The most common cyber security threats to SMEs

The importance of cyber security grows year on year as the technology we use in our businesses becomes increasingly embedded in every action our employees take to carry out their day to day roles.

A cyber attack refers to the deliberate attempt by an individual or organisation to breach the information system of another individual or business with malicious intent.  

There are a number of different types of cyber attacks and security breaches, but some are more common than others. 

Fact3 have highlighted some of the most prevalent attacks SMEs should consider high priority for protection.

Ransomware 

Ransomware is a type of malware designed to either publish a victim’s data or deny access to it until a ransom is paid. In the first 6 months of 2018 there were over 181 million recorded ransomware attacks globally ("Ransomware back in big way, 181.5 million attacks since January", Help Net Security, 11 July 2018, retrieved 20 October 2018). Some strains encrypt data in a way that an expert is able to reverse. More advanced strains use encryption that cannot practically be reversed, leaving the data totally inaccessible and often forcing the victim to pay the ransom demanded to regain access.

One of the problems with identifying and prosecuting the individuals or organisations behind ransomware attacks is that the ransoms are usually demanded in digital currencies such as bitcoin or other cryptocurrencies. These are difficult to trace, and the likelihood of seeing that money again once it has been paid is very slim.

If faced with a ransomware attack, businesses are urged not to pay the ransom. Payment encourages the attackers to continue, and there’s no guarantee they’ll release the data anyway. The best protection is to have adequate back-up processes and a robust disaster recovery protocol in place before an attack happens.

App Frauds

Smartphone applications are a high-risk area for attacks. With employees increasingly being issued company smartphones, maintaining control over the applications they use on their business phone becomes a high priority for management, as an uncontrolled device poses a huge risk to the wider organisation.

Presently 96% of smartphones don’t have pre-installed security software (Wright, Jorja, Dawson, Maurice & Omar, Marwan (2012), "Cyber Security and Mobile Threats: The Need For Antivirus Applications For Smart Phones", Journal of Information Systems Technology and Planning, 5, 40-60). Traditional security software found on PCs, such as firewalls, encryption and antivirus, isn’t currently standard on smartphones.

Where employees use their smartphones without restriction, the security risk to the business is that corporate data ends up stored on the device and passwords reside in places like the iPhone Keychain. An attacker who gains control of the device could then use them to access corporate services such as email and the business’ virtual private network (VPN).

Phishing Attacks 

Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source. It is usually done through email. The goal is to steal sensitive data like credit card and login information, or to install malware on the victim’s machine (Cisco Security, Email Security https://www.cisco.com/c/en/us/products/security/email-security/what-is-phishing.html).

Phishing attacks are particularly challenging because small businesses are often targeted. Employees with limited knowledge of phishing as a concept are an easy route in for attackers.

There are a number of preventative measures SMEs can take to protect against phishing attacks: actionable employee training that is carried out regularly, two-factor authentication, spam filters configured to recognise phishing emails before they reach an employee’s inbox, and browser extensions that prevent employees from clicking on malicious links.

Man in the Middle Attacks 

A man-in-the-middle attack (MiM) is where an attacker intercepts and alters the communication between two parties who believe they are communicating directly with each other. For example, an employee receives an email that appears to come from their bank, asking them to confirm their contact details. The email contains a link to a site that looks like the bank’s; when the user enters their details, they are intercepted by the attacker.

There are basic measures you can take to help protect against MiMs. Virtual private networks (VPNs) use key-based encryption, which ensures that even if an attacker intercepts the VPN traffic they won’t be able to decipher the communication. Malware protection will also go some way to protecting your business, as will other encryption strategies, including device encryption, SSL and WiFi encryption.

Employee Awareness 

The biggest gap in an SME’s cyber security strategy is its employees. More often than not it’s a lack of awareness and understanding on the part of employees that puts a business at risk. If employees don’t know how to recognise a security threat, they can’t be expected to avoid it, report it or remove it. Regular, focused and action-based employee training is absolutely critical to protect your organisation, alongside watertight policies spanning social media, password security, email and internet usage.

It’s clear there are a wide variety of fairly simple strategies SMEs can put in place to protect against cyber attacks. That being said, it’s highly advisable to seek professional advice, not only on prevention, but also on after-the-fact measures such as insurance and disaster recovery protocols should the worst happen.
