We are all used to the headlines where large organisations, such as banks, fall victim to cyber-attacks in which customers’ personal information is compromised and the cost to the organisation is substantial.
Less well publicised are attacks on smaller organisations. The lack of noise is surprising when you consider that 74 per cent of small businesses have suffered a cyber security breach, according to the PricewaterhouseCoopers 2015 Information Security Breaches Survey (up 60 per cent year-on-year), with four as the median number of breaches suffered by SMBs and an average cost of between £75k and £311k. Of those affected, 38 per cent suffered from viruses or malicious software while a further 16 per cent were hit by a denial of service attack.
While SMBs do not have vast resources to plough into cyber security, ensuring that they remain vigilant to an attack and improve their resilience should be a top priority. So where should you start?
An SMB’s employees should be at the centre of any cyber resilience strategy, not least because around 80-90 per cent of all incidents start with either a phishing and or social engineering attack i.e. someone opening a link or attachment contained in an email or unwittingly giving up a piece of sensitive information. This vulnerability can be limited through less expensive, more cost effective education and learning awareness programmes aimed at employees, so long as they are not implemented as a ‘tick-box exercise’ in terms of compliance. Make sure that awareness programmes are fun, engaging and relevant to the audience.
Education should also not just be focused on employees in operational, front line roles, but should begin at the top of the business in order to set the tone that cyber resilience is something that is taken seriously and supported so that initiatives can be successfully driven down. This approach allows management at the top to identify what the key weaknesses are in order to mitigate against staff actions that are likely to expose them and develop the correct training materials.
It is also important for SMBs to remember that our adversaries will always adapt and find new ways to breach security defences. It is therefore vital to maintain vigilance against attacks which will mean educating staff on new practices and ensuring refresher training is scheduled in regularly. Building cyber security training into induction packs for new starters can be a good starting point, but it must be backed up with regular, ongoing awareness on good cyber behaviours.
SMBs that collect customer data are at particular risk of attack. If that data is lost or stolen, you can be fined. In a worst case scenario, a company can be fined £0.5m, which is more than sufficient to put many small companies out of business or damage their reputation irrevocably – again, potentially jeopardising the business altogether. In addition, if your company is expanding – and will contain bigger and more lucrative companies in the supply chain – it becomes imperative to invest in cyber resilience as a “business as usual” activity. Smaller companies are often attacked because they offer an easy way into their much bigger and more lucrative suppliers and clients.
Finally, if you are considering cyber risk insurance, recognise that it’s very difficult to price and may not cover you for all eventualities. Equally, having cyber insurance doesn’t mean that you can forget the risks and carry on as normal.
In summary, there remains a dangerous myth that small businesses are immune to cyber-attacks. It does not always need large amounts of investment to effectively protect against an attack – employee education and awareness training will usually be more cost effective and useful than implementing costly systems that can be brought down by the actions of an uninformed employee. If your business is online – and regardless of whether your company is big or small – you’re a target for cyber attackers. Choosing whether or not to spend money on cyber resilience is no longer a choice.
Mark Logsdon is cyber resilience expert at best practice solutions firm AXELOS