We have seen how the pandemic has compromised cybersecurity, with cybercriminals and scammers taking advantage of a reduced level of security at some companies resulting from the unexpected and rapid rise in homeworking.
When it comes to the alarming statistics and reports around cybercrime, it appears that no industry or sector has remained unscathed. Attacks have often crippled victims’ IT systems and forced them to pay out huge ransoms to get back online or to see their data returned. Such is the threat that cyber security was listed as CEOs’ top issue in KPMG’s 2021 CEO Pulse survey – beating regulatory, tax and supply chain concerns.
Given the coverage of such large-scale attacks, there might be the misconception that cyber-attacks or data breaches are things that only happen to larger companies. But small organisations are just as much at risk of suffering a cyber-attack as their larger counterparts.
A perfect storm
The disruption caused by the pandemic, combined with establishing a new remote workforce, has resulted in a surge of sophisticated cyber-attacks and breaches. Recent research shows that 86% of UK cyber-security professionals said attacks increased due to employees working remotely.
Similarly, the rush to establish remote workforces led to organisations inadvertently relaxing security or misconfiguring devices. These gaps in traditional cyber defences, combined with changing working patterns, made it more difficult to spot potential attacks, meaning that the pandemic created a ‘perfect storm’ for cyber-attacks.
According to figures from the UK Department for Digital, Culture, Media and Sport (DCMS), two in five businesses and more than a quarter of charities have in recent times reported having cybersecurity breaches or attacks.
Elsewhere, a lack of expertise is having the greatest negative impact on cyber resilience within small businesses, according to a poll run by Infosecurity Europe. Almost half believe small companies bear responsibility for educating and supporting themselves in becoming cyber resilient.
However, when asked how the pandemic has affected their spending on cyber resilience, a quarter of small businesses (24%) say they have spent less. Only 18% have spent significantly more, while 43% say that ‘little has changed’.
Understanding the threat
This underlines how critical it is for smaller businesses to realise that they can be an easy target for cybercriminals and fraudsters. With businesses implementing hybrid working post-pandemic, they have become susceptible to frequent automated attacks, which place them in a vulnerable position.
Now more than ever, firms need to focus on their bespoke security needs as businesses’ IT architecture becomes more complex. Cybersecurity and IT support are actually different jobs, with security now being a separate standalone discipline. For any SME to assume that its IT support is looking after its security, when in reality it may not be, is not only dangerous but could have huge ramifications for firms and their clients.
“Any business that holds either their own or their clients’ confidential data that is involved in financial transactions, or relies on technology systems and platforms to operate on a daily basis, provides cyber criminals with an opportunity for payment diversions, data theft, and ransom demands,” says Damian Wasey, chief commercial officer at cybersecurity support firm, Mitigo. This threat also means that smaller firms are being squeezed out of supply chains because they cannot satisfy their contractor cybersecurity requirements.
“This is hardly surprising,” he adds. “Larger companies are becoming aware that in this connected world, the bad guys are using smaller suppliers to infiltrate their own defences.”
Complacency among firms
So, are firms too complacent about security? According to the NCSC Cyber Security Breaches Survey 2021, there are some worrying signs of complacency among UK businesses when it comes to cyber threats.
It says fewer businesses are using security monitoring tools to identify abnormal activity that could indicate a breach. This suggests firms are less aware than before of the breaches and attacks staff are facing. The figure has dropped five percentage points since last year to one in three firms. Only 83% of businesses have up-to-date anti-virus software – also down five percentage points from the previous year.
Nearly half of businesses (47%) have staff using personal devices for work, but only 18% have a cybersecurity policy on how to use those personal devices at work. Less than a quarter of businesses (23%) have a cybersecurity policy covering home working.
NCSC Cyber Essentials
NCSC Cyber Essentials is a government-backed scheme that helps firms protect their organisation, whatever the size, against a range of the most common cyber-attacks.
A readiness tool asks a series of questions to help prepare businesses to achieve the Cyber Essentials certification. The tool asks questions about use of hardware, software, and boundary devices such as firewalls, as well as use of passwords and protections against malware.
Upon completion of the survey, organisations are presented with a bespoke action plan that outlines the steps needed to prepare for the certification process. Visit NCSC Cyber Essentials.