Jason Howells
Inertia and a lack of time or specialist skills mean many SMBs remain woefully underprepared for a cybersecurity breach
Juggling a multitude of daily business and operational challenges, it’s no surprise that cyber security often slips down the SMB agenda. But as the Verizon 2016 Data Breach Investigations Report reveals, one-third of businesses that experienced data loss from a cyber attack in 2015 were SMBs.
Despite acknowledging news stories about attacks on large corporations and big brand names, SMBs often have a misplaced belief that they are too small to present a tempting target. But with fewer defences, SMBs represent rich pickings for digital attackers. Indeed, according to the UK’s Federation of Small Businesses (FSB), smaller businesses are collectively attacked seven million times a year, costing the UK economy an estimated £5.26 billion.
In response, some SMBs have adopted a ‘we’ll deal with it, if and when it happens’ stance, accepting they will just have to take the hit of paying criminals to regain access to their data or files. But this approach assumes cybercriminals are honourable and will release their malware grip – and won’t be back for a second bite sometime soon.
It also ignores the reality that the cost implications of an attack extend way beyond the ransom payment itself. SMBs will also need to factor in the hours of lost workforce productivity, loss of customer confidence and reputational damage.
While some SMBs rationalise that cyber attacks are now just part and parcel of doing business today – believing that bearing the brunt of a ‘one-off’ $300 to $600 digital currency payment to regain access to their network or data is cheaper than paying for data protection services – the true impact is much more significant.
Indeed, the combined outlay related to breach reporting, regulatory fines, organisation downtime and system repairs means the average cost of a data breach is now estimated to be around $36,000.
Guarding against cybercrime – SMBs ignore the basics
According to the UK government’s most recent Cyber Security Breaches Survey 2016, 51% of medium-sized firms detected one or more cyber security breaches in the last 12 months, 68% of which were virus, spyware or malware related.
Despite this, only 29% had a formal written cyber security policy, just 10% had a formal incident management plan and only 25% had set security standards for their suppliers. Worryingly, just 22% of small and 38% of medium-sized firms had delivered cyber security training to staff in the last 12 months.
The 2016 security breaches report also reveals cyber security is often viewed as just an IT issue – with senior business managers having little or no visibility of best-practice standards or companywide approaches and issues. With no specialist staff on the payroll, all too often generalist IT staff are left holding the cyber security baby.
Taking action on cyber security – a 5-step plan
Dealing with the fast-evolving threat posed by cyber attacks should be a priority for SMBs, which should take appropriate actions to ensure best-practice standards are in place:
1. View cyber security as a business performance or compliance issue and not solely an IT problem – IT security needs a centralised approach with clear accountability. Key individuals – including board members – need to champion the issue, enabling an organisation-wide staff culture that emphasises customer confidentiality and good data management.
2. Understand the risks – a risk assessment is the critical starting point for identifying specific risk exposure and putting solutions in place. This process should include an accurate assessment of the direct costs involved in dealing with a breach as well as the knock-on effects of a breach on the wider business.
3. Implement security best practices – prepare written cyber security policies and formal incident management processes; user education and training are also key.
4. Take a comprehensive approach to cyber security that includes advanced measures such as data encryption rules to secure cloud-based backup systems and private data stores.
5. Partner with a managed service provider to fast-track implementation of security best practices and technologies that minimise risks. Specialist providers can help pinpoint potential vulnerabilities and prepare an informed strategy that minimises the risk of a successful attack.