It’s no wonder that most SMEs don’t think cyber-attacks apply to them when the headlines seem to only feature the big guys, and with the average cost of cyber-attacks doubling to £1.46m last year – these figures are often not something an SME could even envisage earning!
Unfortunately, the desensitising effect these million pound figures have on our collective psyche hides the truth. Every business is at risk of cyber-attack.
Breaking down the cost
According to a study by Kaspersky Lab and B2B International, the amount of financial loss suffered by small and medium businesses as a result of cyber-attacks continues to grow.
In 2015 the average impact of a single cyber-attack topped £25,000!
What’s most interesting about their study, however, is how these costs break down for SMEs; as it turns out, the impact on SMEs is quite different to that on big businesses. Whereas big businesses suffer an average cost of over £135,000 in brand damage alone, to an SME this number could be as little as £5,500. The real impact on the SME is in the actual loss of functionality in their systems, the combined downtime and the professional services needed in order to recover to normal operations.
What threats cost SMEs the most?
Again there seems to be a curious difference between big businesses and SMEs when it comes to cyber threats. If you consider the top three costliest types of incidents, you’ll see a marked difference:
The important thing to notice in this data is that while big-business threats tend to be more focused on things best controlled by commercial agreements, insurance and HR, SME threats are decidedly more targeted and technical. It’s the SMEs who are being targeted specifically for direct financial gain.
This ties in with the huge reputational risk faced by big business: it’s far more important for a big business to protect itself from third parties and disgruntled staff who would harm it for the sake of its reputation, and it’s much less likely anyone would try to hold it to ransom.
SMEs, on the other hand, face targeted attacks of a different sort: people looking to steal data and disrupt the operation of their business for direct financial gain. It’s safe to say that when TalkTalk was hacked, or when Wetherspoon’s lost their customers’ records, it was not a direct competitor or someone looking to take money from them. Sure, the records they stole may have been put up for sale somewhere and the attackers may look to turn a profit from their actions, but it still amounts to an attack that has more in common with ‘hacktivism’ than with a break-in.
Distributed Denial of Service is evolving
In 2014 a study concluded that the average cost to an SME for a DDoS attack was upwards of £35,000. More, in fact, than many other types of cyber incidents! The breakdown of the typical costs showed that, much as with other cyber incidents, it’s a range of items including the hiring of third-party experts to help the business recover, the actual cost of the downtime itself, the reactive purchasing of new defences and other protection, and the long-term cost of reputational damage.
The other real concern is that the prevalence of these attacks is highest amongst IT / high-tech and e-commerce businesses, two of the sectors where many SMEs operate. In these two verticals, between 44 and 49% of businesses will suffer some level of DDoS attack each year. Still think your business is safe?
The remediation of these incidents often involves a business taking on a wide range of new external “expert help”. For example, 65% of companies consulted with IT security specialists, 49% of firms paid to modify their IT infrastructure, 46% of victims had to turn to their lawyers, and 41% turned to risk managers. These are only the most common expenses.
What is often poorly understood is that DDoS attacks are incredibly hard to defend against. DDoS most often does not require the level of persistence or hacking involved in other cyber incidents. Where traditional security has the mantra “you can’t defend against the lone wolf”, in cyber it’s the crowd that you have to worry about. DDoS attacks are by their very nature almost impossible to pin down, seemingly coming from everywhere all at once. When the attacker is trying to actively extort money out of your business, there are few tools simpler than just denying you the ability to service your public (Internet) customers.
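To make the “it’s the crowd you have to worry about” point concrete, here is an added example (not code from the article or its cited studies) that summarises a ten-second window of web-server traffic and shows how much relief blocking the single busiest source would give. The log format, the request windows and the thresholds are all constructed assumptions for illustration.

```python
from collections import Counter

# Hypothetical log format assumed for this example: "<epoch_seconds> <source_ip> <path>".
# All three windows below are constructed samples, not data from the article.

def make_window(start, n_requests, sources):
    """Build n_requests constructed log lines spread evenly over the given sources."""
    return [f"{start + i % 10} {sources[i % len(sources)]} /index.html"
            for i in range(n_requests)]

NORMAL = make_window(1000, 40, ["203.0.113.5", "203.0.113.9", "198.51.100.2"])   # ~4 req/s
SINGLE = make_window(2000, 400, ["198.51.100.77"])                               # one noisy host
CROWD = make_window(3000, 400, [f"192.0.2.{i}" for i in range(1, 201)])          # 200 hosts, 2 req each

def classify_window(lines, window_s=10, baseline_rps=5.0, single_source_share=0.5):
    """Summarise one window and estimate whether blocking the top source would help."""
    sources = Counter(line.split()[1] for line in lines)
    total = sum(sources.values())
    rps = total / window_s
    top_ip, top_hits = sources.most_common(1)[0] if total else ("-", 0)
    top_share = top_hits / total if total else 0.0
    if rps <= baseline_rps:
        verdict = "normal"
    elif top_share >= single_source_share:
        verdict = "single-source flood"   # one IP dominates: rate-limiting it is effective
    else:
        verdict = "distributed flood"     # the crowd: per-IP blocking barely dents the load
    return {"rps": rps, "distinct_sources": len(sources), "top_source": top_ip,
            "top_share": round(top_share, 3), "verdict": verdict,
            "relief_if_top_blocked_pct": round(top_share * 100, 1)}

if __name__ == "__main__":
    for name, window in [("normal", NORMAL), ("single", SINGLE), ("crowd", CROWD)]:
        print(name, classify_window(window))
```

The distributed window carries the same 40 requests per second as the single-source one, yet blocking its busiest address removes half a percent of the load, which is why upstream scrubbing or anti-DDoS services rather than host-level blocklists are what SMEs end up buying.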
The best defence is a good offence
By this point in the article I’m sure that most readers are starting to get just a little depressed. To be sure, cyber threats have reached an entirely new level of seriousness for most UK businesses. The news isn’t all dire, however. The problem is with the approach.
Historically, dealing with cyber was all about prevention, not cure. Unfortunately, 2015 showed us that this approach is a guaranteed ticket to cyber-hell. All the defences in the world will not stop the attack. What do most businesses do after they’ve been attacked? Hire experts to tell them (retrospectively) what they should have done to prevent the attack, and then implement it. So great, we’re all spending a fortune building a defence to the attack that’s already happened. What we need is something to fight back, not a new line of defence.
Knowing what the risks are, knowing that being attacked is inevitable and that being breached is also nearly inevitable, firms should spend more time proactively looking for new techniques and technologies to detect and respond to the attack.
For large enterprises this often means hiring, training and building teams of dedicated incident responders or “CERTs” – Computer Emergency Readiness Teams. SMEs, however, would be foolish to think they can afford to have dedicated internal first responders. The answer will come from the marketplace, from the traditional IT service providers and resellers. The only reason they’re not providing more in the way of managed detection and response services is that the customers only ever ask to buy more prevention and protection.
In 2016 and beyond many more providers will be offering just this type of proactive defence, from active anti-DDoS protection to security information and event management (SIEM), intelligent context-aware endpoint protection and more. My recommendation? Don’t wait until you’ve been attacked to engage the experts. Get proactive and seek advice today, because 2016 may just be the year you get attacked!