Most SMEs wrongly believe that they are immune to cyber attacks, but statistics show a different reality.
The 2014 Information Security Breaches Survey revealed that 60% of small businesses had a security breach, while the median number of breaches suffered by a small organisation was six.
Research suggests that there are a few major security threats SMEs should be particularly aware of:
Phishing and spear-phishing
Cyber criminals often exploit a lack of security staff awareness to gain access to sensitive information. According to the 2014 Information Security Breaches Survey, 22% of small businesses suffered staff-related security breaches.
Phishing is a popular method used by cyber criminals to trick users into revealing personal information: the victim receives an email that appears to be from a legitimate source, often in conjunction with a website that also seems to be authentic. Spear-phishing is a targeted form of phishing aimed at specific individuals or organisations. Verizon’s 2014 Data Breach Investigations Report revealed that 18% of users will visit a link in a phishing email that could compromise their data.
Password management represents a significant challenge for organisations. SailPoint’s Market Pulse Survey revealed that 56% of employees reuse passwords for the personal and corporate applications they access daily, and as many as 14% of employees use the same password across all applications. On average, employees use only three different passwords and 20% share them with their team members.
The fact that 45% of small businesses in the UK suffered from infection by viruses or other malware, according to the 2014 Information Security Breaches Survey, highlights the significance of security risks associated with network vulnerabilities.
A vulnerability is a weak spot in an organisation’s network that might be exploited by a security threat. For example, failing to carry out regular system updates is a vulnerability. A vulnerability being exploited can have a very negative impact on the organisation, including loss of data, hours or days of site downtime, and staff time needed to rebuild the system after it’s been compromised.
Web applications in particular are susceptible to many types of attack, including remote code execution, SQL injection, format string vulnerabilities, cross-site scripting (XSS) and username enumeration.
If an attack is successful, those with malicious intentions can take control of an organisation’s website and steal sensitive data, causing significant reputational damage and financial losses. In 2014, booking site hotelhippo.com suffered a data breach that eventually forced it to shut down. A session fixation vulnerability was found, in which session ID fields carried in the URL could be exploited to compromise customers’ details.
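To make the session fixation weakness concrete, here is an added example (not code from the original article or from the site mentioned above) contrasting a login handler that accepts a session ID from the URL with one that only honours server-issued IDs and rotates the ID on authentication. The store, handler names and the `sid` query parameter are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlparse, parse_qs


class SessionStore:
    """Constructed in-memory session store (illustrative, not a real framework)."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": username or None}

    def create(self):
        # Server-issued, unguessable identifier.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid


def session_id_from_url(url):
    """The weakness the page describes: the session identifier travels in the URL."""
    query = parse_qs(urlparse(url).query)
    return query.get("sid", [None])[0]  # 'sid' is an assumed parameter name


def vulnerable_login(store, presented_id, username):
    """Binds the login to whatever ID the client presented.

    If an attacker planted that ID in a link beforehand, the attacker now
    shares the authenticated session (session fixation).
    """
    if presented_id not in store.sessions:
        store.sessions[presented_id] = {"user": None}
    store.sessions[presented_id]["user"] = username
    return presented_id


def hardened_login(store, presented_id, username):
    """Mitigation: never trust a client-chosen ID and rotate on login.

    Any pre-login session (even a legitimate server-issued one the attacker
    obtained) is discarded, and a fresh ID is issued for the authenticated user.
    """
    if presented_id is not None and presented_id in store.sessions:
        del store.sessions[presented_id]
    new_sid = store.create()
    store.sessions[new_sid]["user"] = username
    return new_sid


def whoami(store, session_id):
    entry = store.sessions.get(session_id)
    return entry["user"] if entry else None


def fixation_outcome(login):
    """Simulate a victim logging in via an attacker-planted link.

    Returns (user bound to the attacker-chosen ID, user bound to the ID the
    victim ends up with after login).
    """
    store = SessionStore()
    planted = session_id_from_url("https://example.test/book?sid=attacker-chosen-id")
    sid_after = login(store, planted, "alice")
    return whoami(store, planted), whoami(store, sid_after)


if __name__ == "__main__":
    print("vulnerable:", fixation_outcome(vulnerable_login))
    print("hardened:  ", fixation_outcome(hardened_login))
```

With the vulnerable handler the attacker-chosen ID is authenticated as the victim; with the hardened handler it never becomes valid, and the victim's real session ID is one the attacker never saw. Real frameworks implement the same two rules by keeping the ID in a cookie only and regenerating it on login.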
The 2014 Information Security Breaches Survey indicates that three-quarters of small organisations have adopted a bring your own device (BYOD) culture. Despite the threat from mobile malware, 21% of SMEs admitted that they haven’t taken any steps to mitigate the risks associated with staff using smartphones or tablets. Only 29% of small businesses encrypt the data held on mobile phones and only 35% train their staff on the threats associated with mobile devices.
Cyber Essentials and SMEs
Recognising that not all organisations have the necessary resources to address the business-critical issue of cyber security, the UK Government’s Cyber Essentials scheme provides a set of five controls that organisations can implement to achieve a baseline of cyber security, and against which they can achieve certification to prove their credentials.
The Cyber Essentials scheme addresses the most common threats affecting organisations and covers five key areas:
- Secure configuration
- Boundary firewalls and Internet gateways
- Access control and administrative privilege management
- Patch management
- Malware protection
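As an added example (not part of the original article or of the Cyber Essentials scheme's own material), the script below turns the five control areas into checks run over a constructed host inventory. The host fields and the `MAX_SIGNATURE_AGE_DAYS` threshold are assumptions; the 14-day deadline reflects the scheme's requirement to apply critical and high-risk updates within 14 days of release.

```python
from dataclasses import dataclass

CRITICAL_PATCH_DEADLINE_DAYS = 14  # scheme requirement for critical/high updates
MAX_SIGNATURE_AGE_DAYS = 1         # assumed in-house threshold, not a scheme figure


@dataclass
class Host:
    """Constructed inventory record; field names are assumptions for illustration."""
    name: str
    default_credentials_remaining: int
    unneeded_services: list
    firewall_enabled: bool
    inbound_default_policy: str          # "deny" or "allow"
    admin_accounts_used_for_daily_work: int
    shared_accounts: int
    oldest_unapplied_critical_patch_days: int
    antimalware_installed: bool
    signature_age_days: int


def check_secure_configuration(h):
    problems = []
    if h.default_credentials_remaining:
        problems.append(f"{h.default_credentials_remaining} default credential(s) still in use")
    if h.unneeded_services:
        problems.append("unnecessary services enabled: " + ", ".join(h.unneeded_services))
    return problems


def check_boundary_firewall(h):
    problems = []
    if not h.firewall_enabled:
        problems.append("host firewall disabled")
    elif h.inbound_default_policy != "deny":
        problems.append("inbound default policy is not deny")
    return problems


def check_access_control(h):
    problems = []
    if h.admin_accounts_used_for_daily_work:
        problems.append("administrative accounts used for everyday work")
    if h.shared_accounts:
        problems.append(f"{h.shared_accounts} shared account(s)")
    return problems


def check_patch_management(h):
    if h.oldest_unapplied_critical_patch_days > CRITICAL_PATCH_DEADLINE_DAYS:
        return [f"critical update outstanding for {h.oldest_unapplied_critical_patch_days} days"]
    return []


def check_malware_protection(h):
    if not h.antimalware_installed:
        return ["no anti-malware software installed"]
    if h.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        return [f"signatures {h.signature_age_days} days old"]
    return []


# Names match the five control areas listed above.
CONTROLS = {
    "Secure configuration": check_secure_configuration,
    "Boundary firewalls and Internet gateways": check_boundary_firewall,
    "Access control and administrative privilege management": check_access_control,
    "Patch management": check_patch_management,
    "Malware protection": check_malware_protection,
}


def audit(host):
    """Return {control area: [problems]} for every control the host fails."""
    findings = {}
    for control, check in CONTROLS.items():
        problems = check(host)
        if problems:
            findings[control] = problems
    return findings


def is_compliant(host):
    return not audit(host)


# Constructed sample inventory: one well-managed server, one neglected desktop.
HOSTS = [
    Host("fileserver-01", 0, [], True, "deny", 0, 0, 3, True, 0),
    Host("reception-pc", 1, ["telnet"], True, "allow", 2, 1, 40, True, 9),
]

if __name__ == "__main__":
    for host in HOSTS:
        print(host.name, "compliant" if is_compliant(host) else audit(host))
```

The point of the structure is that each control area becomes a function returning concrete findings, so the output reads as a remediation list rather than a single pass/fail, and thresholds such as the patch deadline live in one place.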
IT Governance offers three certification solutions that enable SMEs and large companies to achieve certification to either Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.
Do you know whether you meet the requirements of the Cyber Essentials scheme?
Find out by completing our quick online checklist.