How can we get very small firms to take cybercrime seriously? Recent research by Kaspersky Lab], shows that 82 per cent of companies with up to ten employees believe they are not a target for cyber-attacks because they are too small or don’t have anything worth stealing.
Yet according to the Federation of Small Business, small firms are in fact a prime target for cyber-attacks. A significant 41 per cent of its members were hit by cybercrime in 2013 and a third were the victim of online fraud. If you imagine an average high street, that’s the equivalent of every second or third shop being attacked.
This complacency certainly isn’t down to the fact that these companies don’t use connected IT devices. The UK’s smallest enterprises are increasingly reliant on the latest mobile devices and computing equipment. Two-thirds (68 per cent) have internet-connected laptops, half support mobile and remote working, and a quarter (26 per cent) allow employees to use their personal smartphones for work.
Between them, these devices hold confidential communications, customer, supplier and financial records, client work, designs, artworks and blueprints, appointment calendars and IP. All data that need to be protected!
Yet, there is a remarkable degree of naivety around IT security. Just one in four (28 per cent) of the small business owners surveyed turn to an external IT professional for advice, while over a third (36 per cent) try to sort any problems out themselves, rising to 42 per cent in the case of men. One in five turns to a friend, including 25 per cent of women; and around one in 10 relies on a partner or parent.
These are invariably the people you would turn to as a consumer, when your personal device develops a glitch or you’ve clicked on a link or opened an attachment you shouldn’t have. But retaining such a consumer mind-set when running a business can prove fatal.
Language may be an issue here: a family-run hairdressing salon or garage, for example, may not regard their appointments calendar and customer address list as ‘business-critical data’, or their consumer-grade wireless router and back-office PC as ‘mission-critical infrastructure’. This could mean that they ignore IT security messages that include such phrases, or they may simply not have kept pace with the rapid growth of their business.
They certainly appreciate how vulnerable they would be if there was an attack. A third (31 per cent) admit they wouldn’t know what to do if they had an IT security breach tomorrow, four in ten would struggle to recover all the data lost and a quarter admit they would be unable to recover any data at all. One in ten of those surveyed accept that it would probably cost them their business. The problem is, they just don’t think it will ever happen to them.
It’s easy to read the headlines in the media and draw the conclusion that cyber attacks are a problem only for large organisations, particularly those who maintain ‘critical infrastructure’ systems within a country. However, even the smallest businesses can be directly targeted for the sensitive or valuable information they hold – from customer banking details, to supplier information or even data that can be used to help stage an attack on a larger enterprise.
Firms run by women seem to be particularly unaware, with just 12 per cent believing their business is a potential target for cyber-threat; compared with 24 per cent of men. Whatever the cause or causes of this, the IT security industry clearly needs to engage better with the growing number of successful and entrepreneurial female business o
wners out there.
No-one needs to become an IT security expert. Most of the time, cyber security is the IT equivalent of remembering to lock all the doors and windows when you go out, making sure you have some additional protection for the things that matter and not leaving valuables where others can easily see and get to them. Installing the right software and applying some common sense guidelines around access and passwords, for example, will take you a long way.
There are around one million micro firms and nearly four million sole traders in the UK. That’s a lot of businesses at risk! It’s all too easy for small businesses to dismiss the potential threats of cyber crime and mistakenly believe that the risks only apply to nation-states and large multinationals.
However, this false sense of security can result in organisations taking an overly relaxed attitude to protecting their systems and data. These businesses urgently need the support of the IT security industry to better identify where the risks lie, how those risks might be changing and what they can do about it, before it’s too late.
David Emm is principal security researcher at Kaspersky Lab