SMEs ignore cyber security at their peril
It's not only large enterprises that are vulnerable to cyber crime. Cyber criminals are also eyeing small to medium-sized enterprises (SMEs). Smaller businesses are arguably more vulnerable, as too often, they don't have the awareness or resources required to mitigate today's complex threats.
A recent cyber security survey by specialist underwriters SHA reveals that 45% of SMEs don't think they are exposed to cyber attacks, and half of them have no cyber crisis plan in place.
Simon Colman, executive head: Digital Distribution at SHA, says, unfortunately, 30% of businesses have already fallen victim to a cyber attack in the last two years, and two-thirds of those affected have been threatened with litigation by clients and other stakeholders following the attack.
Pay, or lose data
So how should smaller entities protect themselves? According to Colman, when a business experiences a ransomware attack, for example, there are two avenues available to them. They can either pay the ransom and hope for the encryption code, or erase all of the company's data and reinstall from the most recent backups.
Larger organisations conduct frequent backups, so ransoms are rarely paid, he says. However, too often, smaller businesses perform backups less frequently, or on a more erratic basis.
"Business owners should think carefully before they decide to pay a ransom to cyber criminals. Firstly, it goes without saying that when dealing with criminals, there are no guarantees that paying the ransom will result in any data being released. Research by SHA has also shown that 20% of businesses that have paid the ransoms demanded by cyber criminals were targeted by ransomware attacks for a second time."
Colman believes that one of the most cost-effective ways of mitigating the risk of an attack is through effective awareness training. "A significant number of malware infections occur because employees have clicked on a link or enabled a macro in an attachment in an email. A company could spend millions on cyber security, but the human element remains the most vulnerable link in the security chain."
He stresses that businesses should never ignore the need for adequate security protection and should ensure that proper firewalls and updated antivirus or anti-spam tools are in place. "However, many SMEs rely on outdated or free packages that don't provide adequate protection."
It is also important to have cyber insurance cover in place, adds Colman. While policies like these do not generally cover the costs of damage to physical company assets, they protect the business against legal costs in the event of litigation, loss of profits, costs related to restoring or replacing data, and possible fines and penalties that could cripple a company.
"Many insurers will even cover the ransom costs, provided that certain security measures and backups were in place."
Having a policy in place
Colman says all businesses should appoint someone in their organisation who is responsible for looking after cyber security, even if it is an external consultant.
A cyber insurance policy should be a combination of great cyber risk mitigation services and comprehensive insurance cover, he says. This should include ongoing, non-intrusive vulnerability scans on the company's IP addresses as well as 'boots on the ground'.
This gives businesses the ability to identify problems and to act on them, before they fall victim to an attack. "Insurance is really a last resort, for when other risk mitigation measures have been unsuccessful."