Espionage-as-a-service: Brewing up a new threat to UK small businesses.
There was new research from the Home Office led Cyber Streetwise programme last week.
The latest poll shows that only 16% of small businesses in the UK said that improving their cyber-security was a “top priority” for 2015. 66% of businesses “don’t consider their businesses to be vulnerable” and more than three-quarters don’t understand the new cyber security threats.
Depressing news? Yes, but it’s hardly unsurprising to those of us at the “coal face” of the Infosec industry.
I was talking to a customer recently who runs a micro-brewery based in the UK. The real ale industry is not the first business type that springs to mind when people discuss typical industries under threat of a cyberattack.
My customer mentioned that he had heard an interesting story in his circle – another contact had been approached by an ex-employee of a neighbouring brewery. Would the contact be interested in someone gaining access to the CRM system and network of this big competitor – for the right price of course?
The microbrewery industry has seen a huge growth of the last five years, with many new entrants into the market, some powerfully established big players and a growing base of trade and retail customers. It’s such a tight and competitive market, that the offer of any unauthorised information would be like gold dust to the right person, someone who had a desperate need for this intelligence to improve their competitive advantage.
Apparently the brewery business declined the offer. And my customer hasn’t heard anything since, but assumes the authorities alerted and the competitor informed.
This idea of a “hacker for sale”, “mercenary hacker” or “espionage as a service” (EaaS) is usually referring to highly organised criminal groups, who have high levels of skill and are able to evade discovery by a variety of specialist skills. According to Jeffrey Carr, president and CEO of cyber security firm Taia Global, who has written a report on the subject,“the low risk of discovery…and growing demand of their services ensures that the EaaS threat actor will flourish in the coming 12 to 24 months.”
But, as the anecdote reveals above, small businesses and regional and national manufacturers are also at risk of the same type of hacking attack, if on a much smaller scale.
Small businesses are not taking the most simple of security measures – many clients are completely oblivious to the fact that they HAVE been hacked in the past, and they also have no way of knowing what information has been stolen, and how far it has been disseminated.
Any business that has confidential information (and who doesn’t?) is at risk from cyber criminals – maybe disgruntled employees or other hackers who are after an easy way to earn a quick buck. This new type of “threat actor” needs to be publicised to the small business community.
Companies are obviously wary of publicising the fact that an attack has been attempted or been successful. If they openly shared this information with the authorities and within their trade – it would bring a much higher profile to the risk of cyberattacks, and destroy some of the old myths continuing to dog the cyber security industry.
The Cyber Streetwise programme discovered that 22% of small businesses still believe the myth that small companies aren’t a target for hackers. Again, as we show over and over again, the truth is that small businesses are a bigger target than ever because they typically hold far more data than the average consumer, but often don’t have any additional preventative measures in place to protect themselves. Last year 33 percent of small UK businesses suffered a cyber-attack from someone outside their business. As suppliers, they are also a route in to larger companies.
And as for the microbrewery? I asked my competitor to check with his circle of contacts to find out the actions that have been taken by the authorities and industry to prevent another “mercenary hack” offer. I’ll keep you posted…
Next week – A little voucher makes a big difference – a quarter of small businesses think that cyber security is too expensive to implement – how innovation vouchers may help SMEs to overcome this stumbling block.