Marc Wilczek from Link11 has some interesting insights into why small businesses may be the most vulnerable to a cyber attack.
Transcript
I’m really pleased to be joined by Marc Wilczek again, MD of Link11. Hi Marc, thanks for coming in again to talk to us about cybersecurity and cybercrime. Today there’s been a recent release of the Cyber threat UK businesses that was published by the National Cyber Security Centre, I believe, and the National Crime Agency. And they talk about the cyber threat but with a big focus on the small and medium-sized businesses; we often talk about enterprise, but can you just tell me, what does this report say? What is the threat landscape within smaller organisations?
Right, it’s a very interesting piece of research that was indeed just recently released, and what it says in a nutshell is that small businesses still very often underestimate the risks that are involved when it comes to, you know, cybercrime and cyber threats, and the report especially talks about ransomware and DDoS attacks as being the number one risk that UK businesses are facing when it comes to cybercrime.
Yeah, don’t they call it extortion ware when they group it together?
Very much, and often, you know, they literally go hand in hand because, you know, organisations are getting confronted with blackmailing, for instance. There are bad guys trying to squeeze an organisation to pay ransomware, or these guys might launch a cyber attack.
Yeah, that’s a very common pattern.
So why do you think small and medium-sized businesses are such vulnerable targets?
Right, well, from the standpoint of the bad guy, some of them simply believe that, unlike the enterprise world, these small businesses haven’t really put emergency plans in place. They’re not having enough capabilities, tools and systems in place to mitigate these attacks. They’re perhaps more likely to pay ransomware; that makes them an interesting target for some of these criminals. And on the other hand businesses, small businesses sometimes, they think that security is expensive. It’s a nice-to-have kind of gimmick. They’re underestimating the risks that are involved when it comes to the digital world, and that makes it a perfect hunting ground, basically, for cybercriminals, unfortunately. So they might think that putting in decent security is too expensive. Why would a criminal come after me? I’m just a small target, I’m not worth much to them, all of these things. But in actual fact, this market is incredibly lucrative for cybercriminals. Indeed, and it’s a very flourishing business and fortunately we’ve seen that time and time again that organisations are just not prepared to deal with these threats. And just to share an interesting perhaps statistic with you, roughly one-third of all cyber attacks are targeted at organisations with less than 250 employees. So roughly one-third of attacks are basically focused upon small and midsize businesses. And the impact of them can be quite massive.
So are cybercriminals just doing more, for lower value? So they’re attacking more businesses, but they’re asking for less?
That’s indeed right, and it’s more, you know, transaction-oriented, but it’s a mass business, it’s massive volume that they’re basically chasing, and it’s a very lucrative ecosystem for them. So now in terms of impact, just to make it clear, if you’re a smaller business and, okay, you get attacked or held ransom and you’re asked for a relatively small amount considering the sums that are asked from enterprises, but proportionally that can have a massive impact on a business. And then it’s not just the financial aspect.
It’s how do you clean your systems? How do you get back up and running after an attack?
Yeah, that’s right. Perhaps a couple of things in this regard. One is, imagine for instance a wine shop or somebody who’s operating in the e-commerce space and all they do is promoting goods online. So guess what the impact might be if they’re under attack, if the website is offline for a couple of hours or a couple of days. Now, it’s going to be devastating for that small little business because they’re entirely depending on their digital revenues. And at the same time, what’s also often underestimated is the pain in the aftermath of that event or that attack, because it might take an organisation literally days to restore the systems, if not weeks, and sometimes these small businesses might not have backups ready. They’re just not prepared to restore the system. So everything, you know, putting everything together, it can have, you know, devastating consequences because it just takes forever to get the systems up and running again.
Yeah, it’s probably not considered often enough but consequential loss, not just the actual loss due to the ransomware or the demand that the cybercriminal might be making. So I mean where is all this coming from? I’ve heard terms lately about cybercrime as a service. Is that true?
Unfortunately, it is, so the underground economy is growing very fundamentally. And as a matter of fact, there are websites available on the dark-net that offer cybercrime as a service. So people could for instance order a cyber attack, they could order a DDoS attack for just a couple of Euros or US dollars, for no money, basically, which makes it extremely appealing for bad guys just to launch an attack very easily, and whether it’s going to be, you know, ex-employees or whether that’s going to be one of the competitors next door. Cybercrime has just become so easily consumable thanks to the dark-net, thanks to cryptocurrencies, which is a real problem at this point in time.
It’s quite amazing to consider that most, well, traditionally I would have thought it’s organised crime, and I’m guessing it probably is still organised crime behind a lot of these services. But they’re essentially outsourcing their capabilities to anybody who can find it.
That’s right. Yeah. It’s a real fundamental problem and, as I’ve mentioned before, you know, the world is going digital, so does crime, and obviously it’s a very lucrative, you know, playground and hunting ground for, you know, the bad guys out there.
It’s as easy as going to a popular shopping site and ordering something online.
Yes, I think, you know, one fair point is that the lines between legitimate e-commerce and illicit trading are basically blurring. So it’s becoming more or less one and the same, and you can see common patterns in terms of, you know, even criminal sites offering reviews for their consumers. Some of them, they provide hotline support; it’s ridiculous, but that’s what’s happening out there.
So what can small and medium-sized businesses do? I mean we probably scared them enough but, particularly you at Link11. What type of services are you developing to help small businesses deal with this threat?
Right, so we do provide a bunch of different services that make sure that, you know, businesses stay safe. Regarding DDoS mitigation, as, you know, one example, we protect small shops and websites against DDoS attacks, for instance, and we do that as a managed service, knowing that an organisation, especially a small shop, they might not be able to afford dedicated security people. So what we do is we provide a full managed service 24/7, to make sure that if an attack is happening, we take care of that and the business doesn’t need to worry about it. It’s our job to make sure that the business stays safe and there are no outages actually.
So I mean the clear message is it’s not too expensive. You can do something about it, and you don’t have to be an expert in it yourself.
Not at all. Yes, absolutely, right, yeah.
Great. Well Marc, thank you so much for coming on and talking to me about the threat landscape to small and medium-sized businesses.
My pleasure. Thanks again.