Cyber risks are universal. First, it's clear no business is too small to escape the attention of attackers. Symantec's recent survey of incidents in 2015 shows that nearly half of attacks logged globally targeted companies with fewer than 250 staff.
Sometimes smaller firms are seen as a back-door to the larger clients they service. We know high profile data breaches in the past, such as those of Target and Home Depot, have been the result of breaches in the security of their vendors. In other cases, as Symantec's chief strategist explained, it is because small firms are seen as a "soft target".
Occasionally, as when ISIS turned its attention on a micro business in East Sussex supplying solar panels, there seems to be no rational explanation at all.
In any case, small businesses must be prepared for not just an attack, but a successful one: Three quarters of SMEs in 2015 experienced a security breach, the BSI points out. As threats proliferate, that figure is unlikely to fall.
Equally, though, it's also clear that no business is so big, or so sophisticated in terms of its cyber defences, that it's invulnerable to attack. In fact, far from it.
Big phish
Two recent attacks illustrate that well. One is the hard-to-credit theft of $80m (£56m) from Bangladesh's central bank in February. As recent reports make clear, this was largely down to the appalling state of security at the bank.
Even in a poor country like Bangladesh, the central bank can expect to be reasonably resourced. Yet reports last week suggest the theft was facilitated by the bank's decision to skimp on basics. The country's reserve bank was operating without a firewall and using second-hand $10 routers.
Even where the technology's right, though, people can get it badly wrong. Again, no one is immune; Internet security firm Malwarebytes, for instance, nearly fell for a "fake president scam", its CEO Marcin Kleczynski admitted recently. The company's CFO, receiving a fraudulent email purporting to come from Kleczynski and requesting a wire of $52,000, actually uploaded it. It was only caught because the company's internal processes require a two-step validation. Others, targeted for far more, have not been so lucky, and such attacks are on the rise.
No one is pointing fingers. Some of these frauds are extremely sophisticated. That, though, is all the more reason to be vigilant and to avoid the simpler mistakes. But the main lesson to take away is just this: We must never assume that our systems are safe.