Cyber criminals are targeting small UK businesses who are more vulnerable and less likely to have sufficient security in place.
Poor levels of employee education, limited resources and a huge increase in the volume of cyber attacks facing businesses in the UK have led to costs associated with the attacks tripling in the past 12 months.
David Willetts, Minister for Universities and Science, launched the Information Security Breaches Survey 2013 on Tuesday at the InfoSecurity Europe conference in London, and while he said the government was "learning some important lessons" in relation to the cyber security landscape, it was clear a lot more needs to be done.
Among the key findings of the survey, carried out by PwC on behalf of the Department for Business, Innovation and Skills (BIS), was that smaller companies are being specifically targeted by cyber criminals, with 87 percent of small companies (those with fewer than 50 employees) reporting they had come under cyber attack in the past 12 months - up from 76 percent a year ago.
As well as more companies being attacked, the volume of cyber attacks is also increasing, with small companies getting attacked on average 17 times each over the past 12 months, up from 11 times a year ago.
The knock-on effect of this is that both the cost of cleaning up after these attacks and the cost of preventative security are increasing, which makes it tougher for smaller companies to survive in the current economic environment.
While many of these attacks will have been blocked, what is more worrying is that 15 percent of small companies surveyed said external attackers had successfully penetrated their systems, double the amount detected the previous year. Nine percent reported that sensitive intellectual property or confidential data had been stolen in these attacks - up from just four percent last year.
The reason cyber criminals are targeting these smaller companies is simple - security measures being implemented are simply not effective enough.
Basic security measures
Despite security budgets rising in the past 12 months, many organisations struggle to implement basic security measures. "Overall, the survey results show that companies are struggling to keep up with security threats, and so find it hard to take the right actions," PwC said in its report.
The areas where small businesses were shown to be particularly weak included educating employees about the risks involved, monitoring security procedures and network security.
And these shortcomings have led to a tripling in the cost of cyber attacks on UK businesses in the past 12 months, with the cost now measured in billions of pounds.
In 2012, the UK Government issued guidance, called The Ten Steps, to businesses on how to protect themselves from cyber security threats. Willetts said that in order to improve the level of cyber security in place at UK companies, the government needs to continue to help businesses implement these basic procedures.
One interesting outcome from the survey was that 17 percent of small companies said one of their employees had breached the Data Protection Act at some stage during the year, yet none reported paying any fines in the period, meaning the breaches are not being picked up by the regulatory bodies.