‘We don’t have to worry about cyberattacks….’

Over the last few months, any number of business executives have taken that view, in spite of the spate of headline-grabbing hacker attacks against organisations around the world on an almost daily basis. Here are three very recent stories about small businesses whose cyber defences were inadequate:

The first is about a Bitcoin brokerage, Bitinstant, which was apparently hit by a social engineering attack in which the attacker took over the company’s DNS servers and made off with more than $12k worth of bitcoin. One would have thought that any Internet company would be aware of the dangers of the cyber world in which it operates, but apparently not. This attack brings up to date the old explanation of why one robs banks: it is where the money is.

The second story is about a Dubai businessman who was targeted by a hacker who intercepted emailed invoices from UK suppliers and altered them, substituting the attacker’s own bank details for the real ones. The businessman wired payments worth around £65k in total and, of course, never received what he thought he was purchasing.
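The control that would have stopped the altered-invoice fraud above is a payee check: before any payment goes out, the bank details on the invoice are compared with the details confirmed with the supplier when it was onboarded, and any change is confirmed with the supplier out of band. The following is an added example of such a check, written for this page and not code from any of the organisations mentioned; the supplier records, invoice texts and sender domains are constructed sample data, and the invoice format (a "Sort code" and "Account number" line) is an assumption.

```python
import re
from dataclasses import dataclass

# Supplier bank details held by the buyer, confirmed with each supplier by
# phone when it was onboarded. Constructed sample data for this example.
SUPPLIERS_ON_FILE = {
    "acme-widgets.example": {"sort_code": "123456", "account": "12345678"},
    "globex.example": {"sort_code": "654321", "account": "87654321"},
}

# Constructed invoice texts: the genuine one, and the same invoice after an
# attacker has substituted their own bank details.
GENUINE_INVOICE = (
    "Invoice 1042\nPlease pay to:\n"
    "Sort code: 12-34-56\nAccount number: 12345678\n"
)
ALTERED_INVOICE = (
    "Invoice 1042\nPlease pay to:\n"
    "Sort code: 65-43-21\nAccount number: 87654321\n"
)

# Assumed invoice layout: a "Sort code" line (UK six digits, optionally
# hyphen- or space-separated) and an "Account number" line (eight digits).
_SORT_RE = re.compile(r"sort\s*code[:\s]*([0-9]{2}[- ]?[0-9]{2}[- ]?[0-9]{2})", re.I)
_ACCT_RE = re.compile(r"account\s*(?:no\.?|number)?[:\s]*([0-9]{8})", re.I)


@dataclass
class Finding:
    supplier: str
    ok: bool          # True only when payment can proceed without a call
    reason: str


def normalise_sort_code(raw: str) -> str:
    """Strip separators so 12-34-56, 12 34 56 and 123456 compare equal."""
    return re.sub(r"[^0-9]", "", raw)


def extract_bank_details(invoice_text: str):
    """Pull sort code and account number out of the invoice text, or None."""
    sort = _SORT_RE.search(invoice_text)
    acct = _ACCT_RE.search(invoice_text)
    if not sort or not acct:
        return None
    return {"sort_code": normalise_sort_code(sort.group(1)), "account": acct.group(1)}


def check_invoice(sender_domain: str, invoice_text: str) -> Finding:
    """Compare the invoice's bank details with the record held for the sender.

    The sender domain alone proves nothing: if the supplier's mailbox has been
    compromised, the altered invoice arrives from the genuine domain, so the
    bank details themselves are the signal that matters.
    """
    record = SUPPLIERS_ON_FILE.get(sender_domain.lower())
    if record is None:
        return Finding(sender_domain, False,
                       "unknown supplier: onboard and verify details before paying")
    details = extract_bank_details(invoice_text)
    if details is None:
        return Finding(sender_domain, False,
                       "no bank details found on invoice: confirm with supplier")
    if details != record:
        return Finding(sender_domain, False,
                       "bank details differ from record on file: confirm by phone "
                       "on the number held on file, never one given in the email")
    return Finding(sender_domain, True, "bank details match record on file")


if __name__ == "__main__":
    for domain, text in [("acme-widgets.example", GENUINE_INVOICE),
                         ("acme-widgets.example", ALTERED_INVOICE),
                         ("acme-widgets-example.net", GENUINE_INVOICE)]:
        f = check_invoice(domain, text)
        print(f"{domain}: {'PAY' if f.ok else 'HOLD'} ({f.reason})")
```

The hold on a mismatch is deliberately not overridable from within the email: the phone number used to confirm a change must come from the record on file, because an attacker who can alter an invoice can equally alter the contact details printed on it.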

Finally, there is a report in the St. Charles Herald-Guide which describes how the payment card details of 195 local people were stolen from a local pizza store and used for a variety of crimes and attempted crimes, including identity theft and payment card fraud.

What each of these stories has in common is that none of the successfully hacked organisations is a headline name, and that all the thefts were small scale. Each of these stories, and there are many more just like them every day, is a cogent example of why no organisation of any size can afford to ignore the need for proper cyber defences, including regular training for staff and management on how to recognise a possible social engineering attack, such as an unexpected change to a supplier’s bank details.

Regular penetration testing, for a small organisation, should cost less than £5k a year, and remediating the vulnerabilities it identifies is usually far more straightforward than dealing with the disruption of a successful attack. Penetration testing is something that organisations of all sizes should have carried out as a matter of course; the fact that so many larger organisations fail to take adequate precautions is no reason for smaller businesses to follow suit, and, arguably, a larger organisation is better able to absorb the financial impact of a successful breach than a smaller one.