Why Cyber Security is important for small businesses

Cyber Security – a business necessity, not just a nice-to-have

As technology offers small and medium enterprises (SMEs) so many more opportunities, so does it bring increasing and new cyber risks. For SMEs, the prospects in a digital world and the technical advances available are immense, but many severely underestimate cyber security vulnerabilities and the inevitable cyber threats, that can often lead to down-time, financial loss and even closure of businesses. From state-backed hackers and financially-motivated cyber criminals to simple negligence and unintended mistakes, cyber crime and security breaches come in many guises and the risks are greater than ever before.

Many SMEs may think they are too small to be attacked or that their business is too insignificant to be of any interest to cyber criminals. But cyber attacks are no different to a business premises being broken into by a thief for its petty cash tin – it can happen to any size business. SMEs can actually be particularly appealing to hackers. Because of their size, SMEs often lack the resources needed – technology, staff training, specialist knowledge – that provides the security needed. As a result, hackers find them easy targets.

It’s also worth noting that ‘WannaCry’, one of the most damaging hacks in 2017, was a random and untargeted attack. Businesses of all sizes fell victim because they’d failed to install up to date security patches, many smaller organisations were particularly vulnerable because they had older, unpatched systems.

According to the National Cyber Security Centre (NCSC):

“There’s approximately a one in two chance if you’re an SME that you’ll experience a security breach at some point.”

The key difference between a large corporate business and SME is that a cyber attack can cause severe disruption to a small business with devastating impact on daily operations and financial damage to the point that some businesses find they are unable to recover at all.

Compromised networks, data loss and regulatory fines

Since the introduction of GDPR, small businesses now have the same level of responsibility as large organisations to protect sensitive data they hold or process, but the risk of non-compliance (fines imposed) by an SME can potentially force its closure. Research conducted by the National Cyber Security Alliance revealed that 60 percent of hacked small and medium-sized organisations go out of business after six months.

Reputational damage

It’s not just regulatory fines that can prove costly to a business, data breaches can often cost a business through the loss of confidence from its customers, partners and suppliers. This is an indirect financial cost that, although may be harder to calculate, can be just as damaging with loss of business through the demise of customer, partner and supplier trust and damage to brand reputation. Having a reputation for poor cyber security can diminish new prospect and contract opportunities.

According to Gartner: 

“By 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships.”

This means security credentials will be checked by potential partners and prospective customers before they consider working with a business.

What can be done

As SMEs face increasing pressure to prove their cyber security credentials and mitigate the high-cost risks of not safeguarding their business, a proactive approach towards cyber security means SMEs can take control of their networks and data. By attaining accreditation with a certification from the government-backed Cyber Essentials scheme, SMEs demonstrate to customers and prospects the measures they have taken to address cyber security and protect themselves.

The standard Cyber Essentials certification is the ‘first step’, helping businesses implement security; this self-assessment certification provides guidance on the cyber security fundamentals a business needs to have in place to be certified and certification bodies like Logically Secure not only checks the assessment, but helps and supports the business every step of the way in achieving its Cyber Essentials certification. 

Cyber Essentials Plus is the next step, and whilst it has the same simplicity of approach and protection requirements as the standard Cyber Essentials, it has an added hands-on technical verification carried out by certification bodies, which provides a greater understanding to the certification body and subsequently enables it to give more in-depth support and bespoke advice.

No security strategy can stop 100% of attacks, however the aim of the Cyber Essentials scheme is to raise the bar to entry, to your network and to allow you to demonstrate that effort to your customers. By passing a Cyber Essentials assessment, organisations are awarded a certificate and the permission to use appropriate logos on their website and various promotional medium.

The NCSC (National Cyber Security Centre) have determined that the majority of attacks come from exploiting basic weaknesses in IT systems and software, which could’ve been easy to defend against if the basic cyber security measures had been put in place.

Cyber Essentials covers the 5 key areas for basic ‘cyber resilience’:

  • Use a firewall to secure your internet connection
  • Choose the most secure settings for your devices and software
  • Control who has access to your data and services
  • Protect yourself from viruses and other malware
  • Keep your devices and software up to date

SMEs actually have an advantage over larger companies – their agility, which means they can adapt quickly, enabling them to be flexible and adjust to changes fast, whereas as large corporate organisation tend to have red tape and complex internal politics slowing them down and preventing quick change.

Develop a cyber security policy (if you don’t have one already!)

Cyber criminals are continually advancing their methods of attack, but a lack of employee awareness is a key vulnerability attackers still home-in on. 90% of cyber-related incidents are caused not necessarily by a lack of basic IT measures, but because of user interaction ie. employees’ lack of cyber security awareness.

Scoping

Any business needs to have a cyber security policy in place. All employees, current and new, then need to have sight of the policy and receive regular training. Training needs to be at an appropriate level for the varying departments. For example, an IT department will be more involved in the implementation of policies and cyber security and therefore should receive more in-depth training. Whereas office staff will need to understand good cyber hygiene and what risks they need to be aware of e.g. phishing emails, invoice scams, bogus boss emails etc.

Dealing with a cyber breach

As well as a cyber security policy, SMEs need to have an incident response and management plan in place. Whilst seeking to prevent cyber incidents is key, being prepared for a cyber breach is vital to how well and quickly a business is able to recover.

Cyber crime recovery potentially involves many steps, from identifying and containing the incident to fixing, recovering and learning from the event. This could involve a number of IT specialists or external technical services, potentially PR and legal specialists and a need to collate files and evidence and share sensitive data.

A case management tool is critical to any incident response and having the IR platform, CyberCPR, enables not only the collection and collation of data and gathering of evidence in a secure storage place; but it also provides the ability to communicate and share information on a need-to-know basis through a platform that is independent of any breached network.

Next steps

The NCSC offer great advice to businesses of all sizes, but has dedicated best practice information for SMEs. Along with its partnership with IASME to facilitate the Cyber Essentials Certification scheme, this is a solid place for any SME to start its first steps into cyber security and protecting its business.

Being prepared by having an incident response platform like CyberCPR in place provides a simple-to-use but effective case management tool, independent of a business’s network, and crucially features an area to record and store historical data that can be used as evidence and for analysis to learn from.

Finally, though none-the-less important, ensuring all staff are cyber-aware and trained needs to be factored in by any business. The NCSC also offer guidance on this within its ‘Small Business Guide’.

With the ever-increasing threat, of cyber security attacks, now is the time to protect your business against cyber crime and prepare for the inevitable.