UK’s SMEs Told ‘Adapt to Digital Economy or Pay the Price’ through Cybercrime
In the 12-month period up to the end of June 2016, the Office for National Statistics estimates that there were almost 6 million instances of online fraud and cybercrime in the UK. It’s one of the fastest-growing areas of crime, and the government has unveiled a £1.9 billion programme to protect the UK from cybercriminals until 2020.
With many commentators focusing on high-profile, state-sponsored cyber-attacks, it remains to be seen how this latest investment will affect the UK’s SME community.
Tony Richardson, Managing Director of cyber-security experts Octree, will be speaking at the UK200Group Annual Conference on Friday 18 November. Speaking about the government’s new programme, he said, “Will it be a success? That depends on where the money is spent. One of the problems, for example, in the police force, is a lack of skilled people, and I think that training and awareness should be top of the government’s agenda.
“In the long term, this is about education: trying to encourage youngsters to take on ICT-type courses and then move into cyber-security in further and higher education. One of the fundamental problems is that there are fewer people studying ICT at school than there were 20 years ago.
“If the government are just going to throw money at countermeasures, it’s a futile exercise. We’ve got to look at things from an education basis, from a secondary school level.
“For businesses, security training has to be moved up the agenda. It is social engineering that leads to problems as far as ransomware is concerned, because the delivery mechanism will always be an email being delivered or a website being visited. Therefore, people need to be educated not to click on links or open attachments, and to be prepared to question suspect emails and, if necessary, escalate them.
“Ultimately, business directors are going to be liable, so I’m sure they’ll be keen to get that message across.”
Tony Richardson, a veteran of the IT industry with 28 years of experience, guides us through two of the most common – and dangerous – types of cyber-attack:
“I became involved with a financial services firm after a ransomware infection, called CryptoWall, had completely compromised their systems, locking them out. This was due to their incumbent IT firm not ensuring that basic anti-malware was installed on their computers. They didn’t have a backup and their files were completely locked, so their choice was to pay a significant ransom or attempt to rebuild their data and database from paper records.
“They chose to rebuild their database, which I suspect will have been extremely costly and time-consuming. It’s not unusual for small businesses to be in a situation in which they are unaware that they are unprotected, one of the fundamental problems being that a lot of small businesses do not think that they are vulnerable to these types of attack.
“The second dangerous fraud we’ve seen recently is a whaling attack, or CEO fraud, in which an email is sent, purportedly, from the CEO or Finance Director of the company, generally to the finance department staff, asking them to make urgent money transfers or otherwise risk losing some business. The email proves to be fake and the money is lost.
“It’s the social engineering element that is the biggest threat vector for businesses. We’re all part of that altruistic society; we want to help out and provide information, and this is the thing that is being exploited. The fundamental problem is that people just aren’t aware of the risks.
“SMEs need to become more aware of the dangers of cybercrime and the options that they have available to them. There’s a perception that cybersecurity counter-measures are incredibly expensive, and therefore it’s better just to ignore the danger, put the head in the sand and hope not to be affected by cybercrime.
“There are ways to ensure that you and your business are taking appropriate measures without breaking the bank.”
HMRC is in the process of ‘Making Tax Digital’, which means that by 2020 all businesses, self-employed people and landlords earning over £10,000 per annum will manage their tax affairs through a digital, online account, and will be required to update HMRC at least quarterly.
Taxpayers will be expected to use software accounting systems to record day-to-day transactions, categorise them into different types of income and feed back to HMRC. However, Tony Richardson sees this as an opportunity to tighten cybersecurity measures:
“I’m a great believer in cloud computing improving security for SMEs, because cybersecurity becomes the responsibility of the software provider, which is in a better position to address those.
“Review any service-level agreements and security certifications. Bear in mind that a small business will have very little influence in negotiation with a large Software as a Service (SaaS) provider, but if you imagine how damaging a successful cyber-attack would be to a large SaaS provider, that offers some reassurance that they will be ensuring their systems are up-to-date.”
Tony Richardson will be speaking at the UK200Group Annual Conference, held at the Ageas Bowl, Southampton, SO30 3XH from 16 to 18 November 2016. The UK200Group is the UK’s leading membership association of quality-assured chartered accountancy and law firms, representing the interests of 150,000 SMEs through its members.