Days of Cyber: What’s an SME to do? (Threat Landscape)
This will be the first in a series of blog posts exploring the world of cyber security, with a specific view on how it applies to SMEs, and what they can do to survive in a complex world of threat actors, zero-day exploits, and a plethora of solutions and service providers. The aim is to demystify some of the concepts, and promote robust strategies for mitigating this growing risk for all types of businesses.
We start by looking at the threat landscape — because knowing what services or software to buy depends on understanding who the attackers really are, and which ones you need to protect yourself from.
Not all attackers are created equal: they have different skills and different motivations. It helps to categorise them, and for this overview we’ll break them down into the following groups: organised crime, nation states, hacktivists or bedroom hackers, extortionists, scammers, and insiders! So let’s take a look at each one, and consider the threat they pose to an SME.
Organised crime — While a slight threat for the SME, professional criminal gangs have largely targeted big international finance firms, where their advanced skills have reportedly managed to net them sums as high as $1bn. For now SMEs are likely to remain under the radar for these groups. However, as bigger companies shore up their defences, the threat may trickle down. Definitely one to watch out for in the future, but not currently a major concern.
The nation state — Although we know that nation states are involved in cyber activity, we won’t talk about them for long, for one reason. If they want to get you, they’ll get you. If it isn’t through advanced exploitation techniques, it will be by expert confidence trickery. Most SMEs are unlikely to be worried about this. But if you are in the rare position of being an SME with assets of interest to another country’s government, you may want to get in touch with CESG to talk about your options.
The hacktivist, or bedroom-based hacker: In some ways, the SME’s biggest threat. An SME is highly likely to get unlucky and be targeted by someone who happens across it and decides it might be a softer target than the previous one, while still providing some small financial or reputational reward, or just serving as good target practice. These guys generally have low skills, so good cyber hygiene like regular patching, secure coding practices and continuous security monitoring services can protect you here.
The extortionists — Cyber extortion has really taken off in the last couple of years, either through flooding websites with traffic until they go offline (known as DoS attacks), or by breaking in and scrambling your data until you pay to get it back. Victims have included bitcoin exchanges, e-commerce websites, recruitment agencies, and anyone else who relies heavily on their online presence to make money. These groups are also on the lower-skilled end though, and look for easy targets and quick wins. Regular backups and DoS mitigation services can help here. Those who are unlucky enough to become victims are advised not to pay up if possible, as paying simply encourages the attacker to extort more, and doesn’t guarantee that the attack will stop or that the data will be returned.
The scammers — This is a huge current trend, and the amount of money that has been stolen by simple cyber scamming is staggering. The typical example is an email designed to look like it’s from the CEO, demanding a money transfer to some foreign bank account. The answer here is simply education: no technology can protect you from a scam, as the fundamental weakness is human trust.
The insider — In some ways, it’s easier for SMEs to mitigate the insider threat than it is for large corporates. If your team is relatively small, you simply stand less chance of having recruited a bad egg. Conversely though, people in SMEs generally need access to a lot of the company’s information, as roles are shared and everyone mucks in to get things done. The single most effective technique to counter the insider threat is to make sure you know what is important to your company, and ensure that you grant access only to those who need it, whether it’s access to sensitive information, or the power to shut down important systems.
Hopefully you should now have a good overview of what threats you might need to worry about, and some ideas for strategies to cope with them. In future blog posts we’ll explore in more detail some of the strategies outlined here, as well as the pros and cons of specific solutions.
Until then, stay safe.