Cyber security is a critical issue for all businesses. However, unlike large organisations, small businesses often lack the resources (physical, human and financial) to cope with the challenge of becoming cyber secure. Instead, most of their attention goes to commercial activities and winning new customers, so emerging business risks are neglected, and in the modern world that increasingly means cyber risks.
Small businesses are getting hit hard
Just like large organisations, small businesses rely heavily on technology and the Internet to perform their operations, which makes them vulnerable to cyber attacks and data breaches.
Cyber criminals are prolific and they are also indiscriminate. Today, it’s easier than ever to gain access to automated hacking tools, which means that everyone is a potential victim. But while a data breach can seriously damage the reputation of a large organisation and harm it financially, it can completely ruin a small business that is unable to meet the financial consequences that will inevitably follow.
Evidence suggests that small businesses are getting hit hard. According to PwC's 2015 Information Security Breaches Survey (ISBS), 74% of small organisations in the UK reported a security breach in 2015, up from 60% in 2014. Moreover, the average cost of a small business's worst breach of the year was £75k–£311k, up from £65k–£115k a year earlier.
With these statistics in mind, it is easy to see why small businesses urgently need to invest in cyber security, whether they like it or not.
Getting the basics right
If you are a small business, accepting that you are also a target of cyber criminals is the first important step towards cyber security.
The second step is to ensure that you are protected against basic cyber attacks. Small firms are not expected to have in-house cyber security experts, but they can turn to security firms for help and other support services.
Small businesses will benefit from a Cyber Health Check to help them identify their actual cyber risks, audit the effectiveness of their responses to those risks, and create a prioritised action plan for managing those risks in line with their business objectives.
10 Steps to Cyber Security
In its 10 Steps to Cyber Security framework, the UK Government identified 10 security areas that businesses need to review to protect themselves against the majority of cyber threats. They are presented in the infographic below:
Taking its cyber security strategy further, the UK Government introduced the Cyber Essentials scheme, which provides guidance on implementing critical security controls as well as a way of demonstrating to clients and stakeholders that an organisation has those baseline controls in place.
Although the scheme is applicable to small and large organisations alike, it particularly benefits small businesses as achieving certification is both simple and affordable.
According to the scheme, the critical cyber security controls organisations need to implement are:
- Secure configuration – apply security settings when building and installing computers and network devices, removing unnecessary functionality and default accounts, so that fewer vulnerabilities are exposed.
- Boundary firewalls and Internet gateways – provide a basic level of protection where an organisation connects to the Internet.
- Access control and administrative privilege management – grant special access privileges only to authorised individuals, and give every user the minimum level of access to applications, computers and networks that their role requires.
- Patch management – keep the software used on computers and network devices up to date so that it resists low-level cyber attacks.
- Malware protection – install malware protection software and keep it regularly updated.
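The five control areas above are stated at policy level; the following is an added example (not code from the original page, IT Governance or the Cyber Essentials scheme) that turns them into concrete, checkable conditions over a constructed host inventory. The inventory format, the account and service names, the list of default credentials and the "stale signature" threshold are all assumptions for illustration; the 14-day window for applying critical and high-severity patches is taken from the scheme's published requirements rather than from this page.

```python
"""Added, constructed example: audit a small host inventory against the five
Cyber Essentials control areas. None of this is the scheme's own tooling."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: the scheme's requirements document asks for critical/high
# severity updates to be applied within 14 days of release.
PATCH_WINDOW_DAYS = 14
# Assumption for this example: anti-malware signatures older than a week are stale.
SIGNATURE_MAX_AGE_DAYS = 7
# Constructed list of vendor default credentials (secure-configuration check).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}
# Constructed list of services that should never face the Internet (firewall check).
RISKY_BOUNDARY_SERVICES = {"telnet", "smb", "rdp"}


@dataclass
class Account:
    username: str
    password: str
    is_admin: bool


@dataclass
class Host:
    name: str
    firewall_enabled: bool
    boundary_services: list[str]              # services reachable from the Internet
    accounts: list[Account]
    pending_patches: list[tuple[str, date]]   # (severity, vendor release date)
    antimalware_installed: bool
    signature_date: date | None


def check_host(host: Host, today: date) -> list[tuple[str, str]]:
    """Return (control, finding) pairs in control order; empty means no failures."""
    findings: list[tuple[str, str]] = []

    # Boundary firewalls and Internet gateways
    if not host.firewall_enabled:
        findings.append(("firewall", "host firewall disabled"))
    for svc in host.boundary_services:
        if svc in RISKY_BOUNDARY_SERVICES:
            findings.append(("firewall", f"{svc} exposed at the Internet boundary"))

    # Secure configuration: no vendor default credentials left in place
    for acct in host.accounts:
        if (acct.username, acct.password) in DEFAULT_CREDENTIALS:
            findings.append(("secure-config", f"default credential on account {acct.username}"))

    # Access control: administrative rights only where they are actually needed
    admins = [a.username for a in host.accounts if a.is_admin]
    if len(admins) > 1:
        findings.append(("access-control", f"{len(admins)} admin accounts: {', '.join(admins)}"))

    # Patch management: critical/high updates applied inside the window
    for severity, released in host.pending_patches:
        age = (today - released).days
        if severity in {"critical", "high"} and age > PATCH_WINDOW_DAYS:
            findings.append(("patching", f"{severity} patch outstanding for {age} days"))

    # Malware protection: installed and kept up to date
    if not host.antimalware_installed:
        findings.append(("malware", "no anti-malware software installed"))
    elif host.signature_date is None or (today - host.signature_date).days > SIGNATURE_MAX_AGE_DAYS:
        findings.append(("malware", "anti-malware signatures are stale"))

    return findings


def audit(hosts: list[Host], today: date) -> dict[str, list[tuple[str, str]]]:
    """Run every host through check_host and key the findings by host name."""
    return {h.name: check_host(h, today) for h in hosts}


TODAY = date(2015, 9, 1)  # constructed audit date
SAMPLE_HOSTS = [  # constructed inventory: one compliant workstation, one neglected router
    Host("office-pc-01", True, ["https"],
         [Account("alice", "correct-horse-battery", False), Account("it-admin", "8f!Qz2#pLm", True)],
         [("critical", TODAY - timedelta(days=5))], True, TODAY - timedelta(days=1)),
    Host("old-router", False, ["telnet", "https"],
         [Account("admin", "admin", True), Account("bob", "summer2015", True)],
         [("high", TODAY - timedelta(days=40))], False, None),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HOSTS, TODAY).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for control, message in findings:
            print(f"  [{control}] {message}")
```

Running the script reports the workstation as passing and lists six findings for the router, one or more under each of the five control areas. The point of expressing the controls this way is that each becomes a yes/no question with a threshold a small business can actually measure, which is also how a Cyber Essentials self-assessment questionnaire frames them.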
If you are looking to achieve certification to Cyber Essentials but don’t have the internal knowledge or expertise, take advantage of IT Governance’s Cyber Essentials – Get A Lot Of Help package, which includes one day of on-site consultancy and the Cyber Essentials Documentation Toolkit, as well as the required CREST-approved vulnerability scans and certification.