Cyber Risks Every Small Business Must Understand

Introduction

In this article, I'll explain the online risks that every small business must understand the types of cyber-attacks that we're seeing right now, the business sectors that are most exposed, and how GDPR, the EU's data protection law, has increased the obligations of all businesses.

The cyber threat to small businesses has never been greater than now and the financial livelihood of small business owners could be severely impacted by a cyber-attack. 

 Hi, it's John Byrne here entrepreneur, insurance professional, online educator, and founder of Surviving Cyber, where I help small business owners get to grips with cyber risks. This short series of articles about cyber risk and cyber insurance will help you prepare for an incident and keep your small business and your people safe.

I hope you're ready to dive in. This article covers online risks that every small business must understand. Later on, I'm going to share some surprising findings from the 2022 Hiscox Cyber Readiness Report that you'll want to hear.

What this article is about

In this article, we're looking at the sources of risk, threats and incidents that are seen at the moment, and sectors of the economy that are particularly exposed to cyber risk. We'll finish with a look at GDPR and the cybersecurity implications of the legislation.

We begin with the sources of risk. When most people think about cyber risk, they automatically think about technology. There is no doubt that technology is a big part of the puzzle, however, a focus on technology to the exclusion of other sources is a mistake.

The two other pillars of cyber risk are people and governance. And by people risk, we mean the way that people behave in the work environment. It's claimed that 90% of all data breaches or cyber incidents are attributable to people and to the way people click on links or open documents loaded with malware or do something problematic, generally because of a lack of training.

Governance is about how businesses are operated and managed and whether, for example, a business holds itself to any information security standard.

So, these three sources of risk together, technology, people, and governance, are widely agreed to be the three pillars on which cyber risk is best analyzed. Cyber is a complex business risk and not just a technology risk. People's behavior plays a huge part in cyber risk, and good organizational governance is essential to getting on top of this problem.

Cyber incidents and threats that are seen today

Now, I need to say something about the incidents and the types of threats that we're currently experiencing. I will discuss seven different types of cyber-attack.

  • Let's start with ransomware. The frequency and severity of ransomware attacks have dramatically increased in the last two years. Previously ransomware was a relatively simple matter of a cybercriminal encrypting your data and your system and holding you to ransom until you paid a ransom.  The cybercriminal might then release the data or the system by giving you a decryption key. This was ransomware until about 24 months ago. Now the situation is far worse. What the cybercriminals are doing now is extracting the data from your system prior to launching the ransomware. Then following the payment of the ransom, they threaten to release your data on the dark web. So, in fact, they're going for two bites of the cherry. It cannot be overstated how dangerous and how frequent this ransomware threat has become.
  • Phishing is number two on the list. Phishing is where the cybercriminal is pretending to be somebody that they're not - generally, a trusted party, such as a bank or someone with whom you are accustomed to dealing. In a phishing attack, the cybercriminal will send an email demanding information or requesting information. It can be passwords, usernames or something else that's useful to them with the mail coming from either a genuine but compromised email account or an email account that's been created specifically for the purpose of phishing that looks legitimate but isn't. There are many different types of phishing attacks, and these have mushroomed since COVID-19 started. It was estimated that phishing attacks increased by   600% in 2020 because of the stress of COVID-19, and the susceptibility of people to being phished.
  • Number three is Business Email Compromise (BEC) and CEO fraud. These are versions of phishing attacks. Generally, in a BEC attack, an email account is taken over. The emails sent appear to be legitimate, but they're not. Under CEO fraud, the emails appear to be from the CEO and they usually request a payment to be made. They're entirely bogus, but they pull on all the human weaknesses by demanding the payment be made. Generally saying “I'm out of touch and I can't be reached, this is an urgent payment. Go ahead, and I'll sign off later”. Something of that nature would be CEO fraud.
  • Number four is malware. Malware has been around since the 1970s when the first virus programs were found. But malware has become more and more aggressive over the years. So, it never goes away and is always a threat, whether a Trojan, any form of a malicious link, a worm, virus, or any other form of malware, all remain very dangerous for IT systems.
  • Number five is "denial of service", or "distributed denial of service" (DDoS). This is a particular threat to telecom companies, companies that operate large-scale internet service providers, or businesses providing technical services on a big scale. Essentially, what happens here is multiple computers are linked together in an attack demanding service from the target business's IT systems, so much so that causes the systems of the target business to crash and the service to be denied.
  • Number six is social engineering. Social engineering is manipulating human beings to do things that we wouldn't normally do, using all of the psychological triggers that we respond to. These are generally fear, greed, pride, and all of the powerful emotions that run our lives. We're literally “engineered” to do things we shouldn't do and wouldn't normally do.
  • Number seven is hacking. Hacking is injecting computer code into existing programs for the purpose of breaking into a system or for some other malicious purpose. Hacking has been a threat since IT systems began and it never goes away. 

And so, these are the threats that we're seeing every day in Irish and UK businesses. These are very real threats today, especially ransomware, phishing, business email compromise, and social engineering.

What Sectors are being attacked?

You may ask if specific sectors of the economy are under threat. Well, the truth is, all sectors of the economy are under threat. However, there are certain sectors that appear at the top of the list consistently:

  • Banking, insurance, and financial services generally are very close to the top of any cyber-attack list. 
  • Because of COVID-19, we've seen health care and social care, go right to the top as well as people are responding to fear around COVID-19 and are being caught with phishing scams and social engineering of all sorts.
  • Central and local government is generally very high on the list as well, for the same reasons. People need services, especially in a crisis and these organisations hold lots of data, much of it sensitive data. This combination makes for a very attractive target for cybercriminals. 

  • Professional service firms and any form of advisory service firms are always attacked by cybercriminals. Here, we're talking about accountants, lawyers, business consultants, and anybody of that nature. They generally will have attractive data for a cyber-criminal to steal. Business services firms have all the same issues. 

  • ICT and Telecoms businesses are high on the list. There's an irony here because we often look to IT firms to protect us and provide advice. The sad thing is that in fact, those firms are themselves targets for cybercriminals. And so, the very people we rely on for our own security can be targets and can be a weakness in facilitating the cyber-attack on our businesses.  
  • Charities and not-for-profits have always been attacked by cyber criminals because they tend to have a less professional organisation structure, have a lot of volunteers involved, and may not be as well protected from cybercriminals.  

  • Educational firms, universities, and all other providers of education have been hit, particularly in recent times, related to COVID-19. Universities are seen as attractive targets because they carry out educational research, they hold grant data, and lots of nice, attractive data for a cybercriminal to steal. This is in addition to all of the student records held. 
  • Construction - you might think this would be a low target - but actually, lots and lots of construction firms have been hit by cybercriminals.  

  • Utility Businesses are an obvious risk for a cyber attack. The entire Ukrainian grid was taken down allegedly by Russian hackers some years ago – in the years before the current war in Ukraine. 
  • In recent years, cyber incidents against transport companies would include British Airways and other airlines that have suffered large-scale data breaches.

  • Hospitality and recreation - again, due to COVID-19, hotels and hotel groups have been hit. The Marriott hotel chain, for example, was a victim of a large-scale data breach. Unfortunately, there have been lots of hacks and lots of big data breaches in hospitality.

  • And finally, the retail and wholesale sector - retail companies tend to have huge databases of people and lots of credit card information. This is very attractive from the cyber hackers’ point of view.

So that's a quick run through the sectors that are most often attacked by cybercriminals.

The General Data Protection Regulation (GDPR) and Cybersecurity

Article 32 of the General Data Protection Regulation deals with cybersecurity insofar as it relates to the GDPR and it takes a very interesting approach. “Individuals, data controllers and data processors should implement appropriate technical and organizational measures to ensure a level of security appropriate to any potential risk”. 

Now, this wording is very carefully chosen, and the implications are broad. It requires that the data controllers and data processors implement appropriate technical and organizational measures but doesn't define what they are. However, the measures must be sufficient to ensure a level of security that's appropriate to potential risks.

So, the onus is on the data controllers and data processors to figure out what technical and organizational measures are appropriate to the risks that they incur. And of course, getting this wrong will involve brand damage, reputational damage, and potential fines and legal penalties for the companies involved.

GDPR has driven greater activity in the whole area of data protection legislation, with 315 fines in 2020 alone. 128 countries now have data protection and privacy legislation in place, probably spurred on by developments like GDPR. 154 countries have cybercrime legislation according to UN data.

A shifting focus for GDPR actions 

There has been an interesting change with regard to the focus of legal actions around GDPR. Whereas previously, data breaches were the focus, now civil liability actions are coming to the fore throughout Europe. And in Ireland, where I am based, cases are growing also. All of these cases are alleging the failure to have “appropriate technical and organizational measures to ensure a level of security appropriate to the potential risk”. This is the wording that we saw earlier in the GDPR.

So people are taking action alleging that the cybersecurity was inadequate, essentially. The big unknown with these actions is what's known as “non-material loss”. This type of loss does not require quantification of a financial loss. Data protection commissioners throughout Europe are looking to take more enforcement actions around article 32. So, GDPR  is giving rise to an increased risk profile.

Some Surprising Findings

Earlier in this article, I said that I was going to share some surprising findings from the 2022 Hiscox Cyber Readiness report that you'd want to hear.

  • Finding number one is that the top two types of attack were IT resource misuse, at 32%, and payment diversion fraud, at 31%. Both of these seemed to represent more of a threat than ransomware at 19%. The survey makes the point that these two attack types- the misuse of IT resources and all forms of payment diversion fraud - needed to be addressed.
  • A second finding from the survey was that the top three most common methods of entry to a target company were through cloud servers at 41%, through business email, an equally high 40%, and through corporate servers at 37%. This is an interesting finding because the cybercriminals changed their method of attack to cloud servers as they saw the target companies move to the cloud, spurred on by the COVID-19 pandemic.

  • And finding number three was that the average number of attacks rose for most business sizes, as the hackers devoted more attention to mid-sized and small-sized businesses. Examples of this were the group of businesses with 250 to 1000 employees, where the average number of attacks rose to 69. In the group 10 to 49 employees, the average rose to 56 attacks. And even for the micro companies with less than 10 employees, the average number of attacks rose to 40. We can clearly see that cybercriminals are adapting their tactics to the environment that they find and increasingly attacking smaller companies.

Conclusions

I'll end the article today with some final questions that might give you pause for thought taking into account what you've learned in this article:

  1. What's your business exposure to the sources of risk that I've outlined?
  2. What’s your business exposure to the types of cyber incidents outlined?
  3. What's the sector exposure inherent to your type of business?
  4. Are you really GDPR compliant, considering the cybersecurity requirements of GDPR?
  5. Should your business now be concerned about cyber risk?

Thanks so much for reading today's article. I hope you found it useful to know the online risks that all small businesses must understand.

Now, before you go, I want to give you access to my free cyber resilience video workshop, “How small business owners can create their first cyber resilience plan in less than 30 days”. It's full of practical tips that you can implement. You should use the link pages.survivingcyber.com/workshop to get access now.

I hope to see you again soon for article three in the series, where we ask: “Cyber-attack: is your small business ready?”