UK small businesses say cyberattack fears, not cash flow, keeps them awake at night


Proof-of-concept for exploiting Microsoft-NSA crypto bug available online
Two proof-of-concept exploits published for the CurveBall (CVE-2020-0601) vulnerability.

UK small businesses have revealed that potential cyberattacks or malware infections cause more worry than staffing or cash flow issues, according to new research. 

SMBs may not be as well-known or prominent as today’s enterprise players, but this does not mean they are at less risk of being targeted either by determined threat actors or having their systems infected by malware, whether by Trojans, ransomware, or other malware variants — all of which can cause serious disruption to everyday business operations. 

See also: WordPress plugin vulnerability can be exploited for total website takeover

Indeed, due to their size, SMBs may not have the resources or expertise required to maintain an adequate security posture and they may not have established procedures should a successful attack or infection occur. 

On Wednesday, new research (.PDF) published by cybersecurity firm Sophos suggested that in the UK, small organizations have woken up to the prospect of digital threats but have not caught up when it comes to protecting themselves. 

A 2019 survey conducted by Sapio Research on behalf of Sophos, made up of over 400 decision-makers in organizations of between 10 and 100 employees, found that 42 – 46 percent of executives, depending on the SMB’s size, view cyberattacks and malware infections as their biggest concern. 

CNET: Ancestry says police requested access to its DNA database

This is beyond staffing issues, pegged at between 35 and 45 percent; legislative changes at between 32 and 39 percent, and cash flow issues at between 28 and 36 percent.

screenshot-2020-02-05-at-11-59-06.png

Overall, 73 percent of UK SMBs use some form of business-grade security solution, but despite the awareness of cybersecurity risks, 62 percent of UK SMBs have also introduced consumer-grade security products and antivirus software — and this rate increased to 73 percent when decision-makers from the youngest companies were asked the same question. 

As consumer-grade software is generally designed to protect one or a handful of devices rather than business setups and networks, this alone may be opening up an avenue for attack. 

The trend toward Bring Your Own Device (BYOD) is still in play, with a lean towards startups and younger companies. In total, 59 percent of new SMBs allow personal devices to connect to corporate networks and 44 percent also permit third-parties and contractors to do the same. In comparison, only 33 percent and 6 percent of businesses operating for 16 years or more allow BYOD connections. 

TechRepublic: Why many security pros lack confidence in their implementation of Zero Trust

Age, however, does not mean an improved security posture, as 31 percent of organizations in this age range do not know which cloud services they use, and 31 percent are not aware of which file-sharing systems are used by staff to share information. In stark contrast, this drops to 13 percent and nine percent, respectively, for companies between one and five years of age.

When it comes to security policies, SMB management generally has a hands-on role, with 59 percent of respondents saying senior management defines IT practices including credentials management and network access rights. 

In 44 percent of companies, software updates are managed internally by IT staff, but 36 percent of UK SMBs also rely on senior management to make the call of what — and when — to update. 

Individual employees, however, are relied upon in one in five cases to install updates and to self-police in companies with fewer than 25 — or more than 100 — members of staff. An interesting point to note is that this rate falls to one in 10 when a company hires between 25 and 50 employees, according to the research.  

“It is inaccurate to say that smaller businesses are not as concerned about cyberthreats as their larger counterparts, or that an organization’s cyber risk profile can be defined simply by its number of employees,” says Adam Bradley, Regional Vice President UKI & Nordics at Sophos. “In fact, our research suggests that the biggest risk differentiator is years of operation, and that smaller firms do worry about cyberthreats — it’s just that this doesn’t always translate into secure behavior.” 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0




Source link