Cyber risks are universal. First, it’s clear no business is too small to escape the attention of attackers. Symentec’s recent survey of incidents in 2015 shows that nearly half of attacks logged globally targeted companies with fewer than 250 staff.
Sometimes smaller firms are seen as a back-door to the larger clients they service. We know high profile data breaches in the past, such as those of Target and Home Depot, have been the result of breaches in the security of their vendors. In other cases, as Symantec’s chief strategist explained, it is because small firms are seen as a “soft target”.
Occasionally – as when ISIS turned its attention on a micro business in East Sussex supplying solar panels – there seems to be no rational explanation at all.
In any case, small businesses must be prepared for not just an attack, but a successful one: Three quarters of SMEs in 2015 experienced a security breach, the BSI points out. As threats proliferate, that figure is unlikely to fall.
Equally, though, it’s also clear that no business is so big – or so sophisticated in terms of its cyber defences – that it’s invulnerable to attack. In fact, far from it.
Two recent attacks illustrate that well. One is the hard-to-credit theft of $80m (£56m) from Bangladesh’s central bank in February. As recent reports make clear, this was largely down to the appalling state of security at the bank.
Even in a poor country like Bangladesh, the central bank can expect to be reasonably resourced. Yet reports last week suggest the theft was facilitated by the bank’s decision to skimp on basics. The country’s reserve bank was operating without a firewall and using second-hand $10 routers.
Even where the technology’s right, though, people can get it badly wrong. Again, no one is immune; Internet security firm Malwarebytes, for instance, nearly fell for a “fake president scam”, its CEO Marcin Kleczynski admitted recently. The company’s CFO, receiving a fraudulent email purporting to come from Kleczynski and requesting a wire of $52,000, actually uploaded it. It was only caught because the company’s internal processes require a two-step validation. Others, targeted for far more, have not been so lucky – and such attacks are on the rise.
No one is pointing fingers. Some of these frauds are extremely sophisticated. That, though, is all the more reason to be vigilant and to avoid the simpler mistakes. But the main lesson to take away is just this: We must never assume that our systems are safe.