According to the latest Zurich SME Risk Index, almost one in six UK SMEs have fallen victim to cyber attacks in the past year, costing a fifth of victims over £10,000 and 1 in 10 over £50,000.
It’s clear no SME should gamble when it comes to cyber security, especially with the new GDPR regulation in force. Delaying action will put your business, your employees and your customers at risk.
It may seem like a challenging task but as Adam Louca, Chief Technologist – Security at Softcat explains, there are simple and affordable ways small businesses can strengthen their cyber defences.
1. Put the best cybersecurity measures in place
According to a survey by YouGov for Barclays Business Banking, more and more SMEs are being targeted by impostors trying to extract hard-earned cash from entrepreneurs: 44 percent of small and medium-sized enterprises have been targeted by criminals, and almost one in four have fallen victim to fraud.
Considering these findings, every small business owner, together with senior employees, should take a frank look at what data the company holds, who it belongs to, where it is stored and how well it is currently protected. This makes your exposure visible and gives you a clear starting point.
There are simple and proactive steps you can take to defend yourself. For example:
- Ensure all company devices are encrypted and can be remotely wiped if lost or stolen.
- Use cloud services to keep off-site backups of your data, and test that you can actually restore from them.
- Apply least privilege: give staff access only to the business data their role needs, with tighter controls around the most sensitive data.
- Check your systems are patched promptly and that anti-virus software is up to date.
2. Equip your staff
Ask any security professional what the biggest risk to your cyber defences is and they'll tell you the weakest link in the security chain is very often a company's own people.
Human error is one of the biggest contributors to successful attacks, and it can have a huge impact on SMEs.
This is because when you’re a small organisation, it’s usually the business itself that ends up having to cover the cost of security breaches, representing a lost investment in jobs, training and workplace equipment.
In fact, a rough calculation suggests that more than 50,000 people who work for SMEs have lost their jobs as a result of cyber security breaches.
It’s all very well making sure employees are on board with new security measures, but if they lack the skills they need to defend business systems and data, having buy-in is practically useless.
Inevitably, every business, no matter what its size, will have digital front-runners, followers and those who are slower to adapt. To cater to all three, regular training workshops hosted by in-house or outsourced experts are a must.
Techniques such as social engineering exploit people's trusting nature: attackers stage plausible real-life scenarios to manipulate staff into handing over confidential information voluntarily. The same applies to offline crime; physical protections like locks and alarms mean nothing if you trust the person at the front door.
Test how well your employees can put their cyber security skills into practice. For example, many companies now send simulated phishing emails to their own staff to see who clicks the links or opens the attachments, and who reports the message to the right person. Track the reporting rate as closely as the click rate: a quick report lets you pull the message from other inboxes before most people have opened it.
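The scoring a phishing exercise needs is small enough to show in full. The script below is an added example, not code from the article or from any simulation product: it takes the kind of event log such a tool records (mail delivered, link clicked, credentials entered, message reported) and turns it into the figures worth tracking, including who clicked after a colleague had already reported the mail, which is the group a purge-on-report process would have protected. The log lines and user names are constructed for illustration.

```python
"""Score a simulated phishing exercise from its event log (added example)."""
from datetime import datetime

# Constructed sample log for one campaign, one event per line: timestamp,user,event.
SAMPLE_LOG = """\
2023-05-02T09:00:00,alice,delivered
2023-05-02T09:00:00,bob,delivered
2023-05-02T09:00:00,carol,delivered
2023-05-02T09:00:00,dave,delivered
2023-05-02T09:00:00,erin,delivered
2023-05-02T09:03:10,bob,clicked
2023-05-02T09:04:30,carol,reported
2023-05-02T09:07:45,bob,reported
2023-05-02T09:15:00,dave,clicked
2023-05-02T09:20:00,dave,submitted_credentials
"""


def parse_log(text):
    """Parse 'timestamp,user,event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def score_campaign(events):
    """Summarise one campaign; rates are fractions of the mails delivered."""
    delivered, clicked, reported, submitted = set(), set(), set(), set()
    first_click = {}                 # user -> time of that user's first click
    sent_at = first_report = None
    for ts, user, event in sorted(events):
        if event == "delivered":
            delivered.add(user)
            sent_at = ts if sent_at is None else min(sent_at, ts)
        elif event == "clicked":
            clicked.add(user)
            first_click.setdefault(user, ts)
        elif event == "submitted_credentials":
            submitted.add(user)
        elif event == "reported":
            reported.add(user)
            first_report = ts if first_report is None else min(first_report, ts)
    if not delivered:
        raise ValueError("no delivery events in log")
    n = len(delivered)
    # Clicks made after someone had already reported the mail: with a
    # purge-on-report process these are the ones a fast responder prevents.
    preventable = sorted(u for u, t in first_click.items()
                         if first_report is not None and t > first_report)
    return {
        "delivered": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        "credential_rate": len(submitted) / n,
        "seconds_to_first_report": (None if first_report is None
                                    else int((first_report - sent_at).total_seconds())),
        "clicks_after_first_report": preventable,
        "needs_training": sorted(clicked | submitted),   # anyone who took the bait
        "reporters": sorted(reported),                   # the behaviour to reward
    }


if __name__ == "__main__":
    for key, value in score_campaign(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run as-is it reports a 40 percent click rate and a 40 percent report rate, a first report 270 seconds after delivery, and one click (dave's) that landed after carol had already flagged the mail. Feed it the export from whatever tool you use, and compare campaigns over time: the report rate rising and the time to first report falling are the signs the training is working.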
Ensure all staff, both those on-site and working remotely, are kept fully informed of any updated protocols. This helps to keep defences strong and promotes accountability. Having a clear reward and disciplinary process gives employees an extra push to make the right decisions when it matters.
3. Build customer trust
Research shows 60 percent of SMEs who were victims of cyber-attacks did not recover and shut down within 6 months.
While it's true a dent in reputation hurts a company of any size, large organisations generally have more resources to handle a crisis. They often have a large legal team and PR firms on hand for crisis communications.
Without such financial resources, SMEs often suffer more from bad press, and the loss of hard-won business and customers can have an even more catastrophic impact.
Loss of private data can also result in huge fines from authorities, which might be absorbed by a larger company, but devastate a smaller business.
There’s a long way to go when it comes to winning back customer trust, so it’s important to view them as an extension of your business from the start.
Take the time to get to know your customers, monitoring for abnormal behaviours or transactions and alert them quickly if you have any suspicions. If you’re wrong, they are unlikely to mind as it shows you care about their safety, as well as your own.
Transparency is important if the worst-case scenario does happen. Tell affected customers as soon as possible, giving the estimated date of the breach, a jargon-free summary of the incident, the nature of the data exposed and the measures you have taken to limit the damage. Remember that under GDPR a breach involving personal data must also be reported to the ICO within 72 hours of your becoming aware of it, unless it is unlikely to pose a risk to the people affected.
Another good thing to include is a list of actions they can take to mitigate any further damage (e.g. changing passwords and logins or installing software updates). If you follow the correct process, a breach is unlikely to cause lasting damage to your reputation.
Applying for the government-backed Cyber Essentials certification (costing around £300 + VAT) can also show your customers you are taking cyber security seriously.
4. Don’t forget your supply chain
The more parties involved in a digital supply chain, the greater the potential for cyber security risk. Sharing information with partners is essential, so the answer is not to hold back on outsourcing but to put the right systems and checks in place at every stage of a partnership.
Take the time to really understand your business relationships. Which vendors are using what data, how are they using it and what protections do they have in place?
Certification against ISO standards such as ISO 27001 demonstrates a managed approach to information security and provides a point of reference for the proper handling of data. When taking on new partners or contracts, find out whether they are certified and, if so, ask to see the certificate and check that its scope covers the service they provide to you.
Consider adding a contractual obligation to notify you promptly if a breach occurs, and a clause indemnifying you against loss caused by a security failure on their side.
Every supply chain risk management strategy should include regular third-party reviews. At the simplest this means sending out questionnaires to get written confirmation of security controls; for suppliers that handle your most sensitive data it should include a right to audit. In the worst case, you have a paper trail to prove you take security and GDPR requirements seriously.
Whether a business is large or small, if it holds valuable data, it could be a target. Security defences are no longer the property of big businesses with well-funded budgets; every SME needs to have a robust and proactive strategy in place for information security.