Why SMEs Need to Look Beyond the Headlines of the Tesco Bank Cyber Attack
When large organisations such as Tesco Bank hit the headlines as victims of a successful cyberattack or data breach, it can reinforce the perception amongst SMEs that they have little to fear. Why would a cybercriminal target a small organisation, when they can have a £3,000,000 pay day going after the likes of the supermarket chain? The fact is that SMEs are falling foul of the cybercriminals every day; it just isn’t headline news. The difference is Tesco will survive such an incident whilst many SMEs will not be so lucky.
IBM says that well over half of all cyberattacks are targeted specifically against SMEs and, according to the National Cyber Security Alliance in the US, 60% of SMEs who are hit with a cyberattack will go out of business in the following six months – due, largely, to the cumulative costs of dealing with a successful attack. Similar research is not available for the UK but there is no reason to believe that the situation here is any different.
Tesco has the money to ride the storm but when you consider the likely costs of refunding customer losses, the resources required to complete a thorough investigation into what happened and the inevitable legal costs, the financial impact is significant. Then you have the issue of reputational damage and how that will affect the ability to retain existing customers and attract new ones. Finally, if the genesis of this attack lies in negligence on the part of someone on the Bank’s staff, whether intentional or unintentional (and for most cyberattacks this is typically the case), a stiff fine will certainly follow.
Elizabeth Denham, the Information Commissioner, has made it very clear that she is determined to make companies pay attention to their data protection responsibilities and that she is happy to apply the stick to make sure they do. One saving grace for Tesco Bank is that the General Data Protection Regulation (GDPR) is not yet in force – because any fine under that law will in all likelihood be a good deal higher.
Regardless, no SME can afford the financial cost, reputational harm and distraction away from their core business that a cyberattack inevitably causes.
The fact is that no company is too big or too small to be of interest to cybercriminals who will happily steal whatever data they can get their digital hands on. Every bit of data – everything – has a value to the criminal. Often small businesses are not the ‘main target’ but a conduit to a larger prize, being seen as the weak link in the supply chain. But simple information security precautions and practices can go a long way to making sure that businesses are much less likely to join the growing list of victims and much better prepared in the event that they are attacked.
Simple things make SMEs safer:
- Make sure employees are educated about the threat and are constantly reminded and updated.
- Use an effective filter for emails and do not open emails or attachments unless you know who they come from.
- Make sure that all electronic devices are promptly updated whenever security patches are issued.
- Ensure that a meaningful password policy is in place and enforced.
- Ensure that information security management is proactive.
As the digital world becomes ever more complex and yet more devices are added to IT networks, the opportunities for criminals are multiplying. Smartphones and tablets are as vulnerable to viruses as other computers. ‘Internet of Things’ devices which, though you may not realise it, are connected directly into computer networks, frequently have zero security. Social media sites are dangerous places where it is easy to pick up cyber infections, which can then be passed on to other connected devices – so if someone works and plays on a smartphone, the risk rises dramatically.
Be aware, be proactive and take action. Don’t be a victim of apathy or ignorance.
CEO of Bronzeye IBRM
BronzeyeIBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.