Research published this month has found that many small firms are still not doing enough to protect themselves. The survey by Barclaycard of over 250 small businesses found that just one in five rank cyber-security as a top business priority, despite previous government research having found that the average cyber-attack on a small business costs between £75,000 and £311,000, including lost sales, business disruption and compensation pay outs.
The myth that small and medium-sized businesses don't face a threat couldn't be further from the truth. For a hacker, small and medium sized organisations are seen as easier targets as they believe less is being done to protect data. This data might be information about clients, customer details, bank details or it might be as a way into one of your customers' systems where you are linked through e-commerce, by email or in some other way.
A 2015 HM Government report confirmed that 74 percent of small and medium-sized enterprises reported a security breach. However, only seven percent of small businesses expect information security spend to increase in the next year.
Not all threats are external. In fact, many cyber-related losses suffered by UK SMEs come from within, for example, when employees deliberately misuse data. Sometimes the damage is unintentional, for example, when an employee accidentally corrupts valuable data.
Ransomware affects both SMEs and individuals alike. Hackers are intelligent – they do not ask for millions from their victims but instead ask for a sum of money that is significant but acceptable to most people. Arguably, it might be easier to target many SMEs and demand relatively small payments, than target a large conglomerate and ask for a huge bounty.
The weak point is the user who clicks on links in emails or opens attachments. This is when the vicious circle beings. Before paying the ransom to get back to “normal” operations, just remember there are many gangs out there who will share your information. The evidence that you are willing to pay will quickly be passed around to other similar groups.
Brexit or no Brexit, the issue of cyber-security for small businesses is made even more pressing by new European regulations aimed at protecting customer data. The EU's new General Data Protection Regulation will come into force in 2018 and could result in companies being fined up to €20 million or four percent of their annual turnover, whichever is greater, for allowing any security breaches to compromise their customer data.
Taking all of this into consideration, what are some basic steps that SMEs can take to better protect themselves?
Keep software updated: Download software and app updates as soon as they appear. They contain vital security upgrades that keep your devices and business information safe. Many instances of hacking have relied on businesses not staying updated with software patches.
Make passwords stronger: Use strong passwords made up of at least three random words. Using lower and upper case letters, numbers and symbols will make your passwords even stronger. You could also consider using a password generator. Why not develop a company policy on strong password practices?
Be vigilant with emails: Delete suspicious emails as they may contain fraudulent requests for information or links to viruses. Unsolicited emails often contain attachments or hyperlinks (particularly shortened links); many phishing attacks attempt to trick you into opening a file loaded with malware or to visit a site which runs malicious scripts on your computer
Install anti-virus software: Your computers, tablets and smartphones can easily become infected by small pieces of software known as viruses or malware. Install Internet security software like anti-virus on all your devices to help prevent infection. Don't settle for free or ‘lite' versions but go professional; spend a little bit of money, it's a wise investment.
Train your staff: Make your staff aware of cyber-security threats and how to deal with them. For example, The Government offers free online training courses tailored for you and your staff that take around 60 minutes to complete. You can encourage staff by holding learning sessions – lunch and learn for instance. Most security issues are based on ignorance, not malicious intent. Assume staff don't know all the answers and give them an environment to learn.”
Manage administrator privileges carefully: Avoid using an account with administrative privileges for normal day-to-day activities and web browsing. Accounts with lower privileges warn you if a programme tries to install software or modify computer settings thus allowing you to decide whether the proposed action is safe.
Don't store credit card data on servers: Into e-commerce? Consider using somebody like PayPal to handle payment processing and avoid the need to access customer's credit card details. Let your servers work for other parts of the business and let somebody else deal with the financial transactions.
Contributed by Andy Taylor, lead assessor, APMG International