Could your SME be the next cybercrime target?

Published: 17 October 2018

Imagine your CEO is on holiday. You receive an email from her saying that she needs funds to be released in order to make an urgent payment. The email address looks like her usual one and it addresses you by name. Nothing looks suspicious. So you release the funds, right?

If you did, you’ve been successfully ‘spear-phished’ and the business will probably never recover that money.

It’s not just big businesses that are susceptible to cybercrime. It’s SMEs as well. These smaller businesses are arguably even more vulnerable, considering they frequently don’t have the awareness or resources required to mitigate the threat. In fact, no one is safe. Cybercrime has become so pervasive that the World Economic Forum named it one of the top three global risks for 2018.

In the latest Santam-hosted BDTV panel discussion, Simon Colman, Executive Head of Digital Distribution at SHA Specialist Underwriters; Colin Thornton, Managing Director of Turrito; and Macleod Burrill, co-founder and General Manager of IT security consultancy Cybersafe, discussed how small businesses can protect themselves from all kinds of cybercrime.

Here are some of their key findings:

For a small business, cybercrime can have devastating consequences. Think of a boutique guesthouse. If it gets hacked and can’t take bookings for a few days in the busy season, imagine the effects of this. There are often big financial implications from cybercrime, not to mention liability issues and reputational damage. For example, if an SME gets hit and clients’ personal information gets leaked, the business could be sued.

The problem is that small businesses often operate under the false assumption that they’re too insignificant to be targets. But the simple fact is that if you have computers that link out to the Internet, then you’re at risk. Two big issues exacerbate small businesses’ vulnerability:

  1. Lack of awareness
  2. The perception that it costs too much to protect the business

Panel member Burrill mentioned that his company sees many SME customers dealing with ransomware attacks on a weekly basis. This is in line with SHA’s statistics, which show that cybercrime has touched over 30% of small businesses in the last 24 months. Importantly, these hacks don’t target specific industries or kinds of organisations, but rather all businesses across the board.

The different types of cybercrime small businesses are likely to be hit by:

  1. Kind of cybercrime: Data theft

How it works: Criminals hack into your system to steal sensitive information – usually your clients’ or employees’ data. The data is then either sold on the dark web (a part of the internet invisible to most users) or the business is blackmailed into paying a sum of money to avoid the publication of the data, which would result in reputational damage (and possible litigation from customers).

Who gets targeted? If you keep any kind of sensitive information then you’re more at risk. For example, a small attorney’s office is obviously a more fruitful target for this kind of hacker than a curry restaurant.

What can small businesses do? Firstly, know that you’re vulnerable to attack. Realise that anti-virus software isn’t enough – you need the right hardware, firewall software and endpoint security. Confused? Then you also need an expert to advise you on what you need!

Important to know: The EU General Data Protection Regulation (GDPR) has just been introduced and South Africa’s Protection of Personal Information Act (PoPI) should come into full effect soon. Businesses are legally obligated to do everything they can to protect data – and there’ll soon be harsh penalties imposed for breaches. If your business deals with any kind of personal information – even usernames and passwords – you need to be aware of the PoPI Act and you need to put the necessary policies and procedures in place.

  2. Kind of cybercrime: Phishing

How it works: Traditional phishing involves a blanket mail being sent to thousands of people in the hope that someone will click the included web link and get tricked into giving away private information, like credit card numbers, usernames and passwords. A big trend now is spear-phishing.

Spear-phishing is targeted at a specific individual – you could receive an email personally addressed to you from your ‘bank’ or your ‘boss’ asking you to check your details or immediately release funds. This is a lot more dangerous and malicious, because the sender obviously knows who you are, where you work, where you bank, the name of your boss… From a small business perspective, individual employees get targeted, so it’s imperative that all team members are aware and NEVER disclose sensitive business information or release funds unless this action has been authorised by multiple people face-to-face or over the phone. People also need to be incredibly careful with their personal and professional details – the Internet and social media have made our lives transparent, and criminals are using this to their advantage.

If you get spear-phished and release funds, call the bank immediately to try to cancel the payment. Unfortunately, by the time people realise, it’s often too late.

What can small businesses do? Pay more attention and get staff to do the same. Educate team members so they always examine emails carefully and never click through to a website via an email link. There are software solutions that scan emails and international servers to filter out ‘bad emails’. But it’s also a case of everyone doing due diligence and being aware of risks.
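The panel’s advice above boils down to a handful of checks that a person (or a mail filter) can make on every message: does the display name match the address we have on file for that person, does the address merely look like the real one, does the Reply-To send answers somewhere else, and is the message pushing for an urgent payment? The script below is an added example written for this article, not code from Santam or the panel members. The trusted-contact list, the address examples and the sample email are constructed for illustration.

```python
"""Flag emails whose sender impersonates a known contact.

Added example (not from the article or its panel). It assumes a small,
hand-maintained list of trusted contacts (constructed below) and checks a
message's headers and body for the indicators the article describes: a
look-alike address for a known person, a Reply-To that goes elsewhere, and
urgent language about releasing funds.
"""
import email
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Hypothetical trusted-contact list: display name -> the one real address.
TRUSTED = {
    "Jane Dlamini": "jane.dlamini@example-sme.co.za",
}

# Words that, taken together, signal a "release funds now" request.
URGENT_MONEY = ("urgent", "immediately", "release funds", "payment", "transfer")


def lookalike(addr: str, known: str) -> bool:
    """True if addr is nearly (but not exactly) the known address,
    e.g. one swapped letter or a near-identical domain."""
    if addr == known:
        return False
    return SequenceMatcher(None, addr, known).ratio() >= 0.85


def spearphish_indicators(raw: bytes) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []

    # 1. Display name of a trusted person, but a different address behind it.
    known = TRUSTED.get(name)
    if known and addr != known.lower():
        if lookalike(addr, known.lower()):
            findings.append(f"'{name}' is a trusted contact but {addr} is a look-alike of {known}")
        else:
            findings.append(f"'{name}' is a trusted contact but {addr} is not their address")

    # 2. Replies would be routed to a different mailbox than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr:
        findings.append(f"Reply-To {reply} differs from From {addr}")

    # 3. Urgent-payment language in subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    subject = msg.get("Subject", "").lower()
    hits = [k for k in URGENT_MONEY if k in text or k in subject]
    if len(hits) >= 2:
        findings.append("urgent payment language: " + ", ".join(hits))
    return findings


# Constructed sample: the 'CEO on holiday' message from the article's opening,
# with a digit 1 in place of the letter l in the domain.
SAMPLE = b"""From: Jane Dlamini <jane.dlamini@examp1e-sme.co.za>
Reply-To: jane.dlamini@webmail-example.net
To: accounts@example-sme.co.za
Subject: Urgent payment

Hi, I'm travelling and need you to release funds immediately for a supplier
payment. Please transfer today.
"""

# Constructed legitimate message from the same contact for comparison.
LEGIT = b"""From: Jane Dlamini <jane.dlamini@example-sme.co.za>
To: accounts@example-sme.co.za
Subject: Minutes from Monday

Attached are the minutes, no action needed.
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("legit", LEGIT)):
        print(label, spearphish_indicators(raw) or "no indicators")
```

None of these checks proves a message is fraudulent; the point of the script is that the first two are things a human rarely notices in a mail client (which shows the display name, not the address), so they belong in an automated filter, while the third is the cue staff should be trained to treat as a reason to confirm by phone.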

  3. Kind of cybercrime: Ransomware

How it works: Ransomware is malicious software (malware) that takes over a computer and then holds data hostage – sometimes a whole site – unless the business or individual pays up, often in Bitcoin or another cryptocurrency. If you pay, you’re usually given a decryption key which restores your data. Ransomware usually gets access through phishing, or it finds a security ‘hole’ that lets it in.

What can small businesses do? Most importantly, you need to do regular back-ups. In an ideal world, you’d simply delete the encrypted information and upload the back-up and restart. If you don’t have a back-up, this won’t be possible. If you do pay up, you run the risk of being targeted again. And there’s also no actual guarantee the hacker will give you the decryption key.
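The ‘delete the encrypted data and restore the back-up’ plan only works if the back-up is complete and can actually be restored, which is the part most small businesses never test. The script below is an added example written for this article, not code from Santam or the panel. It assumes plain files on local disk and a snapshot directory; keeping that snapshot somewhere the infected machine cannot reach (an offline disk or a separate account) is outside the script. The scenario it runs through is constructed: make a back-up, verify it, make the live files unreadable, restore, and confirm the restored copy matches.

```python
"""Snapshot a working directory, verify the copy, and test-restore it.

Added example, not from the article or the panel. Assumes ordinary files
on local disk; the sample data and the 'loss event' are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, dest: Path) -> Path:
    """Copy src into a new numbered snapshot under dest and record a manifest."""
    count = len(list(dest.glob("snapshot-*")))
    snap = dest / f"snapshot-{count + 1:04d}"
    shutil.copytree(src, snap / "data")
    (snap / "manifest.json").write_text(json.dumps(manifest(snap / "data"), indent=1))
    return snap


def verify(snap: Path) -> bool:
    """Re-hash the snapshot and compare with its manifest; catches truncated or altered copies."""
    expected = json.loads((snap / "manifest.json").read_text())
    return manifest(snap / "data") == expected


def restore(snap: Path, target: Path) -> bool:
    """Copy the snapshot into target and confirm the result matches the manifest."""
    shutil.copytree(snap / "data", target, dirs_exist_ok=True)
    return manifest(target) == json.loads((snap / "manifest.json").read_text())


def demo() -> tuple:
    """Constructed scenario: back up, lose the live data, restore, and detect a damaged snapshot.

    Returns (snapshot verified, live data damaged, restore matched original,
    tampered snapshot detected)."""
    work = Path(tempfile.mkdtemp())
    live, store, restored = work / "live", work / "store", work / "restored"
    live.mkdir()
    store.mkdir()
    (live / "invoices.csv").write_text("id,amount\n1,500\n")
    (live / "notes").mkdir()
    (live / "notes" / "a.txt").write_text("hello")
    original = manifest(live)

    snap = backup(live, store)
    ok_before = verify(snap)

    # Simulate the live files becoming unreadable (overwrite with random bytes).
    for p in live.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(32))
    damaged = manifest(live) != original

    restored_ok = restore(snap, restored) and manifest(restored) == original

    # A back-up that was itself damaged must fail verification, not restore silently.
    (snap / "data" / "invoices.csv").write_bytes(b"")
    tamper_detected = not verify(snap)

    shutil.rmtree(work)
    return ok_before, damaged, restored_ok, tamper_detected


if __name__ == "__main__":
    print(demo())  # expect (True, True, True, True)
```

The manifest is the important part: a back-up job that copies files but never re-reads them will happily keep an incomplete or corrupted snapshot for months, and the first time anyone discovers that is during the restore the article describes.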

  4. Kind of cybercrime: Hacking of Internet of Things (IoT) devices

How it works: Firstly, the IoT refers to the connection of the Internet to everyday objects that have computing devices embedded within them. From a small business perspective, this would include things like a printer with an IP address, IP cameras, a router, laptops and smartphones. Basically, any connected device is vulnerable if it doesn’t have some kind of protection. Even company cars – as shown by the Jeep that got ‘hacked’. This kind of cybercrime is only going to get more pervasive as we become increasingly reliant on technology. Consider the implications if Siri, Apple’s ‘assistant’, or Alexa, Amazon Echo’s voice assistant, got hacked, for example. The hacker would basically know almost everything about your life.

What can small businesses do? Not much at the moment, to be honest. Protect your perimeter, set up firewalls and get cybercrime insurance. For as little as R5-10k a year, you could get over a million in cover. It’s cheaper than car insurance. And honestly, you’re more likely to be hit by ransomware than by a car.

The average SME hack attack can cost a small business anywhere between R50,000 and R250,000 to recover from, whereas the average monthly cybercrime insurance premium is generally less than R1,000. It seems like easy maths.

Finally, here are the panel’s top safety tips for all kinds of cybercrime:

  1. Think before you click on any link in an email.
  2. Educate your team on what to look out for.
  3. Do back-ups. Regularly. And keep these in a safe place.