Author Trevor Clawson
Britain’s small and medium-sized businesses have never been at greater risk from cyber attack, and yet 50% of companies are not looking for digital security skills when they take on new IT staff, according to a new survey by online recruitment company CW Jobs.
UK government figures released in 2017 suggest that seven in ten ‘large’ businesses have fallen victim to cyber attack over the last year while 45% of small companies identified at least one security breach during the same period. And the threat appears to be growing. In its latest assessment of digital crime – released in September – European law enforcement agency Europol said there had been an unprecedented wave of attacks over the past year.
Businesses of all sizes are under threat, but as the CW Jobs report points out, smaller companies may be in particular danger, not least because they lack the in-house resources that would enable them to deal effectively with attacks.
Businesses are facing a broad range of threats from an increasingly sophisticated criminal underworld. The traditional image of the malicious hacker as a lone wolf out to attack individual companies for personal, political or monetary reasons has given way to a broader and perhaps more alarming picture of organised criminal groups using all the technologies at their disposal to target companies.
According to Andy Baxter, CEO of e-commerce platform Internet Gardener, SME businesses are often seen as easy prey.
“We often associate fraud with larger corporations, but it’s important not to forget the huge issue that fraud plays for SMEs,” he says. “Within the last few years studies have shown that SMEs with more than nine employees are most likely to fall victim to fraud.”
Online criminal activity is continually evolving but as things stand, small and medium-sized businesses face a number of very specific threats. Of these, ‘phishing’ is probably the most common. A typical phishing attack will involve a fraudulent email purporting to come from a colleague or a partner company, which invites the recipient to click on a link. In most cases, once the call to action has been heeded, malware or spyware is downloaded onto the company’s system. This can be used to gather information or – more probably – harvest bank account or transaction details. In a variation on a theme, a phishing attack might involve the victim linking to a fake website – perhaps a bank – where he or she is invited to key in account details.
Phishing attacks are dangerous because information breaches may go undetected for some time. A newer phenomenon – namely ransomware – has an immediate impact. Once again, malware is delivered via an email link but in this case, the malicious software locks up key files on the company’s system. The attackers will then demand a ransom in return for unlocking the files.
These forms of attack can spread rapidly because the malicious software is typically also programmed to read the contacts file of the victim company’s mailbox and resend the original message. So while the original target may be a large company, dozens or perhaps thousands of small businesses could also receive the infected message.
Meanwhile, cybercriminals are also mounting low-tech confidence-trick attacks. Individuals within companies receive apparently genuine instructions from a CEO or Finance Director to pay a client. The member of staff dutifully obeys and the money is transferred to a criminal bank account.
Paul MacPherson, head of Security at online accountancy firm Xero, recommends a number of measures to reduce the risk of fraud, including installing security software, upgrading existing systems, backing up files securely, setting up secure passwords and raising awareness among employees. But as he acknowledges: “Safeguarding against cyber attack requires consistency, intelligence and forethought.”
The Skills Shortages
So, a key challenge facing employers lies in implementing policies and procedures to limit the chances of an attack achieving its objective, while also putting in place and maintaining all the necessary technical defences – firewalls, anti-virus software, etc. This inevitably requires teams who understand the vulnerabilities of the system and who can also act quickly when a breach occurs.
But the CW Jobs report points to genuine gaps in available expertise. More than three-quarters of employers said they were struggling to recruit cyber-security experts, blaming skills shortages and competitive hiring.
But training policies – or the lack of them – may be contributing to the skills shortages. A large majority of employers (75%) expect universities to educate computer science students in security skills. Internally, very few (22%) are taking it upon themselves to provide relevant training to existing staff. When graduates were asked about their own experience, a majority said they had not received sufficient training. With neither employers nor universities and schools providing security education, the skills gap seems likely to continue for some time.
So what is to be done? Inevitably employers are looking to the government for more help, with 65% calling for more investment. According to Dominic Harvey, CEO of CW Jobs, there is some light at the end of the tunnel in the shape of plans put on the table by Westminster.
“The government has started taking steps to address the skills gap with plans to treble the number of computer science teachers in schools, introduce a national centre for computing, and boost digital skills with the provision of distance learning courses,” he said.
And with just over half of employers pledging to provide training for entry-level staff, Harvey sees further hope that the security-related skills shortages will ultimately be addressed.
In the meantime, though, a rising digital security threat, coupled with a shortfall in fully trained staff, suggests that SMEs will be particularly exposed to the activities of online criminals.