Invest in the right tools and processes
Faced with determined cyber-crooks, firms should have a robust defence strategy in place. But according to the Federation of Small Businesses (FSB), only one in five actually treat cybercrime as a priority. “The primary problem is that many small and medium-sized enterprises don’t have a dedicated IT department to work on the constantly changing cybersecurity environment,” says Mike Cherry, FSB national chairman.
In the absence of such expertise, small businesses should seek external advice on the nature of the threats they face and the cybersecurity solutions they should procure.
According to recent research from IT and networking giant Cisco, the most common breaches small businesses face are targeted attacks against employees (think well-crafted phishing emails), advanced malware and ransomware, where malware encrypts important data and holds it hostage until the victim pays to have it unlocked, with no guarantee that paying actually works.
Most of these attacks begin with an unsolicited email, so firms should take two basic steps. The first is to turn on multifactor authentication, so that a password harvested by a phishing page is not on its own enough to get into an account. The second is to keep software up to date, be it email gateways, apps, operating systems or browsers, so that malware cannot exploit flaws that have already been patched.
Training is key
Equally important is that all staff within an organisation receive cybersecurity training. Most cyberattacks begin with human error, whether through using weak passwords, failing to spot a dodgy link in an email or protecting data inadequately.
For example, firms should warn staff never to wire money to strangers or on the strength of an email alone, and introduce strict protocols that require a senior manager to authorise any such transfer, ideally confirmed by phone on a number already on file rather than one supplied in the message. Employees should also be in the habit of checking whether a sender’s actual email address matches the person the message claims to be from: a message can show the chief executive’s name in the sender field and carry her signature while actually coming from a free webmail account or a look-alike domain.
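The sender-versus-signatory check described above can be automated at the mail gateway or in a mailbox rule. The script below is an added example written for this page, not code from the article or from any vendor named in it; the domains, staff names and the two messages are constructed for the demonstration. It parses a raw email, reads who the message claims to be from (the display name and the name under the sign-off), and flags three things a careful employee would look for: a colleague’s name on mail that did not come from the company’s own domain, a signature naming someone who appears nowhere in the From header, and a Reply-To that would route answers to a different domain.

```python
"""Flag emails whose From header does not line up with who the message claims to be from.

Added example for illustration only. All domains, names and messages are constructed.
"""
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Closing words that usually sit directly above the signatory's name.
SIGN_OFFS = {"thanks", "thank you", "many thanks", "regards", "kind regards",
             "best regards", "best", "cheers", "sincerely"}


def _domain(address):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _signatory(text):
    """Name on the first non-blank line after a sign-off, or '' if no sign-off is found."""
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        if line.rstrip(",.!").lower() in SIGN_OFFS:
            for candidate in lines[i + 1:]:
                if candidate:
                    return candidate
    return ""


def check_sender(raw_message, trusted_domains, staff_names):
    """Return a list of (code, detail) warnings for one RFC 5322 message.

    trusted_domains: domains the organisation really sends mail from (assumed input).
    staff_names: display names an attacker might impersonate (assumed input).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    display_name = display_name.strip()
    local_part = address.split("@", 1)[0].lower()
    from_domain = _domain(address)

    body = msg.get_body(preferencelist=("plain",))
    signatory = _signatory(body.get_content() if body else "")

    staff = {name.lower() for name in staff_names}
    trusted = {d.lower() for d in trusted_domains}
    warnings = []

    # 1. The message claims, in the display name or the signature, to come from a
    #    colleague, but the actual address is outside the organisation.
    claimed = {display_name.lower(), signatory.lower()} - {""}
    if claimed & staff and from_domain not in trusted:
        warnings.append(("colleague-from-outside",
                         f"'{display_name or signatory}' but sent from <{address}>"))

    # 2. The signature names someone who appears nowhere in the From header.
    if signatory and display_name:
        tokens = [t for t in signatory.lower().split() if len(t) > 1]
        if not any(t in display_name.lower() or t in local_part for t in tokens):
            warnings.append(("signatory-mismatch",
                             f"signed '{signatory}' but From is '{display_name}' <{address}>"))

    # 3. Replies would go to a different domain from the one the mail came from.
    reply_headers = [str(h) for h in msg.get_all("Reply-To", [])]
    for _, reply_to in getaddresses(reply_headers):
        if reply_to and _domain(reply_to) != from_domain:
            warnings.append(("reply-to-mismatch",
                             f"Reply-To <{reply_to}> differs from From domain '{from_domain}'"))
    return warnings


# Constructed sample: a CEO-impersonation payment request from a look-alike webmail domain.
PHISH = """\
From: Jane Smith <jane.smith.ceo@outlook-mail.example>
Reply-To: ceo.urgent@fastmail.example
To: accounts@acme.example
Subject: Urgent supplier payment

Hi,

Please wire GBP 14,800 to the new supplier account today. I am in
meetings all day, so just confirm by reply when it is done.

Thanks,
Jane Smith
Chief Executive, Acme Ltd
"""

# Constructed sample: the same person writing from the company's real domain.
LEGIT = """\
From: Jane Smith <jane.smith@acme.example>
To: accounts@acme.example
Subject: Supplier invoice 2231

Hi,

The invoice from the usual supplier checks out, please pay it on the
normal schedule.

Regards,
Jane Smith
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_sender(raw, {"acme.example"}, {"Jane Smith"}))
```

Run as a script it prints two warnings for the constructed phishing message and none for the legitimate one. The checks are heuristics, not proof: a compromised genuine mailbox passes all three, which is why the authorisation protocol above still matters for any payment request.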
“It’s about a mindset, making sure it is part of the leadership culture,” says Dominic Trott, associate research director at International Data Corporation (IDC). “Employees tend to get it when you explain that if we don’t keep up with digital market dynamics, we could fall behind and potentially go out of business.”
There are many training resources, free and paid for, to help smaller firms strengthen their processes. Take the UK government’s Cyber Essentials scheme, which sets out five fundamental security controls (boundary firewalls, secure configuration, access control, malware protection and patch management) to help defend against common internet-borne threats; the government says these controls protect against around 80 per cent of common cyberattacks.
Meanwhile, insurers often offer more specialised training courses that, if completed by all members of staff, will lower the cost of the firm’s cyber-insurance policy.
Solutions don’t have to cost the earth
According to a poll from YouGov and Duo Security, a vendor of cloud-based two-factor authentication services and now part of Cisco, 47 per cent of small business owners consider cybersecurity to be too expensive. But Mr Trott says most businesses do not need to go for “Rolls-Royce” options to stay safe.
Incremental change is better than no change. In short, you should not let a desire to be perfect in your security approach get in the way of becoming better. Perfect, as in all things, does not exist.
Mr Trott also disputes the idea that cyberdefences will hinder a nimble small business from “finding new business opportunities and competing against the big fish”.
If anything, the fallout from a major cyberattack will be a much bigger drag on company growth, he says. And firms are misguided if they think tightening defences will kill their entrepreneurial spark.
Stephen Ridley, lead cyber-underwriter at insurer Hiscox, agrees and notes there is no need to abandon informal methods of working, such as using personal phones and tablets to send sensitive customer data or letting staff communicate for business via messaging apps. Clearly such practices can increase a company’s exposure to breaches, but they also cut costs and allow small businesses to do business in a way that suits them. The sensible middle ground is to keep the devices but not leave them unprotected: a screen lock, device encryption and the ability to wipe a lost phone remotely cost little and cover the most likely failure, a handset left in a taxi.
“You don’t need to banish these platforms. Employees just need to be conscious of the data they are sending on them,” says Mr Ridley.
Invest in a good cyber-insurance policy
With the cyber-threat evolving at breakneck speed, it is impossible to rule out the possibility of an attack, so small businesses need a good response plan in place, agreed before an incident rather than improvised during one, to minimise any damage caused.
The first consideration is reputational. If data is stolen, customers and regulators need to be told in a timely way and to know the company is doing all it can to rectify the situation. Otherwise trust will be damaged, potentially irreparably.
As for any financial losses, it is essential small businesses have good insurance in place, although Mr Ridley says the vast majority don’t bother, which leaves them exposed. A recent UK government survey estimated the average cost of a small business’s worst cyberattack at between £65,000 and £115,000. And contrary to common belief, such losses are not always reimbursed.
It’s not only a breach that costs a company money, Mr Ridley adds. It’s also the increasing cost of compliance under the European Union’s tough new General Data Protection Regulation. For instance, if a hacker gains access to a staff member’s email account, they may also have obtained access to a huge amount of personal customer data. That is a personal data breach the small business must report to the Information Commissioner’s Office, within 72 hours of becoming aware of it where the breach is likely to put people at risk, and it must be able to say whose data was affected and how.
“That means getting lawyers involved, undertaking more of an investigation to see what was compromised,” Mr Ridley explains.
Firms with insurance policies will be protected from the brunt of this, but those without policies will have to deal with the administration themselves, making the cost of addressing the incident far higher. “It adds a massive layer of complexity,” Mr Ridley says.
Integrate new technologies carefully
New technologies including cloud computing, mobile working and data analytics have been a boon for small businesses, allowing them to streamline processes and automate administration affordably.
But small firms considering new security tools should check that they integrate with what they already run, because the seams between poorly connected products are where attacks slip through. Third parties are a risk in their own right: according to the Ponemon Institute, 59 per cent of companies have experienced a data breach caused by one of their vendors or third parties, and in a survey last year by Cisco, organisations that had to manage more security vendors actually became less secure as a result, because a multi-vendor environment is complex to manage and attacks get through the gaps.
Small businesses should ask whether the cybersecurity tools they are buying are built with openness in mind and whether they integrate well with others in sharing data and threat intelligence. They should also consider whether they will have to do considerable API (application programming interface) work to make them gel with their existing enterprise software.
A recent report from the UK government’s Cyber Streetwise campaign and KPMG found that 89 per cent of small businesses that suffered a cyberattack felt the breach affected their reputation, 30 per cent reported a loss of clients and a quarter were unable to grow in line with previous forecasts.
However, Mr Ridley and Mr Trott say they have seen a step change in attitude from small businesses over the last two years as many wake up to the risks. IDC data for Europe, for example, shows that spending on cybersecurity is growing roughly as fast at small businesses as it is at big companies, at just over 6 per cent.
Mr Trott thinks small businesses are not as ill-informed as some suggest; the key is making sure the laggards pull their socks up. “I am relatively optimistic. There are always those at the start of the journey rather than the end, but I think we are seeing small business take a more aggressive stance,” he concludes.