It’s every business owner’s nightmare.
The sense of irritation and impatience hits you first as the file you are trying to access on your IT system fails to open. Then annoyance turns to panic as, one by one, you realise all your key files – many containing your customers’ personal data – are locked. Finally, a hacker’s ransom note for several thousand pounds arrives by email and panic turns to despair as you realise you’ve become the UK’s latest victim of cybercrime.
But this is not some fantastical nightmare. In fact, it’s a reality for small businesses up and down the land. A survey by cyber-security lawyers Moore Blatch recently found that 76% of SMEs were concerned about cyber security. The Government Security Breaches Survey found that 74% of small organisations reported a security breach in 2015.
So why are small businesses so susceptible to hacking?
The simple answer is that they are easy targets because they are unprepared and most don’t view cyber security as a business priority. In most cases, there has been very little investment in defences, which can be expensive, difficult to implement and – frankly – built for large companies, where there is a good pool of I.T. expertise.
On top of this, little care is taken to educate staff about their own security, meaning employees are often a ‘gateway’ into a company because they click on phishing links, or have easily-cracked passwords.
We are all at risk
Email can be a big problem. SMEs regularly ask their clients for sensitive information – such as copies of utility bills, bank statements or National Insurance numbers – without adequate two-way email encryption in place. Internal emails are also often the vehicle for an attack. For example, it is not uncommon for a hacker to issue a fake email from a target company’s CEO, which asks staff members to pay invoices or to transfer money.
I repeat: we are all at risk. Cyber criminals feed on information and data – the more they know about you the easier it is to trick you. They are patient and will find optimum moments to pounce using increasingly clever tactics. The increasingly digital world, where sharing and clicking is second nature to nearly all of us, is making this type of crime easier. And it’s SMEs who are increasingly in the cross hairs because they are such soft targets and can therefore give hackers a good hit rate. And, unlike large companies, it is often less hassle for them to pay the ransom and move on than to stand and fight.
But is there light at the end of the tunnel?
The EU’s Global Data Protection Requirement (GDPR), due to go into effect in May 2018, requires companies, and their management, to be directly responsible and accountable for the management and control of personal and sensitive data. It’s not a cure but it’s a positive step forward.
Under these rules, regulators are going to want to see an evidence chain of decision-making from the top down. The time of inescapable personal responsibility on the part of boards and managers is coming – also A Good Thing. What is in no doubt at all is that cybercrime is something every business should be aware of and seeking information on.
Because if you don’t want to wake up in the nightmare of a cyber attack, now is the time to act.