What do the terms ‘malware’ and ‘ransomware’ mean to you? Probably not very much given that they sound more like plot lines from an Ian Flemming novel rather than very real threats to the stability and viability of our businesses.
However, they are likely to become as familiar to small business owners as ‘profit’ and ‘invoice’ are to us now.
Why? Well according to recent government figures, some 53 per cent of SMEs were the targets of cyber crime in 2023. And ransomware (which is a type of malware) is the preferred method of attack used by cyber criminals. These figures are likely to be an underestimate as many SMEs prefer to ‘pay-up’ and say nothing rather than draw unwelcome attention to themselves.
Ransomware is a particularly vicious kind of cyber-attack where a piece of malicious software infiltrates a company’s IT network and renders it inaccessible until a ransom demand is paid.
So why should SMEs in particular be concerned about cyber-attacks? Many SMEs believe that they are too small or too niche to be attractive to ransomware criminals. That attitude is exactly why SMEs can find themselves in the crosshairs.
Steve McCormack, Head of Privacy Care at cyber security specialists Incognito highlights the cyber perils that lie in wait for SMEs as they are easy picking for cyber criminals as they frequently have the weakest anti-virus software installed. Off-the-shelf antivirus protection packages are no match against sophisticated cyber criminals who will simply brush aside virus protection software. It’s like throwing a cup of water on a house-fire. Also, cyber criminals could well be targeting larger companies along your supply chain.
Small businesses find themselves victims of ransomware, not because they have been individually targeted by a criminal, but because of simple human error.
Believing that they are unlikely to fall victims to a cyber-attack, the majority of SMEs fail to adequately inform and educate staff about cybercrime and what to look out for, particularly with regard to ‘phishing’ assaults. This is where a perfectly normal looking email – perhaps from a supplier or government agency – is opened and instead of being legitimate, it is laced with ransomware and once unleashed onto an SMEs computer network it wreaks havoc.
Without comprehensive protection, and staff training too many SMEs will panic and simply give-in to a ransomware demand, hoping that cyber criminals will be honest enough to release the crucial data they have ring-fenced and encrypted – like bank account details or customer account information.
Why would a cyber criminal kill the goose that has just started to lay golden eggs?
One small business we know fell victim to a devastating ransomware assault. A member of staff at a dental practice in the Midlands received what looked like an invoice from a supplier. It wasn’t. Once opened, ransomware was released and the practice was unable to access patient records, appointment details and billing information. Then the demands for payment appeared. If they refused to pay, the data could be destroyed, or sold to the highest bidder on the dark web.
Another SME client of ours (well, they are now) watched helpless as, at exactly 08.00am, some 3000 emails left their servers and went to clients and suppliers. There was nothing they could do. A colleague had worked on a home computer at the weekend and saved the work onto a memory stick. Once plugged into the company’s network on Monday morning, the network was flooded with ransomware.
A client was attending a trade exhibition and was on an exhibitor’s chat room. Up popped an advertisement for exhibition furniture. It looked interesting, so they clicked on it to find out more. It was riddled with ransomware, and we were called in to clean up the mess and create the strongest malware identification, isolation and removal package.
These attacks on SMEs inevitably lead to huge disruption, significant cost, loss of business focus, loss of revenue, reputational damage and ultimately bankruptcy. Not to mention the legal consequences and non-compliance issues.
The recent trends toward working remotely, often from home, or storing data in the cloud, accepting on-line payments and conducting business online, all conspire to create a cyber criminal’s playground.
There are several actions that SMEs can take to minimise their exposure to criminality including:
- Training employees to identify phishing attempts
- Backing up data and keeping it offline
- Keeping security patches up to date
- Having robust anti-spam processes
- Introducing multi-factor authentication
- Configuring your firewall to repel invaders…and so on.
If all that sounds a bit overwhelming, then outsource all of it to a cyber security specialist company which has a commercial interest in keeping your business safe.
All the indicators are that 2024 will be the year that SMEs are confronted by wave after wave of catastrophic cyber-attacks. All the signs are there and in the realm of cyber criminality, prevention is far better than cure.