[BreachExchange] Cybercrime is biggest threat to SMEs ‘by far’, says Federation of Small Business policy chief

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 8 19:10:02 EDT 2017


The UK's definition of an SME - a small to medium enterprise - is any
business with up to 250 employees, with no upper limit on the financial
threshold. Speaking at the Counter Terrorism Expo in London's Olympia
today, the Federation of Small Business' Home Office and MoJ Policy Unit
Chair Richard Parlour laid out just why cyber security is so critical for
the sector.

According to Parlour, there are 5.8 million businesses in the UK and a
staggering 99 percent of them count as SMEs. The FSB's job as a lobby group
is, he says, to protect businesses, save them money, and also help them

But recent figures show that 80 percent of SMEs hit by major cyber
incidents don't live longer than two years after the fact - and although
there's growing awareness about the importance of cyber security, many SMEs
might still not be taking it into consideration.

"We cover business crime, and of the business crimes, cyber crime is our
biggest issue and growing," Parlour said. "There's an awful lot of
different threats out there, but the biggest one out there by far is
cybercrime for us at the moment."

The FSB is trying to explain to its members that the risk they face from
cybercrime is multifaceted - from hacktivism, criminal fraud, and "to a
growing extent, corporate espionage."

Figures from Allianz's annual business risk report point to enormous growth
in cyber crime as a threat, leaping from number five in the last report to
third place this year. Security breaches are up, and their cost and scale
have doubled over the last year.

Parlour said that in 2016, 71 percent of SMEs suffered some kind of
security breach, and these come with potentially disastrous knock-on
effects in addition to the initial damage: problems with supplier
relationships, contract losses, or staff spending their time firefighting
rather than focusing on business growth.

"Our survey we ran last year was a bit disturbing," Parlour said. "First of
all, two thirds of SMEs thought they were not open to cyber attack, and
only one in seven had improving cyber security as a top priority."

There was a lack of awareness among smaller companies, which did not realise
they were just as likely to be targeted as the large companies behind the
headline-grabbing breaches at TalkTalk and Yahoo.

"There's a growing awareness these people are part of a bigger supply chain
and they can be the weaker link on the way in," Parlour explained.
"Awareness is increasing, but it's quite slow at the moment. And of course
a lot of the advice you'll see on various websites is things like: if
you're subject to attack, have a look at your cyber controls. And people
will say: 'Thank you very much, now what will I do with that?' So there
needs to be detailed, simple, practical steps which SMEs can take."

There are some motivations in key areas for SMEs to take action on getting
their security in order, notably in winning government contracts - for
example they're unlikely to get far if they haven't got the Cyber
Essentials programme in place.

"This is useful but it only goes so far - not a lot of SMEs are bidding for
government contracts," Parlour said. "And there is a voucher scheme you can
apply for up to £5,000-worth of assistance, but when you look at the
details it's a bit disappointing. You can only spend it for a consultant to
come in and tell you where the holes are in your cybersecurity, you can't
use your own advisor, you have to use somebody from a government list.

"You can't spend the money on hardware to improve your systems, you can't
spend it on software - so you think, what is this apart from jobs for a few
government-approved cybersecurity consultants? We've made those points to
government and hope to get those changed."

For its part, the FSB has put forward 47 policy recommendations to the
National Cyber Security Centre (NCSC), and has also been involved in
meetings with DCMS. It's encouraging members to get closer to the Cyber
Essentials programme, and is also working with Her Majesty's Inspectors of
Constabulary (HMIC) - a policing group that's currently working on drafting
cyber policing standards for the UK.

"We're trying to make sure that gets implemented by putting a lot of
political pressure on our police and crime commissioners, and others, to
get that registered," he said.

Parlour believes that there won't be new laws incoming to specifically deal
with cybercrime, except around incoming data security standards such as

"You might have thought there would be quite a few new laws because cyber
is developing very quickly, but there won't be any is the message," he
said. "That means there's less to implement. There's not going to be an
update of the Computer Misuse Act - a committee I was a member of about 25
years ago looked at the database of English criminal law, and tried to work
out if we needed new offences in relation to cyber crime."

In short, there are already existing laws in place to deal with crimes
online - they just don't specify that the crimes are online but can be
applied to cyber.

The FSB is also arguing against fines for data breaches. According to
Parlour, the group believes that the money that goes on fines would be put
to better use if breached companies were required to spend it on upgrading
their systems instead.

"In certain other parts of the UK economy that works quite well," he said,
pointing to procedures in the financial sector. "There's no point fining
people because then they've got less money to sort themselves out," he
said. "Apart from filling up a bit more into government coffers, it doesn't
do much to help."

He closed by saying Britain's approach to fighting cyber crime needs to
look like an 'integrated air defence system' designed to shoot down planes.

"What we wanted to say is: 'why don't we have an integrated cyber defence
system?'" he asked. This might look like a combination of active UK-wide
protection but also more encouragement for ISPs to filter out risks, or
placing more of the onus on large companies to collaborate to prevent
attacks. He said it could also include more stringent standards for baking
security into software and hardware from the get-go.

"We've seen an awful lot of operating systems and software go out onto the
market with absolutely no security and you get patch after patch and update
after update," he said. "Not just a few, but every time you load it up
there's thousands. If you did this in the car industry most of us would be
dead because most of the cars would not be fit for purpose.

"Why don't we have a similar standard for releasing software and hardware?
Why is it that software and app providers either don't build in security,
or if they do build it in, the default setting is off?"

The FSB is currently in the process of updating its key security tips for
SMEs, and these start from assessing where a company's most important data
lies.

SMEs should work to understand what could happen to their data, and how to
protect it. They should, Parlour said, work closely with IT suppliers,
set out clear policies and guidance for data privacy and BYOD, and follow
the Cyber Essentials programme. SMEs should also bring in regular staff
training every six months, regular back-ups, off-site recovery testing and
insurance, introduce two-factor authentication for cloud services - and
review all of their security procedures every six months.