Policy Monitor

Is your organisation small enough to be ignored by cyber criminals?

With research showing that British businesses faced the equivalent of one attempted cyberattack every 43 seconds in late summer 2023, Nick Denning, CEO of Policy Monitor, looks at whether any organisation is small enough to be ignored by cyber criminals.

A record number of cyberattacks

Beaming, the ISP which provides voice and data solutions, publishes a Cyber Threat Analysis each quarter. Beaming’s Q3 2023 report states that in late summer, British businesses experienced a new record number of cyberattacks. On average, each company with an internet connection experienced the equivalent of one attack every 43 seconds. The major source of these attacks can be traced back to IP addresses in China. Other countries identified as the source of many attacks were India, the USA, Russia, Vietnam and Brazil.

Is your organisation at risk? Surely cyber criminals are more interested in large organisations where the potential gains are high? Well, yes… and no! The Beaming research takes in all companies with an internet connection, so it includes the vast majority of businesses from the smallest to the largest.

It is true that the rewards from attacking a large organisation can run to millions, but such businesses often have the best protection and the most cyber-aware employees. Smaller organisations can provide easier pickings and potentially open the door to attacks on the larger businesses that are their customers.

Targeted vs. untargeted cyber attacks

The UK’s National Cyber Security Centre (NCSC) divides attacks into targeted and untargeted categories. In a targeted attack, an organisation is singled out because the criminal has a specific interest in the business or has been paid to target the organisation. The preparation for a targeted attack could take months as the cyber criminals probe for vulnerabilities to find the best route into the organisation, and techniques can be tailored and combined to give the best chance of success.

In untargeted attacks, criminals are indiscriminate, hitting as many devices, services, organisations or users as possible in the hope of getting lucky somewhere. The wider the attack, the greater the likelihood of finding and exploiting a vulnerability. A popular untargeted technique is phishing, which involves sending emails to large numbers of people. The emails might ask for sensitive information such as passwords or bank details, or encourage the readers to visit fake websites or click links which will install malicious code.

Using small businesses to attack larger organisations

In today’s decentralised IT environments, which utilise embedded open-source code, integrate third-party applications, use external hosting or connect to third-party suppliers, larger organisations have opened themselves up to additional cyber vulnerabilities. Several high-profile cyber incidents in 2023 involved large organisations but were caused by attacks on their much smaller suppliers.

In 2023, Greater Manchester Police Force (GMP) fell victim to a ransomware hack. The data breach, which potentially exposed details of officers’ name badges such as ranks, photos and serial numbers, was actually at a Stockport-based supplier to the police, which provides identity cards and lanyards. The supplier had fewer than 100 employees.

Help for the smallest organisations

Even the smallest businesses, sole traders and the self-employed can experience cyberattacks. These will often be untargeted. The UK’s Federation of Small Businesses (FSB) notes that phishing attacks were the most common type of cyberattack experienced by UK businesses, representing 83% of all incidents.

The NCSC provides a range of guides specifically addressing the issues faced by this audience. They suggest a 5-step plan:

  • Step 1 – Backing up your data
  • Step 2 – Protecting your organisation from malware
  • Step 3 – Keeping your smartphones (and tablets) safe
  • Step 4 – Using passwords to protect your data
  • Step 5 – Avoiding phishing attacks

Even the smallest organisations are at risk from cyber criminals. You might be unlucky, and an untargeted attack may expose a vulnerability in your business which bad actors will be quick to exploit. Alternatively, your organisation may be utilised by criminals in a more targeted and sophisticated attack on a larger company. Driven by incoming legislation, larger operations may start to take a greater interest in the cyber security policies and precautions of even their smallest suppliers. To win and retain business, cyber readiness is likely to become a competitive differentiator and essential to survival.