Small and medium sized businesses face a greater risk of cybercrime and online fraud than larger enterprises. In this article, we discuss why smaller businesses are being targeted, how cyberattacks can be avoided using effective monitoring and the steps that should be taken if you discover that your business is at risk.
Cybercrime and fraud is big business, costing the global economy anything from $300bn to $1tn per year, according to online security experts McAfee. The National Audit Office estimates that cybercrime costs the UK between £18 and £27 billion every year. In 2013 the Federation of Small Businesses warned that one in ten small or medium sized enterprises had suffered a data breach at a cost of hundreds of millions of pounds, and the risk to small and medium sized businesses is growing.
Certain sectors have always been vulnerable to fraud, in particular finance. However, the growth of the internet and the mass digitisation of information have exacerbated the risks to other sectors and smaller businesses. In particular, the rapid adoption of virtualisation, cloud computing and mobile technology has made the systems used by even the smallest businesses complex and therefore vulnerable to sophisticated attacks.
Although digital risk management is vital to reduce exposure to online criminality and fraud, it is equally important not to lose sight of other more basic risk-management practices such as well drafted employment contracts and employment policies.
It would be easy to assume that large companies face the greatest threat from cybercriminals. However, evidence is mounting that small and medium sized businesses are under increasing risk.
In a 2013 address at Coventry University, a Ministry of Defence spokesperson is reported to have stated that cybercrime has effectively become state-sponsored and industrialised. The spokesperson also indicated that smaller companies are now the prime targets.
As businesses invest in newer IT systems, their growing complexity can provide greater opportunities for cybercriminals, so it is essential that security is high on the agenda during an upgrade.
Cybercrime and online fraud are generally perceived as an external threat; however, businesses still face their greatest vulnerabilities from the inside. Awareness of this risk highlights the necessity for robust employment contracts and employment policies.
The ease with which digital information can be copied, downloaded or transferred elsewhere puts financial data, customer lists, intellectual property and commercially sensitive information at greatest risk from those with the easiest access. Employment policies backed by disciplinary procedures and appropriate terms in employment contracts can be useful tools for managing some of these risks.
In addition to deliberate criminality, poor policies and processes, lack of oversight or inadequate implementation and enforcement of policies can mean that even the most trusted employees leave valuable data exposed to cybercrime and fraud.
All internal systems and processes should be audited for cybercrime and fraud risk factors including both the practical policies and procedures necessary for day-to-day operations and the information technology systems that accompany them.
General risk management approaches should include basic elements such as employee background checks for new staff, know your customer (KYC) policies and employee training in areas such as anti-money laundering policies.
In addition, email and internet guidelines can significantly reduce the risks of cybercrime - GCHQ estimates that up to 80% of cyberattacks could be prevented with simple best practice procedures such as reporting suspicious emails.
Effective monitoring of digital and practical risk factors is essential for detecting and combating cybercrime and fraud. If fraud or a cybercrime attack is discovered there are two potential avenues for legal recourse. One is through the criminal law and the other through civil proceedings.
Businesses should seek immediate legal advice upon the discovery of cybercrime or fraud of any kind, as a fast response is essential. Freezing injunctions can be brought discreetly through civil claims (i.e. without those perpetrating the fraud being informed) in order to prevent assets from being moved on. Disclosure orders and search orders can also be sought in order to locate stolen assets.
Civil remedies often produce faster results than the police can deliver, an important factor in the stage immediately following discovery of fraud or a cyberattack.
The significant increase in the use of cloud computing and mobile technology has increased the risk of cyberattacks on small and medium sized businesses. It is important for businesses to reduce their vulnerability by introducing basic digital risk management practices such as effective employment contracts and policies for internal threats.
Businesses that suffer from cybercrime or fraud attacks should seek immediate legal assistance for advice on the most suitable legal remedies. For specialist advice regarding the combating of cybercrime and fraud contact David Wheeler on 020 7353 1770.