What is cybercrime?

Most companies now use the internet to do business, to advertise and sell, find new markets, customers and staff, communicate with customers and suppliers, and carry out financial transactions. The internet brings huge business opportunities and benefits. But it also brings risks. Every day there are attacks on the IT systems of UK companies like yours, attempting to steal your information and money, or disrupt your business.

Cyber crooks target businesses mainly for financial gain, either directly through ransomware or indirectly by stealing company IP or customer data to sell. Here are some of the most common attacks: 

  • Phishing - Hackers use phishing scams to entice victims to part with personal data. This usually comes via a link presented in an email, SMS or instant message. 
     
  • SQL injection - An SQL injection happens when a cybercriminal inserts malicious SQL code into the input of a webpage or application so that its database query gives them access to data. 
     
  • Malware - Malware is malicious software designed to cause harm to a targeted computer or server. Viruses and worms are malware, as is ransomware, which is often launched as part of a phishing attack.
     
  • Denial-of-Service attacks - A denial-of-service cyberattack is performed by hackers to halt the operation of an online service and might be carried out by inundating a system with requests or traffic, rendering it unusable.
      
  • Man-in-the-Middle attacks - During a man-in-the-middle cyberattack, a cybercriminal will intercept conversations, transactions and the transfer of data between the victim and a service they’re trying to use. 

Why should you care?

If you have never been the victim of cybercrime, it’s hard to picture your business as a target. The news tends to focus on big companies, such as BA or TalkTalk, as the targets, with millions of credit card details or customer data records stolen. If your company doesn’t hold that sort of data, why would you be a target?

The truth is that small and mid-sized businesses are easy scores for cybercriminals and the volume of attacks is increasing. Any successful business, irrespective of size, is vulnerable to attacks such as ransomware – would your company pay out £20,000 to get all your IP and customer data back, or survive losing all that information and the fines that follow? Using off-the-shelf applications costing a few hundred pounds, these cyber crooks are not looking for big targets. They are looking for lots of small payouts, and any business that makes money is a target.

Sadly, the UK statistics paint a clear picture:

  • Up to 88% of UK companies have suffered breaches in the last 12 months
     
  • One small business in the UK is successfully hacked every 19 seconds. Around 65,000 attempts to hack small- to medium-sized businesses (SMBs) occur in the UK every day, around 4,500 of which are successful. That equates to around 1.6 million of the 5.7 million SMBs in the UK per year.
     
  • 37% of UK companies have reported a data breach incident to the Information Commissioner’s Office (ICO) in the past 12 months. 17% had reported more than one incident.
     
  • Data breaches cost UK enterprises an average of £2.95 million per breach
     
  • 33% of UK organizations say they lost customers after a data breach
     
  • 44% of UK consumers claim they will stop spending with a business temporarily after a security breach, and 41% claim they will never return to a business post-breach
     
  • 48% of UK organisations were hit by ransomware in the last year
     
  • The average remediation cost of a successful ransomware attack to UK enterprises is £638,000 
     
  • One in every 3,722 emails in the UK is a phishing attempt 
     
  • Around half of cyberattacks in the UK involve phishing 
     
  • Twenty-two percent of UK organizations do not provide their employees with regular security awareness training for email. 

What can you do about it?

You can never be totally safe, but most online attacks can be prevented or detected with good security practices for your people, processes and technology. These security practices are as important as locking your doors or putting cash in a safe. You can manage your online security in the same way you would protect any other aspect of your business. With more customers demanding that their suppliers are secure, this is becoming a business necessity.

You don’t need to be an IT expert to improve your security. Simple measures can make all the difference. You can save money through adopting an efficient risk management approach - plan, implement and review. You can gain a competitive advantage by being seen to take security seriously – gaining the Cyber Essentials badge will help you do this. Good security can be an enabler for a thriving business: you will be protecting your assets, your reputation, your customers, and your peace of mind.

Take a risk management approach

What is directly at risk?

Your money, your information, your reputation, your IT equipment and your IT-based services. Information is an asset that can take many forms: client lists, customer databases, your financial details, your customers’ financial details, deals you are making or considering, your pricing information, product designs or manufacturing processes. There is a risk to your IT services and information wherever they are stored, whether held on your own systems and devices, or on third-party hosted systems (i.e. ‘in the cloud’).

What could pose a threat to these assets?

  • Current or former employees, or people you do business with. Compromising your information by accident, through negligence, or with malicious intent.
     
  • Criminals. Out to steal from you, compromise your valuable information or disrupt your business because they don’t like what you do.
     
  • Business competitors. Wanting to gain an economic advantage.

For an in-depth look at the different personas that pose a threat to your business, download our Little Book of Breaches.

What form could the threat take?

  • Theft or unauthorised access of computers, laptops, tablets, mobiles.
     
  • Remote attacks on your IT systems or website.
     
  • Attacks on information held in third-party systems, e.g. your hosted services or company bank account.
     
  • Gaining access to information through your staff.  

Take a look at our EDR demo to see how an attack can happen and how to defeat it.

What impact could an attack have?

  • Financial losses from theft of information, financial and bank details, or money. The average cost of a significant security breach is between £65,000 and £115,000.
     
  • Financial losses from disruption to trading and doing business – especially if you are dependent on doing business online. The most severe breaches can result in a business being put out of action for up to ten days.
     
  • Losing business from bad publicity, damage to your reputation and customer base.
     
  • Costs from cleaning up affected systems and getting them up and running. 
     
  • Costs of fines if personal data is lost or compromised.
     
  • Damage to other companies that you supply or are connected to. 

Click here to see our GDPR Fine Tracker.

How can you manage the risks?

Planning

  1. What information assets are critical to your business?
     
  2. What kinds of risk could they be exposed to?
     
  3. What legal and compliance requirements is your business subject to?
     
  4. How could you continue to do business if you were attacked?
     
  5. How can you manage these risks on an ongoing basis?

Reviewing

  1. Are you reviewing and testing the effectiveness of your controls? Consider annual or quarterly Penetration Testing.
     
  2. Are you monitoring and acting on the information you receive from them? 
     
  3. Do you know what the latest threats are? Our Vulnerability Service gives you all the latest threat information.

Implementing

  1. Have you put in place the right security controls to protect your equipment, information, IT system and outsourced IT services?
    Many companies rely on the expertise of Cyber Security as a Service (CSaaS) companies like norm.
     
  2. Do your staff know what their responsibilities are? Do they know what good practice looks like?
    Effective Cyber Safety training is essential.
     
  3. If you are attacked or something goes wrong, how will you deal with it and get back to business? Who will you turn to for help?
    Call the experts: our Cyber Security Incident Response Team are your best bet in the event of a breach.

There is help if you need it!

Yes, it is a big task and can seem daunting, but it doesn’t have to be. Many companies are turning to a managed cyber security service, such as that offered by norm. We follow the risk management approach, so you get the best protection against cybercrime.

Andy Scutt, NormCyber Ltd.
