CYBER ATTACKS ON SMEs - REAL OR IMAGINED?
It’s an interesting question and one that has been endlessly debated over the years. Is an SME worth the effort of a Cyber attack? It’s difficult to assess just how many Cyber attacks are aimed at SMEs in the UK each year. Some studies suggest that they have increased tremendously in recent years. Most large organisations have the capability, but not always the will, it has to be said, to determine just how many attacks they sustain, how many were successful and what the loss has been, quantified in financial terms. SMEs do not.
There can be many motives for a Cyber attack, ranging from mischief, i.e. the script kiddies who do it because they can, or are experimenting and honing their skills, right up to a hostile intelligence service attacking multiple organisations to disrupt commerce and attack a nation’s critical national infrastructure (CNI). If you think that that simply wouldn’t be worth their while, then ponder on the Department for Business, Energy and Industrial Strategy statistic that 99.9% of 5.7m businesses in the UK are defined as small to medium, i.e. with 1 to 250 employees. Yes, only 0.1% of businesses have more than 250 employees. So in order to disrupt the CNI, attacking SMEs is very much worth it.
That said, it is arguable that most attacks will be undertaken by Cyber criminals for profit and that many of these attacks will in fact take the form of some sort of scam, some using a technical attack and others purely based on social engineering, or a combination of both.
SMEs are often very reluctant to spend time, effort and money to combat these, in their view, perceived rather than real attacks. We can understand that. SMEs are often operating on very small margins and simply don’t have the budget for the kind of monitoring that is required in order to gather the kind of information needed to demonstrate that they are under attack, have been attacked, or are vulnerable to an attack. Most rely on a local IT company, usually a VAR whose business is dependent upon selling hardware and software, sometimes with attached services to install and configure what they have sold, but who do not carry out any kind of in-depth analysis of the client’s threats, vulnerabilities and risk, in order to examine exactly what kind of protection their client actually needs.
Nonetheless SMEs remain vulnerable to sabotage of data networks; loss of information, both in terms of business intelligence and personal information subject to regulation under the DPA 2018 and GDPR; financial fraud; denial of service and malware attacks. All of these can be quantified in financial terms, if the information is available to do so. Very limited attention has been focused on SMEs’ inability to recognise and account for losses sustained in this way.
The challenge then is how does an SME undertake the kind of assessment which enables it to understand its business risk, and vulnerability to the threats posed by the various methods an attacker might use? This is something we, as a consultancy, have looked at very seriously. Taking our experience and expertise gained working for the major enterprise organisations, providing protection not just in the private sector but for major government departments, we had to come up with a way of delivering that to SMEs at a price they can afford.
We believe we have achieved this through a mixture of fixed price delivery (our Cyber Maturity Assessment, or CMA) and monthly subscription pricing, pegged at an affordable level, which enables the problems identified in the CMA to be fixed and provides an on-going service of a virtual Cyber Security Manager and/or a Data Protection Officer.
If you would like to know more please contact us on firstname.lastname@example.org or check out our web site www.hah2.co.uk.