As the threat of cyber fraud grows, cyber-security is consistently high up on the priority list of IT leaders across all types of organisations in the UK. The UK Government carried out a survey looking at cyber security breaches in 2018. The research showed that three-quarters of businesses (74%) and over half of all charities (53%) say that cyber-security is a high priority for their organisation’s senior management.
The news is full of high-profile security incidents at large, multinational organisations. This can give the false impression that only enterprise organisations are at risk. That is simply not the case: small and medium-sized businesses (SMEs) face a great deal of risk when it comes to cyber security, and all too often they are not well prepared for it.
According to research from insurance company Hiscox (Oct 2018), UK small businesses were targeted with 65,000 attempted cyber-attacks per day. The study goes on to report that while most attempts fail, a small business in the UK is successfully hacked every 19 seconds. These are staggering numbers and show that the threat of cyber-attack is real and cannot be ignored.
The report goes on to show that breaches as a result of cyber fraud cost the average small business £25,700. When questioned, only 52% of UK small businesses stated that they have a clear cyber strategy in place, and over half of those who suffered a breach were the victims of multiple attacks.
A separate report from specialist insurance broker PolicyBee found that 74% of small businesses haven’t put any money aside to deal with an attack.
Looking again at the UK Government report into cyber security, we can see some fascinating findings about the threat level faced by small businesses. 42% of small businesses identified cyber-security attacks in the last 12 months and just 12% of small businesses have a formal cyber-security incident management process in place.
These figures show just how exposed many small businesses are to the growing threat of cyber-attack. Without the correct policies and procedures in place, small businesses are left at risk of cyber fraud, and its effects can be devastating: in the worst cases, business closure.
What cyber threats do UK SMEs face?
Phishing and spear phishing
- A phishing email is one of the most common and effective tactics used by criminals to introduce malware into a business or to steal staff login credentials.
- Spear phishing is more targeted. In this instance, emails are styled so that they appear to be from a trusted source such as a senior manager, a customer or valued partner organisation. Sophisticated criminal gangs will do their research, even scouring social media accounts to find out information about their target to ensure that their emails seem authentic.
- In both phishing and spear phishing attacks, the victim is encouraged to click on a malicious link or open a malicious attachment. As soon as that happens, malware is installed on the victim's machine, or the victim is taken to a fake login page that harvests their password.
- Ransomware attacks, which are typically introduced by phishing emails, are on the rise. Ransomware encrypts the files on the organisation's computers; until a ransom is paid, the business cannot access its critical files.
Lack of cyber security knowledge
- Even if an organisation has robust cyber-security policies and procedures in place they are rendered almost worthless if employees lack security awareness.
- This is often something which organisations don't really want to address, but it is a threat which should not be ignored. It is important that organisations include in their risk assessment the employees who already have authorised access to the company network from behind the firewall: a careless or compromised insider bypasses the perimeter defences entirely.
Distributed Denial of Service
- A Distributed Denial of Service (DDoS) attack is a malicious attempt to knock websites and machines offline by flooding them with traffic. These attacks can be devastating to small businesses that rely on a website or online services to function.
Malware
- The term malware covers several different types of software that are maliciously installed on a PC or computing system. This includes ransomware, spyware, bots and Trojans.
Attacks on web application databases
- In this type of attack, criminals steal from or tamper with the database sitting behind a web application. This is particularly problematic for organisations that hold any type of sensitive data.
Bring Your Own Device
- Bring Your Own Device (BYOD) is on the rise, with many employees using personal smartphones or other devices to access email and other company software. Corporate networks can be left vulnerable to unsecured devices carrying malicious software or applications.
Phishing emails on the rise
Phishing and spear phishing attacks are on the rise. According to Proofpoint's report The State of the Phish 2019, 83% of global information security respondents experienced phishing attacks in 2018, up from 76% in the previous year.
Small businesses are particularly vulnerable because they often do not have the necessary processes and procedures in place to mitigate the risk.
Don’t get caught out! How to avoid falling victim to email scams
1. Educate staff
Security awareness throughout the organisation is vital, so that every employee understands the potential threats and how they can be part of the solution. Employees can and should be part of your overall cyber-security policy, and they are an especially important part of it when it comes to combating scam emails.
When it comes to spotting a phishing email, there are a few key things to encourage staff to look out for:
- Pay attention to the sender's email address. Attackers can make a fake address very hard to spot. Look out for a slight misspelling of the domain (a swapped, missing or extra letter, or a digit in place of a letter) and for random letters or numbers added to the address.
- Look before you click. You can hover your mouse over a link in your email to see the full link address. If it looks suspicious in any way, then don’t click.
- Check for spelling errors in the content of the email. Sloppy spelling or odd wording can be a real giveaway that the email is not from a trusted source.
- Check images. Attackers often use a brand logo to make the email look genuine. Look closely at these images: are they crisp and clear, and do they look exactly like the brand's actual logo? If not, this is likely to be a sign of a scam email; the attackers have probably copied a low-resolution logo from a website, or even recreated it by hand.
- What salutation does the email use? Have they used the correct name? If not, then be wary. However, if they do use the correct name this doesn’t prove an email is safe. With spear phishing, the perpetrators are highly likely to have checked what name to use.
- If there is highly urgent or even threatening language used, then this should always raise suspicion. Hackers will often use language such as “your account has been suspended, urgent action required”. This sense of urgency can make people panic and forget to do all the relevant checks.
- Spear phishing emails can be particularly hard to spot because of the care and research which hackers put in before sending them. A tactic often used is to say that a senior manager in the organisation has requested urgent payment and to name that individual. Any unexpected requests for money to be paid should always be questioned.
- Check the signature. A legitimate company will normally include contact details at the end of an email. If anything looks suspicious, check that the contact details are correct, and treat a message with no contact details at all as a red flag.
- If in doubt – don’t open it! This is so important. Make sure that staff know that it’s OK to be unsure and that if they are then they should check before they click.
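Several of the checks in the list above (a lookalike sender domain, a Reply-To that does not match the sender, link text that does not match where the link actually goes, and urgent or threatening wording) can be automated. The following is an added example, not code from the original article or from any product it mentions; it assumes a hypothetical list of trusted domains (`TRUSTED_DOMAINS`) and a constructed sample message, and it is a heuristic triage aid, not a replacement for a server-side mail filter.

```python
"""Heuristic phishing checks on a raw email message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation expects legitimate mail from (hypothetical).
TRUSTED_DOMAINS = {"examplebank.co.uk", "ourcompany.co.uk"}

# Wording that pressures the reader into acting without checking.
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "action required",
                   "within 24 hours", "verify your account")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable domain (keeps .co.uk-style suffixes whole).
    Assumption: adequate for the list above; not a public-suffix parser."""
    labels = host.lower().rstrip(".").split(".")
    two_level = len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2
    return ".".join(labels[-3:] if two_level else labels[-2:])


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: str) -> list:
    """Return human-readable findings; an empty list means no red flags were found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable(from_addr.rpartition("@")[2]) if "@" in from_addr else ""
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply_addr and registrable(reply_addr.rpartition("@")[2]) != from_dom:
        findings.append(f"Reply-To domain differs from From domain: {reply_addr}")

    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(from_dom, trusted) <= 2:
                findings.append(f"Sender domain {from_dom!r} looks like trusted {trusted!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        parser = _Anchors()
        parser.feed(text)
        for href, label in parser.links:
            shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", label.lower())
            actual = urlparse(href).hostname or ""
            if shown and registrable(shown.group(1)) != registrable(actual):
                findings.append(f"Link text says {shown.group(1)!r} but points to {actual!r}")

    lowered = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("Urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: a typical "account suspended" lure with a digit-for-letter domain.
SAMPLE = """\
From: "Example Bank Security" <alerts@examp1ebank.co.uk>
Reply-To: verify@secure-login-portal.net
To: finance@ourcompany.co.uk
Subject: URGENT: your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Urgent action required within 24 hours.</p>
<a href="http://secure-login-portal.net/verify">https://examplebank.co.uk/login</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("-", finding)
```

Run against the sample, `analyse` reports all four red flags: the mismatched Reply-To, the `examp1ebank` lookalike, the link whose text and target disagree, and the urgency wording. Each rule mirrors one item in the checklist above, which is the point: the same checks a trained employee makes by eye can be applied consistently to every incoming message before it reaches the inbox.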
In a recent blog post we share real-world examples of how employees have been caught out by scam emails and how this could have been avoided.
2. Promote security awareness from the top down
As with most company initiatives it is really important that security awareness is promoted from the top of the company and throughout the management team. Employees can either be the weakest link in your security policies or a critical line of defence. It is up to management to make sure that security is embedded into the culture of the organisation and isn’t seen as “IT’s problem”.
Here are a few top tips on how to encourage a security culture:
- Awareness training is a key part of ensuring that employees can become assets in your security policy.
- Accept that mistakes will happen. Human error is inevitable, and what you are trying to achieve is to make the human risk as small as possible. After all, no defence is foolproof.
- Never punish errors. You want employees to feel empowered to highlight incidents. If the worst happens and an employee does click on a malicious link, you want them to feel able to report it immediately, because the time between the click and the report is what determines how far the damage spreads.
- Take your employees along with you. This shouldn't feel like a "them and us" situation between IT or management and the rest of the company. Effective security policy includes everyone, and it is vital that all staff members feel they have a stake in it. After all, if the company is badly hit this affects the bottom line, which can ultimately affect employees in terms of job security, pay and bonuses. Another approach is to help employees understand that their own personal data could be at risk if attackers reach HR records, for example.
- Training should be ongoing and if possible, you should be measuring the effectiveness.
Is security awareness enough? There is a growing trend to go beyond security awareness and embed a true security culture within organisations.
Aimee Laycock, CTO of Norway-based security culture experts CLTRe explains “In as much as 95% of all incidents, the cause of breach is blamed on humans. Security culture is particularly relevant given that people are both a cause of information security incidents as well as a key part of the protection against them. In our research, we have developed and investigated seven key dimensions of security culture: organizational norms, individual responsibility, employee attitudes, quality of communication, compliance to security policies, employee behaviours, and the cognitive aspects of security. Combining these dimensions creates an accurate model of an organization’s security culture. Therefore, information about the dimensions is vital when it comes to improving security culture, and thus reducing risk in the organization.”
Aimee goes on to say “The actions and behaviours of employees towards organisational information security are influenced by the security culture of the organisation. This is why building a positive security culture is an important and effective strategy to improve risk management.”
3. Technological solutions
There are a range of solutions available to organisations to help them manage the threat of phishing and scam email.
- Use a good spam filter. Make sure your spam filter picks up scam emails at the server, before they reach anyone's inbox; such emails should be detected and removed at the server level. The filter should examine the message body, the message headers and the message source, and you should be able to easily manage your block list and allow list.
- Use a firewall. If your organisation is made up of more than four or five users then you should ideally be using a hardware solution. Look out for solutions with easy to use interfaces, reporting and alert-systems. Make sure your firewall solution is scalable and able to grow with your business.
- Install anti-malware software. It is really important to have effective anti-malware software installed, and ease of use is key. Check what types of protection are included and which devices will be covered.
- Consider what security procedures are in place for employees who work from home.
- Add an extra layer of security by using two-factor authentication. Even if a phishing email succeeds in capturing a password, the attacker still cannot log in without the second factor.
4. Document cyber-security policies
As discussed earlier, the UK Government's recent survey into cyber security highlighted that only 12% of small businesses have a formal cyber-security incident management process in place. It really is important that SMEs formally document their cyber-security policies. After all, how can a policy be effectively communicated to staff if it isn't properly written down? The National Cyber Security Centre has some excellent resources to help small businesses plan their cyber-security policies.
It can be a huge benefit to small businesses to work with an IT partner who can provide the support and guidance to help protect their business from the threat of phishing and scam emails.
To learn more about how you can educate your team and protect your business, contact us to find out more.