Cyber attacks and data breaches are among the biggest risks currently facing small businesses, with a recent study by Jupiter Research showing that half have been victims in the last year.
Yet despite the growing threat, many SMEs still believe that they won’t be affected, with the same study showing three quarters feel they are currently secure and 86 per cent believe they are doing enough to protect themselves. Many also believe they are simply too small to be in danger.
It’s understandable that cyber security can drop down the priority list for small businesses, who lack the time, headspace, resources and security expertise of a larger company. Processes can get overlooked, warning signs missed, and before you know it, you’ve got a crisis on your hands.
With that in mind, here’s a list of the most common cyber security mistakes we see small businesses make. And most importantly, how to avoid them!
Putting a non-technical person in charge of security
One of the fundamental errors we come across is companies putting somebody with no technical expertise in charge of keeping their systems safe, which means they lack a thorough understanding of the nature of the risks, and how technology and processes offer protection. Cyber threats are numerous and constantly evolving so it’s crucial to have a dedicated expert who can manage the changing needs of the business. If you’re not ready to hire a CTO, and none of your existing team have technical expertise, consider taking on an external consultant to bridge the gap.
Lack of engagement from senior management
In contrast, many small business owners make the mistake of handing security over to an IT person and promptly forgetting about it, when in fact, to be effective, security requires buy-in from the whole organisation, starting at the top. Not only can senior management be one of the prime targets for cyber-attacks – in a type of phishing known as ‘whaling’– directors also have ultimate responsibility for protecting company and client data, and can be held personally liable if anything happens.
Bad password practice
I’ve lost count of the number of data breaches caused by poor password practice, whether that’s not updating them regularly, using the same passwords for numerous accounts, or choosing simplistic words and references. ‘Password1’, ‘123456’ and ‘companyname’ are all prime examples that should be avoided! Instead, use private, certificate-based authentication, or passwords which are changed at least every 60 days and that have a combination of letters, numbers and symbols – storing these in a secure password manager or keychain can help you remember them. Enabling two-step verification whenever possible can also provide an extra layer of defence.
Failing to engage employees
Whatever other security measures you have in place, the actions of your employees can undo your good work in an instant, with a recent study by IBM showing human error is responsible for 60 per cent of data breaches. Common mishaps include emailing an attachment which contains sensitive data to the wrong person, accidentally downloading ransomware from a suspicious link, or employees naively leaking data or company passwords.
The best way of tackling this issue is putting in place a cyber and data protection policy, outlining what is expected of employees and how to keep company data and systems safe. This can then form part of the induction and ongoing review process for all employees so they understand the risks and their responsibilities, while also demonstrating that the business takes data security seriously.
Not backing up correctly (or not at all)
Another hugely common error is failing to back up your systems correctly, so if your files are deleted or corrupted by an attack, there’s no way of restoring them. While more businesses are now implementing backup solutions, there is a tendency to ‘setup and forget’, so they don’t realise something has failed with the system until it’s too late. We recommend backing up your systems off-site, every day, as well as checking the quality of the backups periodically. There is nothing worse than having your systems compromised and then realising your back up is effectively useless.
Poor access controls
Another thing we find in small companies is that access details for systems and data can get passed around casually, so everybody ends up with the log-in to everything, often including administrator privileges. While this can make life easier, it can also make the chances of a cyber breach more likely, leave you exposed to disgruntled employees, as well as making it difficult to track down who’s responsible if anything does happen.
There are few occasions that warrant generic logins, so everyone should have individual logins, only for systems they need and only to the level they require. It’s better to start off with low access, and then build up as required, making sure any logins utilise employees’ work emails, which you have ultimate control over. Access levels should be tracked on an ongoing basis so that nobody has any log-ins they don’t need, then privileges should be automatically revoked and details changed when employees leave the company.
Failure to update software
We all get irritated by constant pop ups telling us to update our systems or software, but not doing so can actually leave you more vulnerable to an attack. Trusted patches and software updates, whether to your operating system, WordPress website or anti-virus software, often include vital security upgrades that will help defend against new and evolving cyber threats. Configuring automatic updates from trusted providers can make sure these are installed regularly.
No response plan
Last but not least, too many small businesses are slow off the mark and disorganised when it comes to identifying and responding to an attack, an issue that can greatly influence the amount of damage – physical, financial and reputational – that is suffered as a result. As soon as an attack or breach happens, you need to know who’s responsible for making decisions and setting a response plan in motion.
It’s also vital to know who you need to contact for legal, IT forensic and public relations advice, as well as how you’ll approach communicating with customers. Having cyber insurance in place can also be invaluable to cover any legal costs and compensation you have to pay, as well as your own out-of-pocket expenses as a result of an attack.
Cyber security is one of those areas where you often don’t understand the value of taking certain precautions until it’s too late – and then you wish you’d done more! So remember – a few simple steps now could save you and your business a big headache further down the line.
Ben Rose is insurance director and co-founder of Digital Risks.