Online security: Why MI5 and GCHQ need to listen to small businesses too.

By Sabelline Chicot on 19 Nov, 2013

Back in July, the UK’s intelligence agencies MI5 and GCHQ urged the country’s FTSE 350 companies to take part in a cyber-governance health check.

The aim of the campaign? Incentivise large companies to ramp up their online security, following the announcement that 93% of large organisations reported breaches in the past year, and that companies critical to the country’s national security, such as those in the aerospace and defence sectors, were particularly incautious.

As the results are due to be published in the next few weeks, one can’t help but wonder whether addressing only the larger corporations will be enough to tackle the problem.

SMEs: ripe targets for hackers

In the UK, SMEs account for over 99% of all private sector businesses, and 87% of them reporting a cyber-breach is therefore a very concerning number. According to security experts, hackers target 30,000 SME websites per day to spread malware and, as smaller organisations often don’t have the right resources and processes in place to protect their business from cyber threats, the consequences are often devastating.

Not only are the operations, reputation and finances of the compromised company likely to be affected, but a breach in their security could also offer hackers a pathway to target larger organisations which hold information critical to national security.

Beware the crouching tiger, hidden hacker

For those who haven’t heard this latest buzzword yet, “water-holing” is a hacking strategy consisting of infesting websites with lower security levels in order to reach the larger corporations that frequently visit them.

Because it relies on observing the online behaviour of users from the target organisation and leveraging the trust they put in their suppliers’ websites or web resources they often use, it’s an extremely efficient strategy, even among organisations that have high standards of protection against phishing and hacking. Although the technique itself isn't new, the levels of sophistication of these attacks and their frequency have reached a new high.

Military and government agencies targeted around the world

An in-depth study of major watering hole attacks over the past few years indicates that the defence sector is particularly targeted, with subsidiaries and business partners in the supply chain used as stepping stones to top-tier defence contractors.

The study also found that many of the attacks were undertaken by organised cyber gangs - “hackers for hire” - tasked with obtaining very specific intelligence. This is of course, in essence, espionage at either corporate or national level.

Although the primary targets may appear to be mainly based in the U.S., ramping up the online security of smaller domestic business organisations should be just as essential for MI5 and GCHQ as focusing on the top guns.

In the meantime, what can SMEs do?

Private online security companies have taken the initiative to provide small businesses with similar cyber security health check tools, like this one by AVG. It may not be as in depth as a health check performed on behalf of the country’s intelligence agencies, but it covers all the topics that need to be considered when looking to improve the online security of a small business, from data storage to encryption, protective software and staff education.

Another avenue to explore is nominating a cyber-security champion in your business. One of the biggest issues faced by small businesses is the lack of resources and know-how dedicated to cyber-security, but according to Verizon’s 2013 Data Breach Investigations Report, most breaches can be easily prevented, as 78% of techniques used are unsophisticated. So, if you can’t justify the budget to employ an IT specialist, why not look within your four walls to see if an existing employee would like to step up?

Empowering and training an enthusiastic employee to own online security matters can make a big difference. From keeping on top of the administration of protective software to establishing processes, building a culture of cyber security or even learning the basics of penetration testing, the scope is large and can evolve along with your business needs.

Sabelline Chicot is a digital writer and editor covering small business and entrepreneurship matters. With five years' experience in the tech and digital industries spent in editorial and marketing roles, Sabelline developed a passion for new technologies, and the great potential they offer to small businesses.