Small businesses are under constant attack from malware, scams and online fraud.
They are not only losing money directly to fraud, but also in costs associated with maintaining security. Small businesses are simply woefully under-prepared to keep their assets safe. Despite reorganisation and redirected priorities, the police can still do little to help.
This all emerges from a report on the threat of online fraud to small UK businesses, released by the FSB. No, not Russia’s slightly cuddlier successor to the KGB; this is the Federation of Small Businesses, a UK pressure group representing the needs of small businesses, and providing a range of services to them, boasting over 200,000 members.
The study takes the form of a survey of a subset of that membership, covering their experiences of online fraud, their attitudes to how it affects them, and what actions they’ve taken to protect themselves.
Now, such studies are notoriously biased – asking people with a vested interest and minimal specialist knowledge what they think of a complex technical issues will always give some off-the-wall results.
This report contains some useful data though, both on what small business owners think has happened to them in the past, and on the parlous state of their cyber defences.
The report kicks off with a third-party figure of £18.9 billion lost to fraud by small-and-medium enterprises. This boils down to an average of just under £4000 per business in their study, although that covers all kinds of fraud. A previous analysis came up with a figure of £2900 for ‘normal’ fraud, hinting that the figure for online losses is over a quarter of the total.
On the plus side, 49% of businesses suffered no fraud losses at all, and only around 7% lost more than £5000. 10% reported incidents of card fraud, including ‘card not present’ problems associated with online trading. Such issues, along with the costs and complexity of PCI-DSS compliance, have apparently discouraged many businesses from operating online at all.
20% report ‘virus’ infections, with a further 8% spotting hacking or other ‘electronic intrusion’, and that’s only those that knew about the issues – 73% claimed they had had no problems.
It would be interesting to see how the list of victims overlaps with those who regularly apply security patches to software (a mere 36%), and those who regularly update their anti-virus software (a much higher, but still rather depressing, 59%). 17% claimed they took no actions to counter cyber-attack, from a lengthy list of options.
The figures contrast rather oddly with another survey published just a month ago, produced by the Department for Business, Innovation and Skills (BIS), who also partnered with the FSB on this report. That survey does cover all types of data breach and all associated costs though, rather than just the direct costs of fraud.
A lot of businesses have gripes about the banks, how little they do to help and how much they cost. They also claim the police don’t help much either.
Indeed, among the study’s headline recommendations are a need to ‘manage expectations around the police response to fraud and online crime by highlighting the benefits of reporting in terms of feeding into a wider intelligence picture’ and ‘Inform businesses what the police do not have the capacity to deal with so they can take preventative measures to help themselves more’.
This is basically admitting that if your businesses is robbed online, the police may provide you with a pat on the hand and a sympathetic “there, there”, but that’s about it – you should be dealing with this stuff on your own.
At least there is that encouragement to keep reporting issues so their levels can be monitored, which gives some hope that one day even the police will begin to sit up and take notice. The police’s centralised, outsourced Action Fraud reporting system is referenced.
The FSB study also provides a good, clear ‘ten top tips’ to help business owners protect themselves.
It includes the basics of running up-to-date security software, applying patches and using at least reasonably strong passwords.
Here is the FSB top ten tips:
- Implement a combination of security protection solutions (anti-virus, anti-spam, firewall(s))
- Carry out regular security updates on all software and devices
- Implement a resilient password policy (min eight characters, change regularly)
- Secure your wireless network
- Implement clear and concise procedures for email, internet and mobile devices
- Train staff in good security practices and consider employee background checks
- Implement and test backup plans, information disposal and disaster recovery procedures
- Carry out regular security risk assessments to identify important information and systems
- Carry out regular security testing on the business website
- Check provider credentials and contracts when using cloud services
This is a good start, but business owners clearly need a lot more help. In the UK at least, they may not be so at risk from the POS malware targeting their US cousins, but they face some serious issues.
Many of these problems are based on a simple lack of know-how and IT security illiteracy.
Sadly, even the best defenses can get breached, and there needs to be a stronger deterrent in the criminal system. With the internet involved, this means global action, which remains a rather distant dream.