The aggressive cyber-targeting of UK SMEs has spiked in the last two years and yet, outwardly at least, an eerie sense of calm still prevails. Every now and again a rumble from this increasingly damaging conflict is heard beyond the world of commerce in reports of extortion and DDoS, but it's hard to escape the feeling that SMEs are being left to quietly fend off the attacks on their own.
Nobody has an accurate tab on the scale of successful attacks - many SMEs keep these to themselves for fear of negative publicity - but stories drip out from time to time of real businesses in London and beyond that have been hurt by a tide of invoice fraud, DDoS attacks, extortion demands, web incursions and relentless bank phishing.
Most of the evidence comes simply from studying the level of targeting and inferring the damage it must be causing for that criminal business model to be sustainable. A telling recent example of this was an alert put out in March 2016 by Action Fraud on a surge of extortion attacks aimed at small businesses by a group calling themselves the 'RepKiller team'. The MO was pretty brazen: SMEs were told to pay a Bitcoin ransom equivalent to £300-£500 or they would be hit with unspecified cyberattacks and an automatic campaign of negative online reviews of their services.
The significance of RepKiller is the design of its extortion. Most extortion attacks are based on some kind of demonstration of the power of a criminal group to hurt the target, usually using DDoS to disrupt websites or servers. With this campaign it seems that the criminals are now so confident of achieving economic success they have dispensed with the need for shock and awe. That should be a warning light.
London Digital Security Centre
Times are challenging, then, but perhaps it's not all doom and gloom. A small but possibly significant clutch of organisations has started mobilising with the aim of giving smaller organisations a place to start re-thinking how they approach cybersecurity from the ground up. One such body is the London Digital Security Centre (LDSC), headed by a quietly-spoken Californian, Patrick Nuttall, seconded from his job working for KPMG's Cybersecurity team.
Nuttall and the LDSC started work almost a year ago after being handed two years of setup funding from public money as part of the Mayor's Office of Policing and Crime (MOPAC), reflecting a worry that the issue of SME cybercrime was starting to overwhelm the outreach capabilities of police agencies such as the National Crime Agency (NCA), Metropolitan Police and City of London Police. Police cybercrime units were designed to gather intelligence, pursue criminals and follow trails of evidence with a view to eventual prosecution. What they were never set up to do is advise enough London-based businesses on a timescale that would significantly boost prevention.