When it comes to cyber-attacks, being small isn’t a cloak of invisibility.
You don’t have to employ hundreds of staff, work for a large roster of clients or turn over millions to attract the attention of data criminals.
In fact, SMEs are particularly appealing to hackers because of their size. They often lack the resources – technology, staff training, specialist knowledge – that promote resilience. As a result, hackers pick them off as easy targets.
The government’s recent Cyber Security Breaches survey outlines this problem, revealing that 42% of micro or small businesses have been breached in the last 12 months. Despite this, only 26% have a formal cyber security policy and fewer than one in five (19%) train their staff to be cyber aware.
With the advent of GDPR, small businesses now have the same responsibility as large businesses to protect sensitive data. Key to this is understanding how the dark web works because most stolen data ends up on this enormous, covert stratum of the web. Here are some pointers on what you need to know:
- Small is still beautiful to dark web criminals: The size of your enterprise doesn’t make your data any less valuable to criminals. Sensitive information such as customers’ bank details or staff log-ins is desirable to criminals whether you are an SME or a PLC. It’s important for smaller companies to understand what data needs to be protected and how to protect it. The government’s National Cyber Security Centre website is a good place to start. Look out for its weekly threat reports, informative blogs and guidance, in particular the “10 Steps to Cyber Security”.
- Hackers are often indiscriminate: Some dark web criminals steal to order for organised criminal networks; others are less sophisticated. Known in the trade as ‘script kiddies’, they use tools created by others to scan the most vulnerable websites or servers. They are likely to go for easy targets and sell their haul as a job lot on the dark web.
It’s worth remembering that WannaCry, one of the most damaging hacking events in 2017, was random and untargeted. Organisations of all sizes were vulnerable because they failed to install security patches. But many smaller organisations were particularly susceptible because they had older, unpatched systems.
- 92% of businesses have stolen cloud data on the dark web: It took Marriott Hotels four years to realise that hackers had set up camp in their computer systems (long enough to figure out how to decrypt their most valuable data), so it’s no surprise that most SMEs have no idea that their stolen data is for sale on the dark web. Knowing what’s out there is the first step towards understanding your vulnerabilities and putting measures in place to identify and protect your information.
- Reputation ruin is a criminal service: On the dark web, people order stolen data about a particular company or individual and then threaten to damage their reputation by exposing this information. This activity can be commissioned by rival companies, political activists or aggrieved former employees. For criminals, the beauty of the dark web is that they can’t be seen or traced and can trade information using secure cryptocurrencies.
For large firms, politicians or celebrities, this type of exposure can be highly damaging, but for SMEs with fewer resources, it can completely wipe out their business.
- Searches leave a trail: Anyone browsing the dark web leaves a footprint with negative implications for the business – so resist conducting your own investigations. There’s also the risk of exposure to malware and sinister content. Dark web investigators use bots and crawlers to rapidly and safely scan the dark web and can let you know if your information is there in real time, giving you the chance to immediately respond.
- Data can be disrupted or removed: Stolen data for sale on the dark web can often be disrupted, its distribution delayed, and sometimes it can even be removed, so don’t lose hope if your data is found on the dark web. It’s better to know exactly what’s been leaked and then put appropriate measures in place to control any damage and limit fines from the Information Commissioner’s Office (ICO).
The NCSC’s 2018 Cyber Security Breaches survey shows that 17% of those SMEs hacked last year took one day or more to recover. Over one quarter said a breach had stopped their staff carrying out day-to-day work, and the average financial loss for small businesses was £894. These figures show the true cost of a breach and serve as a reminder that being small isn’t the same as being safe.