Types of cybercrime and how to prevent it
Barely a week goes by without cybercrime hitting the headlines, but stories tend only to involve major cases that affect huge corporations.
The reality is that any business is at risk of attack, which means every business needs to be aware of the dangers and how to minimise them.
In this article, we take a comprehensive look at the cyber threats small business face.
‘Cybercrime’ is a sweeping term that covers many areas, the biggest of which is data theft. Data is so appealing to criminals because it’s valuable and easily transported. Stealing £2,000 worth of stock might require a couple of hours and a small van, but data worth millions can be taken in minutes – and by a cybercriminal based anywhere in the world.
For a small business, even an attack that results in a relatively small loss can be catastrophic. A 2016 survey by the Federation of Small Businesses found that the average cost of cybercrime for its members was almost £3,000. That’s enough to wipe out a start-up’s working capital.
Regulations set by the EU in 2018 also mean any business could face fines of up to 4% of annual turnover for failing to protect customer data, and that could be ruinous for anyone. So what’s to be done?
The multi-faceted nature of modern cybercrime means that there isn’t a single technological countermeasure.
Here are four of the most common types of cybercrime, according to the Federation of Small Businesses (FSB).
- Phishing – web sites, phone calls and spam emails that appear legitimate, but are actually scams designed to acquire private data. Phishing accounts for 49% of reported cybercrime across all sectors, according to the FSB. ‘Spear phishing’, where an email appears to be from a known person or organisation, accounts for 37%.
- Malware – malicious software installed inadvertently, usually by visiting a malware-infected (but otherwise genuine) website, or by opening an attachment from a phishing email. Malware can be used for anything from spying on keyboard input to infiltrating secure networks, and accounts for 29% of reported cybercrime.
- Denial of Service (DOS) – a mass orchestrated attack that floods a computer system (often a website) with countless requests for information, rendering it incapable of responding to real users. DOS attacks typically rely on ‘botnets’ – vast networks of hacked and remotely controlled computer systems – and make up 5% of attacks.
- Ransomware – a type of malware that locks users out of a computer system, often by encrypting its data, and threatens deletion until a ransom is paid. 4% of small businesses have reported ransomware attacks, according to the FSB, while other research reckons 54% of all British businesses have been targeted.
Small businesses fall victim to cybercrime twice a year, on average, so it’s a case of ‘when’ rather than ‘if’ when it comes to an attack – and you need to be ready.
Relying on common sense as a countermeasure for social engineering attacks isn’t enough (remember that 49% figure for phishing attacks), but staff training can make a huge difference. Identifying sophisticated phishing spam by sight may not be easy, but knowing that legitimate organisations never ask for login details by email is more easily remembered.
1. Staying up-to-date is essential
Sensible and well-implemented IT policies are also key and these needn’t be complex. For example, a 2016 survey by Manta revealed that 61% of small businesses were still using versions of Internet Explorer that were up to eight years old. Older web browsers present gaping security holes for cybercriminals to exploit. Simply upgrading to the latest version of a browser will block most web phishing attempts and a wide range of other web-based attacks.
2. How the cloud can help
Cloud backup services are the obvious answer here. Secure and redundant offsite storage is expensive, but cloud storage makes it much more affordable – and there’s no backup hardware to maintain. With backups available instantly in any place, lost data can be restored quickly in the event of a serious attack and business resumed with minimal disruption.
The cloud is also an invaluable asset for other security measures. Cloud hosting makes web sites much more resilient to DOS attacks than self-hosted setups, for example, since providers can rapidly deploy additional hardware (and considerable expertise) to cope with even the most determined. Again, these resources are ordinarily beyond the reach of even sizable businesses, but the cloud makes them affordable to even the smallest.
3. If an attack happens
The complexities of cybercrime mean there can be no guaranteed defence, but a clear plan for limiting the damage caused should an attack succeed will make a big difference in the days that follow.
Most important here is knowing when an attack has actually happened and that’s not always easy. Unlike more traditional crime, cybercrime can leave few traces. Research by online security company Trustwave found that the average time between an attack and its discovery was 80.5 days – ample time to cause irreparable financial and reputational damage.
Intrusion detection needs more than just up-to-date anti-malware software. Computer systems require constant monitoring to detect abnormal behaviour, but that obviously hinges on what constitutes ‘normal’ behaviour. So if you have limited expertise and resources, you should seek expert help – don’t wait for a customer to break the news of a security breach on social media.
4. Dealing with data breaches
Other steps depend on the type of attack. Where data theft is involved, locking down the affected systems to limit further damage should be a priority, as should identifying the target.
The appropriate classification of sensitive data will also help. Just like a pre-prepared inventory of office equipment will help assess the loss following a break in, knowing the kind of data that’s been stolen will help determine a suitable course of action. There may not be great cause for concern if a list of supplier names has been illegally accessed, for example, but the same can’t be said when it’s a list of customer credit card details.
Affected parties also need to be notified about data breaches as soon as possible, along with relevant law enforcement agencies. Depending on your type of business, you may also need to inform the Information Commissioner’s Office within 24 hours of discovering the breach.
A public statement may also be necessary, but keep this simple and factual, and follow the advice of security experts and law enforcement, where appropriate.
Small businesses alone deal with around seven million cases of cybercrime each year, with annual combined losses reckoned to be some £5.26 billion. Attacks are also on the rise, thanks largely to the lack of adequate defences, and losses from a successful attack can be terminal.
So awareness of the threats posed by the various forms of cybercrime is essential, as is taking the steps necessary to mitigate against them.
It’s also advisable to take advantage of UK government initiatives for dealing with cybercrime. The 2016 National Cyber Security Plan will spend £1.9 billion between 2016 and 2020 on a range of measures, for example, including a new national cyber security centre that will provide advice and support on managing attacks.
Simply defending against cybercrime is not enough – small businesses need to be proactive, and those that understand and act on this advice now will reduce their risks and improve performance.