommerce site is taken offline, you’re certain to take several hits: lost sales, brand damage, and the cost of restoring it. It’s worth the investment to keep the website current by patching the site itself, its plugins and the CMS. It can be tempting to defer updates because of the cost of upgrading, especially when they add no new features or functionality. However, it is critical that businesses apply security updates as soon as they are released. Once a vulnerability in a piece of software is publicly announced, it is only a matter of time before attackers start exploiting it. In the case of British Airways, the attack on its systems went undetected for around two months, so any delay in identifying and fixing weaknesses simply adds to the potentially devastating impact of a data breach and the regulatory consequences that follow.
You can protect yourself by ensuring the software you use is secure and actively supported by a vendor. If you rely on software whose developer cannot be asked for a fix, whether for a security vulnerability or anything else, you are leaving the front door wide open for an attack now or in the future. Backups are essential too, so that the site can be restored quickly if something goes wrong, and they must be kept offline or otherwise inaccessible to an attacker who has compromised the live site, or they will be encrypted or deleted along with it.
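The patching advice above comes down to one repeatable check: for every component on the site, is the installed version older than the first release that contains the fix? The following is an added example, not code from the original article or from any CMS vendor. The component names, versions and advisory entries are constructed sample data, not real vulnerabilities. It also shows a pitfall that makes such checks silently wrong: comparing version strings as text ("1.10" sorts before "1.9") instead of as numbers.

```python
"""Check a site's component inventory against a list of fixed versions.

Added example, not from the original article. INVENTORY and ADVISORIES are
constructed sample data with hypothetical component names.
"""
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so numeric ordering applies.

    Non-numeric suffixes such as '2.0.3-beta' are stripped; a part with no
    digits at all counts as 0.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """A component is exposed when its version is below the first fixed release."""
    a, b = parse_version(installed), parse_version(fixed_in)
    # Pad to equal length so that 2.0 and 2.0.0 compare as equal.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


# Constructed inventory: hypothetical component -> installed version.
INVENTORY: Dict[str, str] = {
    "example-cms": "5.9.1",
    "example-payment-plugin": "1.10",
    "example-gallery-plugin": "2.0.3",
}

# Constructed advisories: hypothetical component -> first version with the fix.
ADVISORIES: Dict[str, str] = {
    "example-cms": "5.9.2",
    "example-payment-plugin": "1.9",   # 1.10 is newer than 1.9, so already fixed
    "example-seo-plugin": "3.1",       # not installed, so not a finding
}


def outdated_components(inventory: Dict[str, str],
                        advisories: Dict[str, str]) -> List[str]:
    """Return the installed components that still need a security update."""
    return sorted(
        name
        for name, installed in inventory.items()
        if name in advisories and is_vulnerable(installed, advisories[name])
    )


if __name__ == "__main__":
    for name in outdated_components(INVENTORY, ADVISORIES):
        print(f"{name}: installed {INVENTORY[name]}, fixed in {ADVISORIES[name]}")
```

Run against the sample data, the only finding is example-cms, because 1.10 of the payment plugin is already newer than the 1.9 fix; a naive string comparison would have flagged it as outdated. In practice the inventory comes from the CMS’s own plugin listing and the advisory list from the vendor’s security announcements.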
Get certified: Cyber Essentials is a government-backed scheme that sets out a baseline of technical controls to mitigate the most common threats before they become real incidents. It assesses five control areas: boundary firewalls, secure configuration, user access control, malware protection and security update management. Research from Lancaster University found that implementing the scheme’s controls can mitigate up to 98.5% of common cyber threats.
Don’t compromise on training: Protecting your confidential information is not just about keeping malicious outsiders out; insider risk, including simple mistakes, can pose just as much of a challenge. Phishing emails, the most commonly identified attack type last year, have become far more convincing. An employee might choose a weak password or write it down somewhere accessible. This is where cybersecurity requires a cultural shift. Every employee at your business should receive security awareness training and be well informed about the types of threats that are out there. In addition, someone should own the role of Chief Information Security Officer, whether that is you as the company’s leader or a part-time appointment; that person must be properly trained and empowered to fulfil the role.
Ultimately, leave nothing to chance. Always expect an attack to happen, as cybercriminals are constantly looking for that open entryway. SMEs cannot afford to leave the door open. One negative experience can damage your customer relationships, reputation and overall business health. In this constant game of cat and mouse, we all need to be on our guard.