Large UK businesses are getting pwned way more than smaller ones

Larger businesses in the UK are far more likely to be victims of attacks than smaller ones, according to a survey by the British Chamber of Commerce. Nearly half (42 per cent) of companies with more than 100 staff have been hit by information spillages, hackers or malware attacks. This figure compares to 18 per cent of …

  1. Anonymous Coward

    Or...

    Hackers tend to target larger businesses because of a bigger expected profit...

    1. BebopWeBop

      Re: Or...

      Yup, the much quoted (although he always denied it) Willie Sutton. Sutton was asked by reporter Mitch Ohnstad why he robbed banks. According to Ohnstad, he replied, "Because that's where the money is." And in a later interview, reminiscent of many hackers:

      "Why did I rob banks? Because I enjoyed it. I loved it. I was more alive when I was inside a bank, robbing it, than at any other time in my life. I enjoyed everything about it so much that one or two weeks later I'd be out looking for the next job. But to me the money was the chips, that's all."

    2. Tom Paine

      Re: Or...

      That's where they're wrong. There's a gigantic pot of gold guarded by a lot of teeny weeny firms whose IT is handled by the CFO's nephew who's "good with computers" in a particular industry sector, and when the financial fraudsters discover it, an awful lot of hedge funds are going to lose a hell of a lot of money...

      (WHOOPS! Did I say hedge funds?)

  2. sitta_europea

    "More guidance from government and police about where and how to report attacks would provide businesses with a clear path to follow ..."

    ... even if that path doesn't actually lead anywhere. Personal experience. A lot of it.

  3. Anonymous Coward

    More likely just a case of security by obscurity...

    And that the rewards and prestige of hacking a larger organization are usually larger as well.

  4. Lotaresco

    I'm a computer security "expert".

    So, please feel free to ignore everything I say, just like the big corporates who hire me do.

    It's an odd business, advising businesses about security. Small businesses tell me it's all a rip-off and that they don't want to spend money on "consultants". The small businesses that think they can avoid security are the ones that probably need to pay some attention to it. Solicitors, insurance agents, internet cafes, pubs, clubs etc. For these businesses there is a tendency to under-report incidents. Partly because they don't recognise when their systems have been compromised and partly because they are, as others have observed, not really of interest to anyone. Not enough assets. Also they tend not to have their assets in one place. They will have on-line banking but it tends to be separate from their billing, invoicing and payroll systems. Much of their financial work will be done in spreadsheets and then copy-typed into the on-line banking system. A type of air gap. That said, there are criminals who target these sorts of businesses and who get them to pay fake invoices, hand over their banking details, perform transfers for "security" reasons to the scammers' accounts, of course, and the scammers get away with it.

    The medium-large companies seem to be the ones where there's a perfect combination of laziness, tight-fisted attitudes and incompetence. They don't recognise they have outgrown their systems, they keep going and do silly things like hosting their own web delivery on the same system that processes their finances. Their IT support guys are behind the curve and do silly things like logging in as root over and over again. They have inadequate passwords, they password-share and they like to work from home. Even in this day and age they use insecure protocols for remote access. They also tend to do things like having no separation between development and production systems (or usually have no concept of using a development system) and they take chances like patching live systems during office hours using a patch they downloaded at home and whacked on a USB stick. These organisations will often pay for security advice then ignore it, because it seems "a bit difficult" or "costly". However they won't have costed the proposal; it will just be done by "gut feel".

    Larger businesses are also vulnerable because of the infinite monkey cage effect. A business with 10 employees has to be unlucky to have someone who will not care about their job to the extent that they will do something careless. A business with 1,000 employees is guaranteed to have some prize careless dopes on the payroll. The sort of people who will click on that link despite being told hundreds of times not to do it. When they happen to coincide with the manager too mean to keep the anti-malware updated and systems patched, then bad things happen.

    1. Roland6

      Re: I'm a computer security "expert".

      Re: Even in this day and age they use insecure protocols for remote access.

      The trouble is small businesses are in the main bastions of MS SBS 2008 and later and are serviced by very small outfits who don't understand the need for continuous professional development and MS certification and (in my experience) are well behind the curve with respect to good security practice.

      One company I sometimes advise is on Server 2012, the problem is that they use MS RDS "out-of-the-box" - because that is the limit of the competence of the installer they used. So all the security for RDS, Exchange and OWA is as provided by default by MS.

      I suspect that many larger businesses also use the MS products largely out-of-the-box. So the question is more how do you make RDS access more secure? I'm not talking so much about password quality, but the fact that the server is exposed to the Internet via the RDS service and thus open to any zero-day or unpatched exploit that someone can use against an MS server (running RDS and Exchange) via the open ports and services.

      1. Paul Crawford

        Re: I'm a computer security "expert".

        "So the question is more how do you make RDS access more secure?"

        Again, I'm no expert but I would start by looking for cheap-ish routers (i.e. affordable to a small business) like some DrayTek ones that support a VPN and at least you have another access layer before the world+dog can have a go at the server's remote log-in port. Not sure if they support using a certificate for VPN log-in but that at least gets away from piss-poor password choice.
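        An added example, not from the original article or from any commenter: before deciding whether a VPN layer is enough, it helps to know what an exposed RDS listener will actually negotiate with an anonymous client. The script below speaks the first step of MS-RDPBCGR (an X.224 Connection Request carrying RDP_NEG_REQ) and parses the server's Connection Confirm: a reply with no negotiation data, or one that selects PROTOCOL_RDP, means the box will still accept legacy "standard RDP security" (no TLS, no Network Level Authentication), while RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER means NLA is enforced before any session is created. The host, port and the server replies used for the offline run are constructed for the example.

```python
"""Probe an RDP listener's security negotiation (MS-RDPBCGR 2.2.1.1 / 2.2.1.2).
Added example; the sample server replies below are constructed, not captured."""
import socket
import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000      # legacy "standard RDP security": no TLS, no NLA
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes total)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: LI, CR code 0xE0, DST-REF, SRC-REF, class option, then negotiation data
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Parse the server's X.224 Connection Confirm and its optional rdpNegData."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length mismatch")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:5 + li]  # bytes after the fixed 6-byte CC header, inside LI
    if not body:
        # Pre-negotiation server: falls straight into standard RDP security
        return {"kind": "legacy_rdp", "selected": PROTOCOL_RDP}
    if len(body) < 8:
        raise ValueError("truncated rdpNegData")
    ntype, _flags, _nlen, value = struct.unpack("<BBHI", body[:8])
    if ntype == TYPE_RDP_NEG_RSP:
        return {"kind": "negotiated", "selected": value,
                "nla": bool(value & PROTOCOL_HYBRID),
                "tls": bool(value & (PROTOCOL_SSL | PROTOCOL_HYBRID))}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "code": value,
                "reason": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError(f"unexpected rdpNegData type {ntype:#x}")


def verdict(parsed: dict) -> str:
    """Turn a parsed reply to a PROTOCOL_RDP-only request into a one-line finding."""
    if parsed["kind"] == "failure":
        if parsed["code"] == 5:
            return "NLA enforced (CredSSP required before any session is created)"
        if parsed["code"] == 1:
            return "TLS enforced, NLA not required"
        return "negotiation failed: " + parsed["reason"]
    if parsed["selected"] == PROTOCOL_RDP:
        return "accepts standard RDP security: no TLS, no NLA; do not expose this port"
    return "negotiated protocol %#x" % parsed["selected"]


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Ask a live server whether it accepts plain RDP security (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        head = s.recv(4)
        if len(head) < 4:
            raise ValueError("short TPKT header")
        (total,) = struct.unpack(">H", head[2:4])
        rest = b""
        while len(rest) < total - 4:
            chunk = s.recv(total - 4 - len(rest))
            if not chunk:
                break
            rest += chunk
        return parse_connection_confirm(head + rest)


def sample_confirm(neg_type=None, value: int = 0) -> bytes:
    """Constructed server reply for offline runs (not captured traffic)."""
    neg = b"" if neg_type is None else struct.pack("<BBHI", neg_type, 0, 8, value)
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xD0, 0, 0x1234, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python rdp_probe.py <host>  (hypothetical file name)
        print(verdict(probe(sys.argv[1])))
    else:
        for name, pkt in [("legacy server", sample_confirm()),
                          ("NLA-only server", sample_confirm(TYPE_RDP_NEG_FAILURE, 5))]:
            print(f"{name}: {verdict(parse_connection_confirm(pkt))}")
```

        Run it from outside the perimeter: if the verdict is "accepts standard RDP security", the listener is reachable without TLS or NLA and any pre-authentication bug in the RDP stack is directly exposed, which is exactly the case a VPN in front of the server (or at minimum enforcing NLA) is meant to remove.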

    2. Tom Paine

      Re: I'm a computer security "expert".

      Does being a contractor or independent consultant make the angst of being a permanent Cassandra, doomed to see the future but never believed, more bearable than being stuck in the bowels of a corporate brontosaurus? I'm starting to wonder whether enduring this soul crushing life might be less psychically corrosive if I was being paid enough to, oh, say, buy a TV or a stereo, or run a car. (To be fair I'd be better off if I didn't live alone in rented accommodation in one of the most expensive parts of the country, for reasons beyond my control, but it's getting pretty tiresome seeing kids in their 30s living the high life...)

      1. Lotaresco

        Re: I'm a computer security "expert".

        "Does being a contractor or independent consultant make the angst of being a permanent Cassandra, doomed to see the future but never believed, more bearable than being stuck in the bowels of a corporate brontosaurus?"

        The ability to walk away helps and it's necessary to move on every couple of years to avoid IR35 nonsense. It also helps to have multiple simultaneous contracts and to substitute in other people from time to time. All of this comes with expanding one's network of contacts by a sort of osmosis and it's quite pleasant to have friends who are all in the same boat and willing to step in to help from time to time.

        I also live in a high rent area, buying a house (AIEEEE the mortgage payments!) and running a car - that's essential - and I rack up tens of thousands of miles a year chasing work. I've been doing this since 1992, so I guess I'm happy with it. Much happier than I was being a wage droid.

  5. Anonymous Coward

    the missing middle

    "companies with more than 100 staff ... companies with fewer than 99 employees"

    What happens to companies with 99 or 100 staff then?

    1. Anonymous Coward

      Re: the missing middle

      Science tells us that compromises of systems in companies of exactly 100 people are statistically non-existent. For this reason, companies of exactly 99 people will almost always acquire another employee.

  6. Tom Paine

    TomPaine's First Law of IT Fail: the bigger the organisation, the greater the proportion of the employees who will be time-serving deadwood only useful for keeping chairs warm and chewing space on the SAN by emailing 500MB Access databases to each other as backups.

    In the last couple of years I've come from a small team (under 20) of very clever, hard-working, diligent engineers who built and operate almost ten financial trading venues handling billions of dollars of trade a day in three years, to an org with a staff of 4000 where no-one knows how to update the DNS zone files, a portscan is considered a pentest, and the patching is so bad that during response to the Shadow Brokers we found multiple systems missing ten-year-old patches.

    (Incidentally, if anyone's looking for security manager for a lean, hungry, fast-growing org that doesn't hire cretins... )
