Viewpoint: Small firms prove to be weak link to hackers

Image caption: Surveys suggest many small businesses would not notice a cyber-security breach

Small businesses - those employing a few hundred people or fewer - are increasingly becoming the target of hackers.

They may not think they have any data worth stealing but even the smallest company can be custodian to information that represents hard cash to criminal gangs: credit card details, customers' names and addresses, or the designs vital to an innovative start-up - all have a ready criminal market.

When attention-grabbing headlines such as "UK suffering 1,000 attacks an hour" are reported, there is a tendency to assume this is an issue only for the larger enterprises: household names that we think of as the powerhouse of our economy.

However, that is a dangerous mistake to make.

There is mounting evidence that small businesses could be our Achilles heel when it comes to cyber-security. And it is these small businesses that are the foundations upon which our economy rests: destabilise them and everything else comes crashing down.

Weak protection

Over the past 12 months a number of surveys have emerged which suggest that in excess of 60% of these small businesses have suffered some form of successful malware attack.

Image caption: Most small businesses cannot afford the IT professionals who help safeguard the servers of larger firms

When you realise that even basic security precautions will result in the majority of attacks "bouncing off", you begin to understand that these businesses must be quite poorly prepared for the hackers to be so successful.

It's not entirely surprising that small businesses are quite so poorly defended.

Someone running a small business is not necessarily going to have security as their main priority.

They are typically entrepreneurs not security experts. Money is always tight and there is a natural dynamic tension between need and cost.

You can see which way the tension is tending when you read in the same surveys that nearly 20% of small businesses only concern themselves with cyber-security following an intrusion. More worrying still, one report indicates that 10% of small businesses would have no way of knowing if they had been successfully attacked.

Breached back doors

Criminals also recognise that smaller businesses can often be a way of reaching onward to the larger firms.

It is as true now as it ever was that the weakest part of a chain is where you should attack. The supply chains in our modern, global, hyper-connected economy are highly extended: a larger international corporation can have upwards of 5,000 to 10,000 smaller suppliers contributing to its end products and services. That represents a lot of potential back doors.

To date, selling security software has been akin to selling insurance.

Sadly, the perception is that it will "never happen to me", so smaller businesses put off what they see as a significant expense for what they see as a very remote eventuality.

There is even a suggestion in some surveys that smaller businesses are tempted to use unlicensed security software, or, worse, that which they are offered for "free".

Unfortunately, far from offering protection, such software is sometimes the very vehicle for carrying malicious software into the company's systems.

You should use "free" software only if you are sure it is from a reputable company, and that the company which built it provides it directly.

Insecure suppliers

As smaller businesses feed the larger businesses, those larger businesses are becoming acutely aware that potentially valuable assets could be at risk somewhere further down their supply chain.

Take, for example, a car manufacturer that creates a cutting-edge headlight design.

They don't fabricate the lights themselves but pass the designs to a smaller manufacturer who in turn may subcontract elements of the manufacture.

Image caption: A hack attack can risk a small supplier losing its contract with its client

That cutting-edge design, worth considerable sums in intellectual property, can end up with a relatively small business and is then protected using only that business's security, not that of the large car manufacturer.

Hence, if a small business is to join one of these large supply chains, it can differentiate itself from the competition by demonstrating that it can protect the intellectual property entrusted to it to the same degree as it is protected at the start of its journey.

An emerging trend is for those who disseminate valuable intellectual property to large distributed supply chains to track and audit who has access to what data. If the smaller business proves to be a source of a leak then, I would suggest, it will not be in that supply chain for very long.

Small businesses cannot put off considering cyber-security any longer.

Just as you hire in expertise for doing the accounts, there are many who can advise on the best way to protect both your own and your clients' valuable data.

Failure to do so will ultimately cause the business to fail, either through direct losses from an attack or from being dropped by customers who feel their data is inadequately protected.

Alan Woodward is a visiting professor at the University of Surrey's department of computing. He has worked for the UK government and consults on issues including cyber-security, covert communications and forensic computing.
