How Small Businesses lose nearly £800 million a year to Cyber Crime according to FSB
The Federation of Small Businesses recently polled its members on whether they have been hit by cybercrime. The results show that some 41% of FSB members have been a victim of online crime, most of which have been virus infections. The results also show that 8% of members have been a victim of hacking and 5% have had a security breach.
Although at face value hacking and a security breach are interchangeable, it can likely be assumed that 'security breach' represents lax control of passwords, such that they are given to, or obtained by, unauthorised individuals without any skill at programming.
The Federation claims that £785 million is lost a year to these attacks; a figure which seems overly large to me.
There exist viruses which will record keystrokes and thus can be used to obtain banking details. Online banks are aware of this threat, however, and have implemented the following safeguards:
- A move to authenticators which are physical devices that cannot be reached by online criminals and produce a different passcode for each online banking session. If a keylogger records and sends this password then there is no threat as the next session will require a different code.
- If the customer declines to use an authenticator, online banks will ask for certain characters from a password. Each session will ask for different characters. Although a determined keylogger will eventually record each character of the password, there is still a huge obstacle to overcome for the would-be bank account hacker in that the passwords are long (typically 14+ characters) and randomly generated. The requested characters are also random and not asked for in order. Essentially the hacker would have to work through some 14! (factorial) potential passwords.
- Banks are also pushing the security software Trusteer Rapport onto their customers to further protect against fraud.
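The second safeguard above says a keylogger will "eventually" record every character. The following added example (not part of the original article) quantifies that: it computes exactly how likely it is that a fresh challenge asks only for positions already typed during earlier sessions on an infected machine. The 14-character length comes from the text; the 3 characters asked per login and the uniformly random choice of positions are assumptions.

```python
from fractions import Fraction
from math import comb

# Assumed parameters (only the 14-character length comes from the article):
PASSWORD_LENGTH = 14   # "typically 14+ characters"
ASKED_PER_LOGIN = 3    # assumption: the bank asks for 3 positions each session


def exposed_positions(n, k, sessions):
    """Exact distribution {m: probability} of the number of distinct password
    positions typed at least once over `sessions` logins, when each login asks
    for k of n positions chosen uniformly at random."""
    dist = {0: Fraction(1)}
    for _ in range(sessions):
        nxt = {}
        for m, p in dist.items():
            for new in range(k + 1):
                # `new` previously unseen positions, k - new already-seen ones
                ways = comb(n - m, new) * comb(m, k - new)
                if ways:
                    nxt[m + new] = nxt.get(m + new, 0) + p * Fraction(ways, comb(n, k))
        dist = nxt
    return dist


def challenge_covered(n, k, sessions):
    """Probability that a fresh challenge asks only for positions that were
    already typed during the logged sessions."""
    dist = exposed_positions(n, k, sessions)
    return sum(p * Fraction(comb(m, k), comb(n, k)) for m, p in dist.items())


def sessions_until(n, k, threshold, limit=500):
    """Smallest number of logged sessions at which challenge_covered reaches
    `threshold`, or None if that does not happen within `limit` sessions."""
    for s in range(limit + 1):
        if challenge_covered(n, k, s) >= threshold:
            return s
    return None


if __name__ == "__main__":
    for s in (1, 5, 10, 20, 40):
        p = challenge_covered(PASSWORD_LENGTH, ASKED_PER_LOGIN, s)
        print(f"{s:>3} logged sessions -> {float(p):.3f}")
```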
The other major threat from a virus would be if the infected computer was put completely out of action. If the small business owner did not have the foresight to back up their files, there is the potential for loss of information important to the operation of the business. It would be a rare and potent virus that could render this data completely unrecoverable, however. If the small business owner does not have the know-how to carry out a recovery him/herself, then data recovery businesses can carry out the service for around £200-300.
The two aforementioned scenarios are both relatively rare; the typical virus infection is mostly harmless and easily fixed with free antivirus software. Overall the average cost incurred to a business per virus infection is very low.
For a small business, hacking generally refers to a compromised website. As noted by the FSB, two thirds of businesses do not use their website for sales. At worst this will result in no more than defacement; electronic graffiti that is easily cleaned away.
For those businesses that do use their website for sales, there are two key threats:
- Hack renders website inoperable, resulting in loss of income. However, it would be a very rare breed of web developer that has the proficiency to install an effective online sales system without having in place a procedure to deal with site backups & restoration in the event of an attack.
- Sales system hacked to give false orders. If the company distributes products with no proof of payment then I would say it's not cybercrime, but poor company procedures that cause the loss in this scenario.
Add in the fact that, by virtue of their size, small businesses are far less likely to be targeted, but are most likely to be hit in blanket attacks, and the loss of approaching 1 billion a year is starting to seem an exaggeration.
My opinions come from experience, as our company, BPM Maintenance, has been the target of hacking attempts. However, the cost incurred to the business has been negligible.
The strangest part of this study, though, is its intentions. Certainly, keeping businesses aware of the risks and necessary precautions is a worthy goal, but at what cost? The FSB claim they are concerned that the cost stated is even greater due to smaller firms refusing to trade online due to security concerns. Highlighting the large losses incurred by small firms from online crime is not likely to alleviate those concerns.