Only 36% of small firms apply security patches. No wonder cybercrooks are stealing their cash

Filed Under: Data loss, Denial of Service, Featured, Malware, Security threats, Vulnerability

Small businesses are under constant attack from malware, scams and online fraud.

They are not only losing money directly to fraud, but also in costs associated with maintaining security. Small businesses are simply woefully under-prepared to keep their assets safe. Despite reorganisation and redirected priorities, the police can still do little to help.


This all emerges from a report on the threat of online fraud to small UK businesses, released by the FSB. No, not Russia's slightly cuddlier successor to the KGB; this is the Federation of Small Businesses, a UK pressure group representing the needs of small businesses, and providing a range of services to them, boasting over 200,000 members.

Survey synopsis

The study takes the form of a survey of a subset of that membership, covering their experiences of online fraud, their attitudes to how it affects them, and what actions they've taken to protect themselves.

Now, such studies are notoriously biased - asking people with a vested interest and minimal specialist knowledge what they think of complex technical issues will always produce some off-the-wall results.

This report contains some useful data though, both on what small business owners think has happened to them in the past, and on the parlous state of their cyber defences.

Stats

The report kicks off with a third-party figure of £18.9 billion lost to fraud by small and medium enterprises. This boils down to an average of just under £4000 per business in their study, although that covers all kinds of fraud, not just online. A previous analysis came up with a figure of £2900 for 'normal' fraud, hinting that online losses account for over a quarter of the total.

On the plus side, 49% of businesses suffered no fraud losses at all, and only around 7% lost more than £5000. 10% reported incidents of card fraud, including 'card not present' problems associated with online trading. Such issues, along with the costs and complexity of PCI DSS compliance, have apparently discouraged many businesses from operating online at all.

20% report 'virus' infections, with a further 8% spotting hacking or other 'electronic intrusion', and that's only those that knew about the issues - 73% claimed they had had no problems.

It would be interesting to see how the list of victims overlaps with those who regularly apply security patches to software (a mere 36%), and those who regularly update their anti-virus software (a much higher, but still rather depressing, 59%). 17% claimed they took no actions to counter cyber-attack, from a lengthy list of options.

The figures contrast rather oddly with another survey published just a month ago, produced by the Department for Business, Innovation and Skills (BIS), who also partnered with the FSB on this report. That survey does cover all types of data breach and all associated costs though, rather than just the direct costs of fraud.

Police action

A lot of businesses have gripes about the banks, how little they do to help and how much they cost. They also claim the police don't help much either.

Indeed, among the study's headline recommendations are a need to 'manage expectations around the police response to fraud and online crime by highlighting the benefits of reporting in terms of feeding into a wider intelligence picture' and 'Inform businesses what the police do not have the capacity to deal with so they can take preventative measures to help themselves more'.

This is basically admitting that if your business is robbed online, the police may provide you with a pat on the hand and a sympathetic "there, there", but that's about it - you should be dealing with this stuff on your own.

At least there is that encouragement to keep reporting issues so their levels can be monitored, which gives some hope that one day even the police will begin to sit up and take notice. The police's centralised, outsourced Action Fraud reporting system is referenced.

Top tips

The FSB study also provides a good, clear 'ten top tips' to help business owners protect themselves. It includes the basics of running up-to-date security software, applying patches and using at least reasonably strong passwords.

Here are the FSB's top ten tips:

  • Implement a combination of security protection solutions (anti-virus, anti-spam, firewall(s))
  • Carry out regular security updates on all software and devices
  • Implement a resilient password policy (min eight characters, change regularly)
  • Secure your wireless network
  • Implement clear and concise procedures for email, internet and mobile devices
  • Train staff in good security practices and consider employee background checks
  • Implement and test backup plans, information disposal and disaster recovery procedures
  • Carry out regular security risk assessments to identify important information and systems
  • Carry out regular security testing on the business website
  • Check provider credentials and contracts when using cloud services

This is a good start, but business owners clearly need a lot more help. In the UK at least, they may not be so at risk from the POS malware targeting their US cousins, but they face some serious issues.

Many of these problems are based on a simple lack of know-how and IT security illiteracy.

Sadly, even the best defences can get breached, and there needs to be a stronger deterrent in the criminal justice system. With the internet involved, this means global action, which remains a rather distant dream.


Image of small businesses and small business crushed by foot courtesy of Shutterstock.



About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.