Hackers target 30,000 SME websites per day to spread malware

Small business websites have overtaken porn and gambling sites as cyber criminals' malware distribution tools of choice, according to Sophos director of technology James Lyne, who said the lack of skilled professionals to tackle this issue is leaving the UK wide open to attack.
Lyne (pictured left) told V3 the number of hijacked SMB sites being unwillingly used by criminals to spread malware has risen exponentially in 2013. "Interestingly, we're seeing about 30,000 new infected websites per day," he said.
"What's interesting about those web-based infections is that over 80 percent of them are actually small businesses – not porn sites, not gambling sites or any of the scarier types – but legitimate small businesses' websites that have been hacked."
Lyne highlighted a recent Home Office report revealing that SMEs spend as little as £200 per year on cyber security as a key reason for the pandemic, claiming even basic security measures could stop hackers in their tracks. "A lot of the time its an SQL injection that comes about because of poor security coding practices," he said.
The Sophos director added that criminals' tenacity is already causing massive damage to the UK economy. "Undeniably, billions of pounds a year are being lost and the majority of that falls to cuts to small businesses," he said, and predicted that the situation would get worse. "We're hitting about 250,000 new pieces of malicious code a day, which is a lot. By the end of the year I expect we'll hit the 300,000 mark," he said.
Despite the scale of the issue, Lyne said throwing money at the problem is not the answer. "Yes you could increase spending to get more security technology in but I advocate a different path, which is raising skills and awareness. This is because, while technology is critical to good security, it's useless if you don't have people with the skills to deploy it and if you don't have staff members who know what they should and should not click on."
Lyne said to truly solve the problem the UK government needs to increase the importance of cyber security in education. "We need general awareness, like the health and safety or sex education campaigns in school. We need that basic societal understanding about how to be good net citizens and we are not doing a good enough job of that," he said.
He added that as well as teaching children cyber best practice tips, the government must also work to increase the number of young people training to become cyber security professionals.
"We need cyber security and the security profession to be recognised like English, maths or science. It's a big statement, but given the state of the gap and the importance of these skills to our society across the board and our economy I don't think it's unreasonable," he said.
Lyne highlighted the ongoing shortage of skilled cyber security professionals as proof of his claim. "We have a huge problem as if you actually go and search for Infosec roles, you'll find most of them demand a minimum of at least two-to-three years experience and many five plus. We have this chicken and egg problem where everyone's looking for experienced people, but there aren't experienced people, just plenty of people who would like to get into it and can't, so its a self-perpetuating cycle," he said.
The Sophos director is one of many to highlight the UK's cyber skills gap as a key problem facing the country. The UK government spending watchdog the National Audit Office (NAO) released a report claiming the skills gap would last 20 years and would cost the nation £27bn a year.