Cyber criminals are increasingly targeting vulnerable and less protected SMEs, as larger corporations get much needed information security policies in place.
The Garda Bureau of Fraud investigation is currently examining a number of recent cyber attacks on computer systems of small businesses and subsequent demands for money. The companies say their computer systems were hacked, their data such as order books and customer data had been encrypted and their businesses paralysed. There was a note left on their computers demanding money – in one case $700 for the code to unlock the information.
Colm Murphy, technical director with Espion, Ireland’s leading computer forensics and information security company, believes that this trend has the potential to hurt Irish SMEs very quickly. “Cyber crime is a global issue, growing at an alarming rate. As large corporations have begun to put in place real and tangible security barriers, cybercriminals are looking at SMEs – the pickings may not be as rich, but the number of targets is greater, and the level of security in place is far lower. Irish SMEs need to act quickly or the next spate of cyber crime will hit less them, potentially damaging consequences.”
The most recent cybercrime findings from the Irish Cybercrime Survey (conducted jointly by the ISSA’s Irish chapter and University College Dublin’s Centre for Cybercrime Investigation) reported that one in four Irish organisations had been victims of external hacking attempts. Aside from the sheer volume of incidents reported, attacks had directly impacted the productivity of 79% of these companies – indicating the damage that cybercrime can cause to operations and ultimately the balance sheets of the companies involved. One of the most alarming findings was the lack of appropriate technologies used to protect companies against known forms of attack.
“While SMEs do not have the same resources available to them as larger organisations,” says Murphy “there are some basics measures that will provide a front line of defence against the casual cyber criminal.”
Defending against Cybercrime
Individuals as well as businesses need to take a proactive stance to protect themselves and their interests from the increasing threat of Cybercrime. There are a number of basic elements to help defend users from cyber criminals:
User Awareness – Everyone should be aware of the types of scams around and what to do in the event of being targeted. Security awareness training details the relevance of security at all levels within an organisation and is proven to help safeguard systems.
Implementing a Security Framework/Security Standards – This starts with understanding the value of information to the business and the implications of a temporary or permanent loss. By understanding the criticality of information assets the processes needed to manage confidentiality, integrity and availability of data whether in storage, while being processed or in transit can be created.
Incident Response – There should be systems in place that continually inspect all aspects of the network, triggering the appropriate alarm when malicious code or any similar anomalies/activities are detected. Who needs to be notified, what actions need to be taken, what escalation paths are in place etc…
Continuous vigilance – Cybercriminals work relentlessly to develop methods to circumvent security measures. Companies should reassess their security stance regularly, looking at data and networks to ensure that the relevant processes and technologies are in place to protect it in the event of an attack. Ongoing security awareness training should also be adopted as standard practice. In an ideal world, this should be enough, in the event of a breach; companies should be able to take pre-defined steps to minimize the impact of the attack.