Cyber-attacks are surging and small and medium sized enterprises are easy prey for hackers. Joe Collinwood, CEO at CySure outlines why being cyber aware is a business necessity for all organisations
Small businesses in the UK are the target of an estimated 65,000 attempted cyber-attacks every day, according to new figures[i] from specialist global insurer Hiscox. According to the insurer, cyber security incidents cost the average small business £25,700 in direct costs such as ransoms paid and hardware replaced. However, indirect costs such as damage to reputation, the impact of losing customers and difficulty attracting future customers can be devastating. Complacency can cost SMEs dearly; the US National Cyber Security Alliance[ii] found that 60 percent of small firms go out of business within six months of a data breach.
In a rapidly evolving landscape of cyber threats it is vital that SMEs understand the risks and act fast or risk business failure due to a lack of a robust cyber security strategy. Here are three reasons why SMEs need to get cyber savvy:
1. Supply chain cyber security
Many organisations often rely on a vast network of agile SME suppliers and partners. However, with so many prolific data breaches occurring due to flaws in third-party partners, SMEs are coming under increasing pressure to prove their security credentials – or risk missing out on lucrative business opportunities.
Small companies make easier targets for attackers as they often don’t see themselves as a target and fail to sufficiently invest in having robust cyber security measures in place. However, for supply chains to work effectively they require every organisation involved to communicate within a central system to avoid issues such as inaccurate inventory reporting, unexpected shortages and supply chain fraud. With information and security arrangements shared across the open supply chain, the cyber-security of any one organisation within the chain is potentially only as strong as that of the weakest member.
A determined attacker will stress test the security of a supply chain, seeking to identify the weakest link and use any vulnerabilities present to gain access to other members of the chain. Whilst not always the case, it is often SMEs with their limited IT expertise and resources, that have the weakest cyber-security arrangements. Once an attack has been successful against an SME supplier, attackers can then leverage their access as an entry vector into the larger network.
2. GDPR – it’s not been and gone!
The headlines that accompanied the launch of the General Data Protection Regulation (GDPR) in May 2018 may have subsided but the legal obligation hasn’t. Although termed regulation, GDPR is enshrined in law and all organisations, regardless of size, need to ensure they meet their obligations.
However, some SMEs are continuing to bury their heads in the sand and who can blame them given the constant negative focus on GDPR. There is a lot of misinformation out there but what hasn’t been fairly represented are the business benefits. The real driver for adopting new GDPR compliance principles should be to make business more efficient, secure and competitive.
To become compliant organisations must have a comprehensive understanding of their data, which provides SMEs with the opportunity to better understand their customer. With data cleaned up employees can be more productive and efficient through working with accurate, easily searchable and accessible data. Customers are the lifeblood of a modern digital business, by improving data management organisations can unlock the value within their data and improve performance.
3. Demonstrate commitment to effective cyber security
SME’s can protect themselves against cyber-attacks and mitigate the risk of being excluded from supply chains by undertaking a certification process. Cyber Essentials Plus is a UK government and industry backed scheme to help all organisations protect themselves against common attacks. In collaboration with Information Assurance for Small and Medium Enterprises (IAMSE) they set out basic technical controls for organisations to use which is annually assessed. The aim is to ensure that companies can understand their cyber risks, implement appropriate cyber defences, meet minimum cyber security standards without hindering business and share best practice.
By displaying the Cyber Essentials badge on its website, an SME can demonstrate to customers, partners and investors their commitment to cyber security. This is particularly beneficial for organisations that are storing personal information on customers and employees, or hosting commercially sensitive data. Through certification, SMEs can proactively provide sufficient guarantees that regulatory requirements will be met and the rights of data subjects protected.
Staying safe in a connected world
SMEs have an inherent advantage over larger companies, their agility enables them to be flexible and adjust to changes quickly. The lack of red tape and corporate complexity means they can act and adapt fast. By giving cyber security the same priority as other business goals, SMEs can maintain their advantage and thrive in the new digital age. Yet, according to the 2018 Cyber Security Breaches Survey[iii], 25% of SMEs have no cyber security governance or risk management measures in place.
Cyber security need not be prohibitively expensive, SMEs need to seek solutions matching their size and needs, and not necessarily the same solutions used by a big organisation. By utilising an online information security management system (ISMS) that incorporates Cyber Essentials Plus, SMEs can undertake certification guided by a virtual online security officer (VOSO) as part of its wider cyber security measures. By navigating their way to compliance SMEs can look forward to the benefits of legislation through competitive differentiation and a new business culture that cherishes customer privacy and third-party relationships.