High Street retailer WH Smith is the latest victim in a wave of cyber-attacks on UK businesses. Hackers managed to gain access to employees’ personal data, potentially including names, addresses, National Insurance numbers and dates of birth.
“WH Smith takes the issue of cyber-security extremely seriously and investigations into the incident are ongoing,” said the stationery chain. “We are notifying all affected colleagues and have put measures in place to support them.”
Several big businesses have been targeted by hackers in recent months, including Royal Mail, sportswear chain JD Sports and car dealer Arnold Clark. Meanwhile, cyber-crime is estimated to cost the UK an eye-watering £27bn a year – and the threat is rapidly rising.
But it’s not just big businesses like these that are vulnerable. Cyber expert Andrew James tells the Business Cyber Centre that smaller firms are even more at risk.
“SME owners often think cyber-crime won’t happen to them,” says Andrew, who is head of business development at IT support firm Mintivo. “They think it affects large corporations, but actually they are even more at risk. It’s not a case of if a cyber-attack happens, it’s a case of when. Every business will suffer some kind of a data leak or attack at some point.”
Andrew adds that for a company to protect itself and grow, robust cyber-security is essential. Data breaches – like the recent one at WH Smith – can be devastating for a smaller firm. With the potential for fines, disruption to day-to-day activities and even reputational damage, they can even put an SME out of business.
“Data is big business for cyber-criminals,” explains Andrew. “Stolen employee information is often sold on the dark web, and it can then be used to commit identification fraud. The dark web economy is huge and sadly, SMEs are often more of a target for hackers. This is partly because their data may be easier to get at. If they are in a supply chain, they may also have links with bigger organisations and offer a route of entry to them.”
One positive message to come from the incident at WH Smith is that it hasn’t affected trading or its website. “There has been no impact on the trading activities of the group,” said the retailer. “Our website, customer accounts and underlying customer databases are on separate systems that are unaffected by this incident.”
Indeed, this highlights precisely why it’s so important to segment your network. In the event of a cyber-attack, it limits the potential for damage – a little like shutting the fire doors in a building slows the spread of the flames.
“Employees don’t generally need access to all the data in your system,” says Andrew. “In every business, it’s vital to think about who requires access to what information. Once you’ve established this, you need to segment the system down. For example, you ensure that people in finance only have access to finance information, and not marketing data. That way, if finance is hacked, criminals can only access a limited amount of information.”
Andrew adds, “Every business should have the right security controls to protect it from hackers. It’s about investing in the right systems and resources, thinking about your data – and about how it’s backed up.
“IT and Cyber-security are often seen as a costly hassle or frustration, but they shouldn’t be an afterthought. After all, this is what keeps your business online, drives efficiency and protects the data that’s created as you grow.”