This article was first published in the September UK edition of Accounting and Business magazine.

It’s a worry that businesses across the world share: that a computer virus will get into the company’s IT systems and wreak havoc. Malicious software (or malware) can come in myriad forms, and the worst attacks can result in files being stolen, destroyed or locked, only to be unlocked on payment of ransom.

But the cost can be far more than just financial; reputations can also be left in tatters. TalkTalk, for example, was hacked in 2015, putting the details of 157,000 customers at risk, costing the company £60m and resulting in 95,000 customers going elsewhere.

While big businesses make the headlines following such high-profile attacks, it is smaller enterprises that are at most risk. SMEs have the weakest financial muscle to spend on cyber security, the fewest number of skilled staff and are more likely to believe they’re safe from attack. ‘The idea that it’ll happen to someone else is very much prevalent,’ explains Massimo Cotrozzi, head of cyber engineering and threat intelligence at Deloitte UK. ‘This thinking that you are too small for hackers to bother with shows a poor understanding of the threats.’

This naivety is highlighted by the Federation of Small Businesses (FSB)’s cyber-resilience report, which found that a startling 66% of small businesses were victims of cybercrime in 2014/15 – at an average of four times each. Many SMEs claim to take security seriously: 93% say they have measures in place. However, this is often just anti-malware software, usually bought off the shelf. ‘Many of the vendors oversell products,’ says Cotrozzi. ‘None are 100% able to stop malware, and there is no one thing you can buy that will make your business secure. SMEs are buying what the market is offering, rather than what the business actually needs.’

It can be frustrating for security experts to see old malware continuing to inflict damage. Conflicker, a botnet worm (see box), has been around since 2008 and remains prevalent. CERT-UK, the national computer emergency response team, cites this malware as the UK’s most common, with 530,000 incidents reported in 2015. In the US, data from security business Looking Glass shows that 27% of all botnet infections are Conflicker.

Maintenance regime

Such malware can be avoided by simply following good ‘cyber hygiene’, such as upgrading operating systems and installing patches. Yet too many businesses don’t do this. ‘A lot of people are still using an older operating system because it’s still doing its job,’ explains Becky Pinkard, VP of service delivery and intelligence at security business Digital Shadows. ‘They don’t understand the exposure and risk they face.’

Pinkard does have some sympathy for those struggling with cyber security. ‘Frankly, it’s difficult to do,’ he says. ‘Systems evolve at a pace that’s hard to match.’ Data from Looking Glass shows that malware has increased by 400% in the past five years. Every day brings new strains, and this challenge is especially hard for small businesses. ‘It requires a holistic understanding. There are many types of security, and finding people with the skills to bring it all together is very difficult.’

Risk assessment

Understanding the risks is vital. Cotrozzi sees common mistakes in the analysis of cyber threats. ‘Businesses are only thinking about prevention. What they need to do is understand that they’re already compromised. Instead of trying to prevent things, which is impossible, they need to put in place measures that ensure no damage is done to the organisation through the detection, reaction and eradication side of security.’

The Government’s Cyber Security Breaches Survey 2016 showed that while 69% of businesses said security was a high priority for senior managers, only 29% actually have a formal cyber-security policy in place, and a mere 10% have a formal incident-management plan. In the FSB survey, this last figure falls to 5%.

Underestimating the hacker is another mistake. Cotrozzi says many are ‘very skilled’ and have a sophisticated business model. There has been a huge increase in ransomware in the past year; some criminals even offer it through software as a service (SaaS). This malware locks the user out of the system until a ransom is paid, often in bitcoins or even Amazon vouchers. Given the charge is frequently quite low – typically about £400 – it may be tempting to just pay it. But the process will be repeated and criminals sell details of compromised systems to each other. Pinkard believes that, with ransomware, we’ve only seen ‘the tip of the iceberg’.

The hacker only has to identify one weakness that can be exploited, but the security side must attempt to protect everything. ‘We make sure we understand the risk profile of our clients, while simultaneously managing their expectations,’ says Pinkard.

Staff training can do much to reduce risk, and expert help is available. Good advice can be found on government websites such as the Cyber Essentials Scheme, and from organisations such as the FSB. Cotrozzi suggests employing highly skilled security consultants, the cost of which is less than that incurred when sorting out the mess left by an attack. Pinkard also says businesses must have an incident plan in place, as complacency is the greatest risk.

It has been said there are two types of company: those that know they’ve been hacked, and those that don’t yet know it. Any sensible manager would want to be among the former.

Matt Warner, journalist