SMEs increasingly hit by phishing cyber crime

By Andy Bazley, Underwriting Manager, HSB Engineering Insurance

Whilst global ransomware attacks and data breaches may make the news headlines, it’s important to remember that it’s not just large businesses and corporate enterprises that are affected by cyber-crime. For small and medium-sized businesses, increased reliance on technology to support their operations is making them vulnerable to attack. 

According to the Cyber Security Breaches Survey 2018[1], 43% of businesses experienced a cyber security attack or breach in the last 12 months. Of those that experienced an attack, 75% did so as a result of fraudulent emails or being directed to fraudulent websites. These statistics may seem worrying but they aren’t a surprise.

Over the last year, we have increasingly seen insurance claims made by small businesses falling foul of email phishing and social engineering scams. Global ransomware attacks like WannaCry may steal the headlines, but the truth is phishing scams are much simpler for cyber criminals to profit from. In recent research, a fifth of all SME respondents cited online fraud as one of their top cyber problems in the last three years.[2]

Ransomware attackers generally demand amounts in the hundreds of pounds, while phishing and social engineering attacks can see businesses lose many thousands. What is worrying is how sophisticated and difficult to detect scams are becoming. While it is still possible to identify a potential phishing attack by the email address used, criminals are increasingly accessing email servers and monitoring traffic for opportunities. The increased volume and detail of personal data available via social media also means that it is becoming easier for criminals to use your own information to give more credibility to the scam.

Reducing the risks

The first thing for any business owner to understand is that a cyber-attack is more a question of when rather than if. You may not think you have anything worth stealing but cyber criminals know that they can exploit data or finances by targeting you.

Hardware and software defences are an essential part of your overall cyber security risk management plan. Installing operating system updates promptly, regularly backing up data, and using anti-virus software and strong passwords are basic security precautions. However, these measures may only go so far if awareness of cyber risks amongst your employees is low. Cyber criminals view employees as a vulnerable entry point; targeting individuals is a means to gain access to your systems and/or finances. Training and educating employees is therefore a simple but vital step all businesses can take to reduce the risk of attacks.

There are numerous resources available to help you. The National Cyber Security Centre's 10 Steps to Cyber Security provides a solid risk management approach for businesses. In addition, the Business Emergency Resilience Group (BERG), which is part of Business in the Community (BITC), launched the Would You Be Ready campaign, aimed at helping businesses become more cyber resilient.

Insurance also has a role to play in protecting businesses against the effects of cyber-attacks. Many cyber insurance policies, aimed at small and medium businesses, provide access to experts such as forensic IT specialists, PR agencies and legal support to assist in the period following an incident.

With more reliance on online activities, devices and connected technology to run businesses, cyber criminals will undoubtedly become more sophisticated. Being aware of the risks, ensuring security measures are in place and educating employees are all vital steps you can take to reduce the risk and the likelihood of becoming a victim of a cyber-attack.

[1] Department for Digital, Culture, Media & Sport – Cyber Security Breaches Survey 2018

[2] DAS Market Barometer: Cyber. In conjunction with HSB.