Many small businesses aren’t adequately prepared for a cyber attack despite a rise in incidents, according to Hiscox.
The firm surveyed 5,400 companies across seven countries, assessing their cyber security strategy and execution, then ranking them accordingly. More than three out of five firms (61%) report one or more attacks in the past year, up from 45% in last year’s report. Few were considered ‘expert’ when it comes to cyber security readiness; in fact, 74% were deemed unprepared “novices”.
The number of attacks is on the rise too. Over half (55%) of businesses faced an attack in 2019, up from 40% last year.
Shira Stieglitz, head of content and research at Website Planet, says:
“Fraud is an industry that has been built off the sloth-like adaptation of businesses to the digital era and this will be costing the UK billions of pounds a year.
“The problem will only get worse, as those responsible are emboldened by a parallel boom in how much these cyber attacks are worth to them. In the UK at the moment – crime pays.”
Small businesses at risk
Larger firms are still the most likely to be hit by a cyber attack, but the proportion of small firms reporting an incident is up from 33% to 47%.
Gareth Wharton, head of Cyber at Hiscox, said that Britain’s low spending on cyber security could be driven by the large number of small businesses in the country.
“They may feel like they won’t be targeted as we tend to only read about large breaches in the press. If they incorrectly feel they won’t be targeted, they may be less likely to spend on cyber security,” he said.
Supply chain incidents are on the up too, with almost two thirds (65%) having experienced cyber-related issues in their supply chain in the past year. The worst-affected sectors are technology, media and telecoms (TMT) and transport firms.
The good news is that the majority of companies (54%) now evaluate the security of their supply chains at least once a quarter or on a more ad hoc basis.
What’s more, the majority (80%) of continental European firms said they made cyber security changes following the introduction of GDPR last year.
SMEs in the cyber attack crosshairs: top tips to avoid a breach
A lack of time and specialist knowledge means that many SMBs think suffering a security breach is inevitable – but it doesn’t have to be.
Jason Howells of Barracuda Marketing explains what you can do to save yourself from a data breach.
The majority (86%) of SMBs don’t feel they can defend themselves from cyber breaches, according to Ponemon statistics. Most now know that they are a tempting target for cyber criminals. The problem is that these businesses don’t have the correct protective measures in place to defend themselves.
The main reason for this lack of action is uncertainty. According to the CFC, SMBs ‘don’t know where to start’ when it comes to cyber security. But this excuse simply doesn’t cut it in today’s hazardous climate: an SMB without cyber defences is a sitting duck for cybercriminals, and SMBs are certainly not immune from significant financial loss caused both directly by attackers and by penalties imposed by regulators.
Aware of the inevitable, we’ve seen many SMBs adopting a “we’ll deal with a breach when it happens” stance, accepting that they will just have to take the hit of either restoring their IT systems or paying criminals to regain access to their data or files.
But this approach assumes cybercriminals are honourable and will release their grip – and won’t be back for a second bite sometime soon. SMBs will also need to factor in the hours of lost workforce productivity, loss of customer confidence and reputational damage.
While some SMBs rationalise that cyber attacks are now just part and parcel of doing business today – believing that bearing the brunt of a ‘one-off’ expensive digital currency payment to regain access to their network or data is cheaper than paying for data protection services – the true impact is much more significant.
After all, the overall outlay from a breach includes any payments to regain data, breach reporting, potential regulatory fines, downtime and any system repairs.
Guarding against cybercrime – SMEs ignore the basics
According to the UK government’s Cyber Security Breaches Survey 2016, 51% of medium-sized firms detected one or more cyber security breaches in the last 12 months, 68% of which were virus, spyware or malware-related.
Despite this, only 29% had a formal written cyber security policy, just 10% have a formal incident management plan and only 25% had set security standards for their suppliers.
Worryingly, just 22% of small and 38% of medium-sized firms had delivered cyber security training to staff in the last 12 months. Given that humans really are the first line of defence in many cyber attack situations, this last stat is particularly worrying.
The report also reveals that cyber security is often viewed as just an IT issue – with senior business managers having little or no visibility of best-practice standards or company-wide approaches and issues. With no specialist staff on the payroll, all too often generalist IT staff are left holding the cyber security baby.
Taking action on cyber security – the five-step plan
Dealing with the fast-evolving threat posed by cyber attacks should be a priority for SMBs, who should take appropriate actions to ensure best-practice standards are in place:
1. View cyber security as a business performance or compliance issue and not exclusively an IT problem
IT security needs a centralised approach with clear accountability. Key individuals, including board members, need to champion the issue, enabling an organisation-wide staff culture that emphasises customer confidentiality and good data management.
2. Understand the risks
A risk assessment is the critical starting point for identifying specific risk exposure and putting solutions in place. This process should include an accurate assessment of the direct costs involved in dealing with a breach as well as the knock-on effects of a breach on the wider business.
3. Implement security best practices
Prepare written cyber security policies and formal incident management processes; user education and training are also key. Many SMBs don’t realise that their IT service providers can probably assist them with getting these essential policy documents and education programmes up and running.
4. Data protection
Data should be kept safe from prying eyes with data encryption rules that can secure cloud-based backup systems and private data stores.
5. Partner with a managed service provider
This can help fast-track the implementation of security best practices and technologies to minimise risk. Specialist providers can help pinpoint potential vulnerabilities and prepare an informed strategy that reduces the risk of a successful attack.
Choose service providers that are able to work the way you do – whether you have cloud applications like Office 365 or want extra protection from next-generation firewalls, for example.
Jason Howells, EMEA director, MSP Solutions at Barracuda Networks.