We recently published a news story detailing a study, which revealed more than half of UK businesses would consider hiring a ‘hacker’ or person with a criminal record to help them defend against cyber attacks. This seemed to come with mixed responses, both in our office, and from some of our fans on social media.

On the one hand, there was the point of view that hiring hackers all seems a little too far-fetched for most small businesses, and is a precautionary step that would burn too big a hole into budgets at a time when small businesses could be saving. Admittedly, it does all seem a little bit too Mission Impossible and not enough Business for Dummies.

On the other hand, reactions were in support of the idea of hiring hackers, or cyber-security personnel, as data theft and online fraud are very real threats.

Despite the disagreements, it raised a debate that people wanted more information on: cybercrime. How serious is it, and should you be ‘hiring hackers’ for your small business?

The dangers of cybercrime


Cybercrime is very difficult to spot, and is therefore often not taken seriously as a threat to small businesses. If you ask a shop to leave their doors unlocked for the next week, you’ll get some funny looks. Rightly so. Ask a business owner to leave their website, data storage or internet connection unsecured and you’ll get some equally funny looks, only this time ones of confusion and blank faces.

“It is a bit like terrorism – the more you know the more frightening it looks” – Baroness Neville-Jones.

Cyber crime cost the UK £27 billion in 2010, and this has been increasing year on year ever since. The difference between cybercrime and someone bursting into a shop and throwing items into a sack is that cybercrime is comparatively invisible, and very difficult for an untrained business owner to combat on their own.

In July 2013, the average weekly spend online was £586.6 million. With the introduction of Black Friday sweeping across the UK, online shopping becoming much more streamlined and businesses seeing the benefits of an ecommerce option, this figure is constantly growing. The downside to this? More and more money is being transferred across the internet, and vast amounts of data are stored in databases owned by businesses that have the equivalent of an unlocked door guarding them.

A report by Detica, in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office, states that despite the large numbers of citizens who have an internet connection (80% of households in 2012) and actively use online shopping and banking services, it is UK business that suffers:

“Although our study shows that cyber crime has a considerable impact on citizens and the Government, the main loser – at a total estimated cost of £21bn – is UK business, which suffers from high levels of intellectual property theft and espionage”

The forms of cybercrime


The reason so many small businesses are getting caught off guard when it comes to cybercrime and online theft is because they do not know what they are looking for, what they need to protect and secure, or have the appropriate staff/skills to do anything about it. There is a very real shortage of internet security specialists available, and aggressive head-hunting means that they can often be unaffordable to the average small business. “The problem is compounded by the lack of a clear reporting mechanism, and the perception that, even if crimes were reported, little can be done”

The forms of cybercrime that can affect civilians and businesses alike often fall under two main umbrellas:

Identity theft

With identity theft, cyber criminals often obtain personal data from individuals (addresses, dates of birth, bank account details) and exploit it online by opening fake accounts in other people’s names. For the most part, victims are blissfully unaware of what is happening until the impacts become severe.

Online scams

Where cyber criminals obtain financial or other valuable information by fraudulent means, often by tricking people using scams like:

  • Purchase frauds (Receiving payment for an item they never intend to dispatch)

  • ‘Phishing’ (Sending fake money-transfer requests from foreign countries to thousands and thousands of emails at a time)

  • ‘Spear phishing’ (the same as phishing, only with highly personalised e-mails, targeted at specific individuals)

  • ‘Spoofing’ (Encouraging people to enter details into a fake website)

  • ‘Pharming’ (Redirecting website traffic from a legitimate website to a fraudulent site, often styled to look and behave the same)

Some other forms of cyber crime can include:

  • Scareware

  • Fiscal Fraud

  • Theft from businesses

  • Extortion

  • Customer data loss

  • Industrial espionage

  • IP Theft

  • Money Laundering

Whilst a lot of small businesses may feel too small to be affected by cybercrime, stealing a couple of hundred customer details from a completely unsecured business can be worth it for criminals. Similarly, tricking an employee into entering sensitive company data into what they think is a safe site can prove detrimental. There is no such thing as a business too small: the crime is often quick to pull off, relatively anonymous and cheap compared to the outdated style of breaking down doors and stealing physical money.

What do cybercriminals target?

Unlike a physical robbery, where the victim will lose their property in the act, the theft of information by cyber criminals might not, and in most cases won’t, result in the loss of anything physical at all. In many cases, it might not even result in the loss of anything digital either, as copying data is just as easy and leaves the original data exactly where it was (therefore making it even harder to spot until it’s too late).

Information stolen by cyber criminals often falls under the following categories:

Bulk business data

Usually consisting of sensitive customer information (such as addresses or financial details). Any associated data breaches can carry large regulatory penalties for the affected business, not to mention the huge reputational damage. Sony were fined £250,000 in 2011 for a breach of their PlayStation Network.

High Value IP

The types of IP (intellectual property) most likely to be stolen by cyber criminals are designs, methodologies and trade secrets. This can include anything from product prototypes, corporate strategies and documents detailing business processes to staff details, skill sets or descriptions of company weaknesses. This is the equivalent of someone stealing your personal diary, and using it to bring you down, or outperform you at something.

Tactical Corporate information

This is often low-volume, short-term sensitive information. Think bid prices, share-price sensitive information or other important communications. This will have a high financial impact if it is obtained by the wrong people. Cyber criminals who operate on the stock market often focus on this form of cybercrime, as this information can be very valuable to a criminal who knows what to do with it and who to sell it on to.

How to protect yourself against it

There isn’t really a definitive answer to completely protect against cyber crime. As people become more secure, cyber criminals become more technologically capable. The first step is to know about the dangers of it.

Whilst hiring your own cyber defence consultants or employees may still seem a little far-fetched for your business at the moment, it is important that business owners know the risks of online attacks, and work towards ‘locking’ their online doors. We suggest:

  • Educating yourself on cybercrime

  • Educating your staff on how to avoid becoming a victim of it whilst at work, and at home (See this article by Norton Security)

  • Looking into training staff about the intricacies of cyber security

  • Setting up, if you deem it appropriate, a strategy to hire a few experts in the field of cyber security, or hiring a consultant.

Sources:
http://www.wired.co.uk/news/archive/2014-11/17/kpmg-big-companies-should-hire-hackers
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/246749/horr75-summary.pdf
http://www.bbc.co.uk/news/uk-politics-12492309
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60943/the-cost-of-cyber-crime-full-report.pdf
http://uk.norton.com/prevention-tips/article