Small firms face a greater cyber-security risk than their larger competitors

We often read headlines in newspapers declaring that UK businesses are suffering as many as 1,000 cyber-attacks an hour, but which businesses are most at risk from hackers? The majority of us would probably suspect that it is the largest organisations; after all, they are more likely to hold the most valuable information, which will prove attractive to hackers.

However, hackers are increasingly turning their attention to small businesses, that is, those employing a few hundred people or fewer, according to Alan Woodward, professor of Computing Science at the University of Surrey. Speaking to the BBC, he explained that these smaller businesses are at risk because they are not taking the necessary security precautions: they feel that any information they may hold will have little hard cash value to criminal gangs, so they fail to take steps to insulate themselves from attack. However, this is misguided, according to Professor Woodward. Even the smallest business can be the custodian of information that will prove to be a sellable commodity to criminals: customer names and addresses, credit card details and designs vital to an innovative start-up will all have considerable value on the criminal market.

According to the professor, there is mounting evidence that small businesses could in fact turn out to be the UK’s Achilles heel in terms of cyber-security. These small businesses may not fully realise their value, but they are in fact the foundation upon which the economy rests: if they are destabilised by hackers, then there’s every likelihood that everything else will come crashing down too.

So just how serious is the threat to small businesses? Well, over the course of the last year a number of surveys have been published suggesting that over 60 percent of small businesses have suffered some form of malware attack. It’s understandable in many ways, as these smaller enterprises, unlike larger corporations, can’t afford to employ skilled IT professionals to safeguard their servers. Yet it is possible to protect servers from cyber intrusion by employing even the most basic of security precautions, so in Professor Woodward’s eyes this clearly demonstrates how poorly prepared most small businesses are.

In fairness, most small businesses are run by entrepreneurs: they aren’t, and have never claimed to be, security experts. Even those that do recognise the threat of cyber-intrusion often view it as a remote possibility, so it ranks low on their list of priorities. Sadly, the surveys tend to suggest that 20 percent of SMBs only become concerned about cyber-security issues after they have experienced an intrusion. More worryingly, one report indicates that 10 percent of small businesses would have absolutely no way of knowing whether they had experienced a successful attack or not.

So are hackers simply targeting small businesses for the information they may hold, or are they trawling for bigger fish? Well, the professor believes that criminals recognise that smaller businesses can often be a way of reaching onward to the larger firms: hackers can get a foot in the door of larger corporations by targeting small businesses in the supply chain. Obviously it makes sense for the hackers to target the weakest link in that chain. If you consider that the supply chains of some of the largest, hyper-connected international corporations can run into tens of thousands of smaller companies, then there are countless weak links for the hackers to target.

As smaller businesses feed the larger businesses, those larger businesses are becoming acutely aware that potentially valuable assets and intellectual property could be at risk somewhere further down their supply chain. So small businesses wishing to join large supply chains have to be able to demonstrate that they can protect the intellectual property entrusted to them, and that means they cannot put off the issue of cyber-security any longer. This has now become a major issue for small businesses. Many larger corporations that disseminate valuable intellectual property to large distributed supply chains track and audit who has access to what data. If they discover that a leak has come from one of the smaller businesses lower down the chain, then that business’s services will no longer be required. Small businesses therefore need expert advice from intrusion protection professionals to ensure that they are able to protect their own and their clients’ valuable data.

If your business needs help with security reviews, penetration testing or web security solutions, please contact Krypsys on 01273 044 072 or [email protected].