Many SMBs I talk to think that, as they are only a small business, they are not at risk of cyber-attack. This is a myth I wanted to dispel today, since the government’s recent Cyber Security Breaches Survey 2018 revealed that 42% of micro/small businesses (1-49 staff) had identified cyber security breaches or attacks in the last 12 months.
This is because the majority of cyber-attacks are indiscriminate: they are what are known as “commodity attacks”.
Commodity attacks are cyber-attacks where cyber criminals use widely available tools that exploit known vulnerabilities in software or operating systems in order to hack into your system or compromise it.
These types of attacks are easy to deploy and don’t need much technical knowledge. Indeed, some of the most destructive types of cyber-attacks, such as ransomware, are now widely available for would-be cyber criminals to purchase as an off-the-shelf package and deploy as they wish. This type of ransomware-as-a-service means that cyber criminals need minimal technical knowledge and have the opportunity to make plenty of quick and easy money.
So it is little wonder that this type of threat is becoming more and more prevalent. In fact, a recent survey by Kaspersky showed that the number of ransomware attacks on businesses tripled last year, with a company now being hit with ransomware every 40 seconds. The same survey showed that 71% of companies targeted by ransomware attacks have been infected.
We now also have the situation where the more sophisticated hackers are making a point of reverse engineering security fixes that vendors like Microsoft bring out to patch newly discovered security loopholes. This means that unless you have applied the security fixes to every device on your network very promptly, there is a real danger that you will be compromised.
As the motivation behind these sorts of attacks is generally about making money, whether that be through demanding ransoms to give you back your data or through stealing confidential information to sell on, the cyber-criminal is generally not picky about whom they target. As such, commodity attacks tend to be widespread, and not just confined to large companies.
I was concerned, although perhaps not surprised, to read in the government’s recent Cyber Security Breaches Survey 2018 that despite this, only 26% of micro/small businesses have implemented formal cyber security policies, while only 12% have an incident management process in place.
One of the commonest methods I see cyber-criminals using to breach a firm’s defences is actually through its staff. Many cyber-attacks are initiated through phishing, where cyber criminals gain access to your firm’s network by getting an unwary member of staff to click on a link or attachment in an email.
Indeed, I know that when cyber security training takes place it is not unusual for every company to fail the phishing simulator, with at least one person from their organisation clicking through on a fraudulent email and therefore allowing that particular piece of malware to gain access to their company network. (In fact, in one phishing simulator training exercise recently, 87% of employees clicked on the fraudulent link, having decided it was genuine!)
Yet worryingly, according to the government survey, only 19% of small businesses have carried out any cyber security training.
There still seems to be a misapprehension that cyber security is a technical issue, which can be addressed purely through technology solutions. This is not the case, as nowadays the only way to effectively manage the threat from cyber-attacks is by deploying an integrated suite of measures. And whilst, yes, technology plays a part in that suite, just as important are staff training, business processes, incident response plans, disaster recovery plans and data backup strategies.
If your firm is in the 70%-80% of SMBs who have yet to implement formal cyber security policies or staff training, then you are leaving yourself exposed to undue risk – and, estimating based on the recent figures, it is likely that almost half of such firms will be attacked in the next 12 months. The disruption, compliance impact, reputational damage and financial impact of such an attack can be substantial, and I would always advise firms to take a proactive approach to prevent such an occurrence.
If you would like to know more about Epoq IT’s comprehensive IT security solutions, which incorporate policies, processes, technologies and staff training, and meet all the criteria needed for accreditation to the government’s Cyber Essentials scheme, as recommended by the SRA, then please do not hesitate to contact me on 01494 444065 or by email at firstname.lastname@example.org
This blog forms part of our series of informational resources for senior partners, practice managers and compliance officers at law firms. To read more articles please visit my blog, IT in Law Firms.
Epoq IT work with small and medium size law firms, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security. For more information please visit our website http://epoq-it.co.uk/law-firms-solicitors-and-legal-services-businesses/