If you’re an SME, cyber security might seem impossibly complex and filled with endless pitfalls.
But although there’s a lot at stake – with ineffective security measures potentially threatening your productivity, your bank accounts, and your employees’ and third parties’ personal data – the path to effective security needn’t be difficult.
In this blog, we explain everything that small business owners need to know about protecting their organisations and reducing the risk of security breaches.
Why cyber security presents unique risks for SMEs
The difficulties that small businesses face when addressing cyber risks can be separated into financial costs and their ability to gain expert advice.
When we talk about ‘cost’, there are several issues at play. First, there is the fact that many small and medium-sized enterprises lack the budget to invest in comprehensive defences.
Second, there are the costs that organisations occur as a result of a security incident. We’ll talk about the specific financial effects of this in more detail below, but it’s worth noting that the first issue clearly affects the other.
If an SME is reluctant to invest in in cyber security practices, it is more likely to fall victim and will experience exponentially larger costs as a result. In some cases, the damage will be insurmountable.
You cannot cut corners when it comes to cyber threats. However tight your budget, you must find a way to address cyber security.
That brings us on to the second difficulty that you face: gaining expert advice. The demand for cyber security professionals far outweighs supply, with one report claiming that there will be 3.5 million unfilled jobs in the industry by 2021.
Those with the necessary skills can therefore command a much larger salary, meaning small organisations are being priced out of the market.
SMEs’ best course of action is to look internally – offering existing employees the opportunity to move into a career in cyber security.
Those in an IT background are particularly suited to this career switch, because – although technology only encompasses one aspect of information security – there is a large overlap.
Why SMEs can’t ignore cyber security
Let’s now take a closer look at the repercussions that small organisations face if they don’t properly address cyber security.
- Business disruption
The first problem that you’ll run into is business disruption. An attack on your systems may paralyse your network or force you to close off parts of your business to make sure cyber criminals can no longer access your data.
In the time it takes you to investigate the cause of the breach and to get your systems back online, you will be unable to perform certain operations and are likely to experience a loss of production.
- Remedial costs and regulatory fines
Getting up and running again is only your first obstacle. If the incident was serious enough, you will need to contact affected customers as well as your data protection supervisory authority, which in the UK is the ICO (Information Commissioner’s Office).
Notifying customers alone can be an expensive and time-consuming endeavour.
You may have to set up helpdesks so that those affected can get in contact to learn more, or offer complementary credit checks.
In addition to this, the ICO may well decide that the incident was a result of a GDPR (General Data Protection Regulation) violation, in which case you are liable to receive a financial penalty and face legal action.
- Reputational damage
Finally, the incident might result in long-term reputational damage. It can be hard for organisations to retain customers’ trust – and that’s particularly true for small organisations – so you may experience significant customer churn.
According to CISO’s Benchmark Report 2020, a third of organisations said they experienced reputational damage as a result of a data breach.
Want to know more about keeping your organisation safe?
Download our free guide: Cyber Security 101 – A guide for SMEs.
Top threats to SMEs
According to Verizon’s 2020 Data Breach Investigations Report, 28% of data breaches involved SMEs. But what makes them so vulnerable?
Their biggest vulnerability is human error. Small organisations are far less likely than larger ones to have systematic staff awareness training programmes in place, meaning there is an increased possibility of someone making an avoidable mistake.
On a similar note, employees at small organisations are more likely to act maliciously – purposely using information in a way that’s detrimental to the organisation.
One reason for this is that smaller organisations are less likely to have monitoring tools to catch them in the act. For example, they might not have access controls installed, which would limit the amount of information that an employee could view.
Without it, any member of staff could steal sensitive information (perhaps with the intention of selling it on the dark web), and the organisation would be unable to tell who was responsible.
Another threat that small organisations in particular are vulnerable to is ransomware. This is a type of malware in which criminal hackers lock users out of their systems and demand money for a decryption code.
The most effective way to mitigate the risk of ransomware is to regularly back up your files to an external server. That way, should your systems become infected, you will be able to disconnect them, wipe the data and restore your information using the backups.
This process will take some time – anywhere from a couple of days to a couple of weeks, depending on the size of your operations. However, it will be much less expensive and disruptive, and is a far more prudent approach than paying a criminal and hoping that they keep their word.
Unfortunately, many SMEs don’t invest in comprehensive backup strategies, making them an ideal target for crooks.
What can you do to protect your small business from cyber threats?
Most small organisations know that they should be doing more to protect themselves, but it can be difficult knowing where to begin. That’s where our Cyber Security as a Service can help.
With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.
A version of this blog was originally published on 24 September 2020.