Social engineering threats to small organisations

Every day we see headlines dominated by big name corporates falling prey to cyber-attacks yet we rarely hear about Small Enterprise cases where the danger is just as great and the consequences fatal. Micro-businesses (0-9 employees) represent 95% of all UK businesses, whilst small businesses (10-49 employees) account for less than 4% of businesses in the UK.¹ In the last two years, 66% of small businesses have been the victims of a cyberattack. Many of these threats result from social engineering, which is the act of manipulating people in order to gain confidential information or convince them to perform certain actions.²

According to Cyber Security Services provider PurpleSec³, 70% of these businesses are unprepared to deal with a cyber-attack. Three out of four small businesses blame a lack of personnel dedicated to addressing IT security threats, and over half of these say that no budget is allocated to cyber security whatsoever.⁴ The consequences are dramatic as 60% of these businesses fail or cease trading within six months of a cyber-attack.⁵

Micro businesses tend to be more exposed to cyber threats due to their status and working methods differing from those of SMEs. Most micro businesses work with third-party partners, which results in 41% of data breach root causes.⁶ Anyone can impersonate one of the external contributors, for example the supplier, and send to the business in question an urgent email regarding a delivery issue which require them to confirm confidential information such as names, addresses, or bank details.

Often employees in micro businesses use their own personal devices, which makes them more susceptible to such risks such as data loss, intellectual property theft and malicious apps.⁷ Also, their perception of online threats turns out to be erroneous - the SME Cyber Survey 2018 revealed that more than 8 out of 10 Small and micro-businesses didn’t see cyber-attacks or data loss as a significant risk to their business.⁸ In most cases, micro businesses consider themselves too small to be attacked, and believe that their sector is of no interest to cyber-criminals.⁹

Phishing micro-businesses is relatively easy

Phishing (49%) and spear phishing (37%)¹⁰ remain the most common form of social engineering attack targeted at small businesses. There is a strong and ever-present risk to micro businesses from social engineering attacks. Sales and marketing departments are tasked with seeking out new leads and opportunities, and when the sales department receives a new Purchase Order or inquiry with an attachment, usually without thinking that employee will click on the link or download the attached file.¹¹

Unlike a phishing email which is directed towards many victims, a spear phishing email is a targeted attack that identifies a particularly high value member of the company to “spear”. The targeted nature of this attack makes it more difficult to detect as an attacker tailors the content of their message to their particular target. CEO fraud is a typical example of spear-phishing email in which the attacker passes himself off as a CEO or another C-suite executive in order to obtain confidential information or to transfer money to a fraudulent account. Such was the case with the tech start-up Skimlinks.

One of the attacks aimed at Skimlinks involved an email address attached to an almost identical domain – the only difference being the capitalisation of a letter. The email had been written to appear as if it had come from within the company and targeted the company’s financial controller. Posing as a senior member of staff, the attacker asked for a five-figure sum to be transferred to an account.¹² The individual however was correct to ask a senior member of staff for clarification, avoiding a serious incident of social engineering.

The consequence for small companies ignoring the risks of phishing attacks can be fatal. It is within every businesses’ interest to develop a strong cyber security policy that mitigates threats instead of ultimately waiting for an attack to happen. It is crucial that these security measures are integrated into corporate culture, as it’s the responsibility of every employee to recognise and thwart a social engineering attack.¹³