We spoke to experts from across the industry to put together Cybersecurity: the small business guide.
According to UK government statistics, 31% of micro and small businesses in the UK identified breaches or attacks in 2019. Of those, 19% lost files or network access and 10% had their website slowed down or taken down completely. While cybersecurity is climbing the list of business priorities, SMEs still lag their bigger counterparts when it comes to getting their security in place.
“Cyberattacks are one of the main threats to businesses across the UK – in fact, the British economy loses £27 billion per year to cybercrime,” explains Ewan Kinnear, head of mid-corporates at Bank of Scotland, “while big businesses have processes in place to relieve the strain of attacks, many SMEs don’t. This means losses from cybercrime could be even more significant and impactful on smaller firms.”
“Unfortunately, criminals will always try to exploit businesses. The most important thing they can do is to make sure that employees from the boardroom to the shop floor have a robust understanding of cyber protocols by receiving relevant training,” concludes Kinnear.
Understanding what’s at risk within your business
As a starting point, it’s important to understand where the risk lies within your business, and that means both how hackers might try to get in and what they will be looking to take once they are there. Peter Bradley, CEO at Torsion Information Security, explains that “confidential information is the lifeblood of any organisation and if it falls into the wrong hands it affects customers, employees and management – cybersecurity is the practice of protecting that information”.
“Employees are the weakest link when it comes to a business’s network security”, suggests Nigel Allen, Marketing Director, ASL Group, “inadvertently or maliciously, employees open phishing emails, connect unauthorised devices and take other actions that leave their businesses vulnerable to attack”.
Even everyday office technology could allow attackers a way into your business – research by Quocirca found that unsecured printing is severely impacting data security; some 63% of enterprises reported a print-related data breach, and the risk will be there for small companies too.
“They say: ‘There is no such thing as a computer error, only humans make mistakes’ – the point being that for organisations who do not run websites, the end-user is most at risk from phishing and malware. Where a web application or mobile app is revenue-generating, or holds customer data, those systems are built and maintained by humans. Both should be monitored by security experts and security should be at the forefront of everyone’s mind,” summarises Dan Pitman, principal security architect at Alert Logic.
Small business cybersecurity best practice
While most news stories around cybersecurity may seem incredibly complex, our experts outlined a straightforward range of steps that SMEs should be taking to keep their businesses secure.
Bradley explains how businesses can approach keeping their data secure:
“Firstly, know who has access to what data at any given time – this can be done through a series of manual processes or by using the latest automation software. Next, prove your processes – go that extra mile and prove that you know not only who has access to what documents but also the reasons why somebody has access to a specific piece of information. Finally, regularly certify access – businesses should carry out periodic security certifications, by asking business users to certify that access to the information they are responsible for is correct.”
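The three steps above (know who has access, know why, and have the responsible owner certify it periodically) can be run as a small script over an access export. The example below is added for this guide and is not code from Torsion or any other vendor quoted here; the users, resources, owners and dates are constructed sample data standing in for an export from a file server, SharePoint or a cloud drive, and the 90-day certification window is an assumed policy value.

```python
"""Access review helper: who has access to what, why, and when it was last
certified, then findings for the reviewer and a sign-off pack per owner.

Added example for this guide; not code from any vendor quoted in it.
All names, resources and dates are constructed sample data.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export: one row per (user, resource) grant.
ACCESS_GRANTS = [
    {"user": "alice", "resource": "Finance/Payroll", "reason": "payroll administrator",
     "certified_on": date(2024, 3, 1)},
    {"user": "bob", "resource": "Finance/Payroll", "reason": "",
     "certified_on": date(2024, 3, 1)},
    {"user": "carol", "resource": "HR/Contracts", "reason": "HR manager",
     "certified_on": date(2023, 1, 15)},
    {"user": "dave", "resource": "Sales/Pipeline", "reason": "account executive",
     "certified_on": date(2024, 3, 1)},
]

# Constructed HR roster of current staff: dave has left the company.
CURRENT_STAFF = {"alice", "bob", "carol"}

# Constructed mapping of who is accountable for each resource.
RESOURCE_OWNERS = {
    "Finance/Payroll": "finance-director",
    "HR/Contracts": "hr-director",
    "Sales/Pipeline": "sales-director",
}

# Constructed date on which the review is run.
REVIEW_DATE = date(2024, 4, 1)


def review_access(grants, staff, today, max_age_days=90):
    """Return a list of findings; each names the grant and the action to take.
    An empty list means every grant passed all three checks."""
    cutoff = today - timedelta(days=max_age_days)
    findings = []
    for g in grants:
        if g["user"] not in staff:  # step 1: access held by someone no longer employed
            findings.append({"kind": "LEAVER", "user": g["user"],
                             "resource": g["resource"], "action": "remove access"})
        if not g["reason"].strip():  # step 2: access with no recorded business reason
            findings.append({"kind": "NO_REASON", "user": g["user"],
                             "resource": g["resource"],
                             "action": "record business reason or remove"})
        if g["certified_on"] < cutoff:  # step 3: certification older than the window
            findings.append({"kind": "STALE", "user": g["user"],
                             "resource": g["resource"], "action": "owner must re-certify"})
    return findings


def certification_pack(grants, owners):
    """Group grants by the owner who must certify them, so each business user
    signs off only on the information they are responsible for."""
    pack = defaultdict(list)
    for g in grants:
        owner = owners.get(g["resource"], "UNOWNED")
        pack[owner].append((g["user"], g["resource"], g["reason"]))
    return dict(pack)


if __name__ == "__main__":
    for f in review_access(ACCESS_GRANTS, CURRENT_STAFF, REVIEW_DATE):
        print(f"{f['kind']:10} {f['user']:6} {f['resource']:18} -> {f['action']}")
    for owner, rows in certification_pack(ACCESS_GRANTS, RESOURCE_OWNERS).items():
        print(f"\n{owner} to certify:")
        for user, resource, reason in rows:
            print(f"  {user:6} {resource:18} {reason or '(no reason recorded)'}")
```

Run against the sample data it reports bob's grant with no reason, carol's stale certification and dave's access surviving his departure, and produces one sign-off list per director. The same shape works for any system that can export who-has-what; the value is in running it on a schedule and making an owner answer for each row, not in the script itself.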
With technology costs rising, however, many SME owners may be reluctant to invest in systems they have not tried and are not confident they understand. Allen argues that cybersecurity doesn’t need to be expensive – “investing in anti-malware software, using a firewall, enforcing safe password practices, as well as regularly backing up all data are all simple, yet affordable steps that can be taken to protect against a cyberattack.”
While many employees and managers may consider data leaks to be primarily a consumer problem, Bulletproof’s Oliver Pinson-Roxburgh points out that password strength is just as important in the business world. “Make sure users use strong passwords and don’t reuse passwords. With so many large-scale data breach leaks happening, the chance of someone’s business passwords being the same as private ones, and that password being leaked during a breach, is highly likely (take the LinkedIn leak from a few years ago for example).”
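One concrete way to act on the reuse point is to reject any new password that already appears in a breach corpus. The example below is added for this guide, not code from Bulletproof or from Have I Been Pwned; it implements the k-anonymity range query that the Pwned Passwords API uses (only the first five hex characters of the SHA-1 leave the machine, the service returns every matching suffix with a count, and the comparison happens locally). To keep it runnable offline, the remote corpus is replaced by a small constructed stand-in with made-up counts; `fake_range_lookup` is the function you would swap for an HTTP GET of `https://api.pwnedpasswords.com/range/<prefix>` to use the real data, and the 12-character minimum is an assumed policy value.

```python
"""Check a candidate password against a breach corpus without sending the
password or its full hash anywhere (k-anonymity range query, as used by the
Pwned Passwords API).

Added example for this guide; not code from Bulletproof or from HIBP.
The corpus and counts below are constructed so the example runs offline.
"""
import hashlib


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix) of the SHA-1 hex; only the prefix is sent."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


# Constructed stand-in corpus: passwords assumed, for this demo only, to have
# appeared in leaks, with made-up occurrence counts.
CONSTRUCTED_LEAKED = {
    "password": 3_000_000,
    "linkedin": 120_000,
    "Summer2019!": 42,
}


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for GET /range/<prefix>: every suffix in the corpus whose hash
    starts with `prefix`, one 'SUFFIX:COUNT' per line, like the real response."""
    lines = []
    for pw, count in CONSTRUCTED_LEAKED.items():
        p, s = split_for_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> dict:
    """Map each returned suffix to its count. Padded responses (the real API
    can add dummy suffixes with count 0) parse the same way."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def check_password(password: str, min_len: int = 12, lookup=fake_range_lookup) -> list:
    """Return the reasons to reject the password; an empty list means accept."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    seen = breach_count(password, lookup)
    if seen:
        problems.append(f"appears {seen} times in known breaches")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Summer2019!", "correct horse battery staple"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

When wiring this to the live service, send a `User-Agent` header (the API rejects requests without one) and consider the `Add-Padding: true` header so response sizes do not reveal how many suffixes matched. Because the check keys on the hash rather than on policy rules, it catches the exact case Pinson-Roxburgh describes: a personal password that looks strong but has already been leaked.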
Understanding who should be responsible for cybersecurity
Of course, small business owners can be aware of the importance of cybersecurity and of best practice, but finding the time to manage and implement it is another question. We asked our experts to help identify where responsibility for small business cybersecurity should lie within a business.
“Responsibility for cybersecurity is one of the main challenges for small businesses,” confirms Alert Logic’s Pitman, “accountability for ensuring security awareness is high for employees, and security is a priority for projects. Operational delivery of services rests with leadership in small businesses, but in the modern world businesses of most sizes do not need to hire and retain security experts to maintain a good security posture. From training to monitoring, security services can be bought in at reasonable costs from third-parties.”
For Bradley, the escalating complexity of cybersecurity means it’s just not a task that lies in one area, “info security needs to engage all business users and become everybody’s problem and responsibility. All staff need to be made aware of how to handle information safely and securely, how to spot incidents and what to do in the event of a breach.”
Preventing attacks on your business
Whether through an outsourced company or being driven by the leadership team, there are a range of steps that small businesses should be putting in place to prevent an attack.
Given that employees are a key weakness in your cyber defences, it’s no wonder that getting them trained in best practice is a key first step. Pitman explains businesses need to “educate staff; continuous education using relatable and real-world examples, beyond the ubiquitous annual security awareness training, is a must – a reminder of how to recognise spam or a phishing attempt once a year is not enough. Something as simple as posters in the office or on intranet sites reminding employees of tips and tricks for how to spot malicious emails and files will result in a significantly better result.”
However, Oz Alashe, CEO of cyber security awareness platform CybSafe, says that, while a good first step, training needs to be improved to be really effective. “It’s clear that training alone doesn’t work because, in most cases, it focuses solely on awareness. Awareness is all well and good, but increased awareness by itself is not enough. Just because people are ‘aware’ of cyber risks doesn’t mean that day-to-day, they will behave in a more secure way. It needs to focus on changing behaviour and building a supportive security culture simultaneously.”
Alex Bransome at Doherty Associates has a useful analogy to put the challenges of modern cybersecurity into context, “the front door of security used to be considered the firewall, the gateway between your internal trusted users and the internet, which in security is considered untrusted. Now, the front door is everyone within the organisation that has a username and password.”
Bransome believes that this has been one of the trade-offs from technology like the cloud. “With the rise and use of cloud services, everything is just a URL away, as the user logs on to gain easy entry to the organisation’s data via cloud storage and service facilities. While these advancements are highly beneficial for increased business productivity, without the correct security manning your front door, potential hackers are just a username and password away from accessing vital information that can disable the entire organisation. Implementing strong ‘access controls’ – which regulate access to internal resources – is important for minimising risk while ensuring everyone has the information they need to do their job at speed.”
…and if you are hit by an attack…
“If you are the victim of a cyberattack, do something about it!” says Ian Reynolds, Director of SecureTeam, “66% of businesses that are victims of cyber attacks make no effort to prevent further breaches, which might be why 56% of small businesses that do suffer cyber attacks go on to be hit again. If you are a small business owner that suffers from a cyber attack hire a cybersecurity consultant to help ensure it doesn’t happen again.”
Top three small business cybersecurity tips
1) Start with your team
Justin Young, Director of Security & Compliance at Advanced
“Invest in the right people and they can be a company’s strongest link. This means training them and enabling them to do things in a secure manner. Get to know your organisation’s assets and work out what skills you have in-house to manage the basics.”
2) Use technology to do the heavy lifting
Peter Bradley, CEO at Torsion Information Security
“It’s important to remember that nearly half of security incidents are internal, the majority (around 65%) of which are completely accidental. They are most likely to be a result of haphazard, spiralling sharing of data through collaborative systems such as SharePoint, Office 365 or Microsoft Teams. Using the right technology to automate the business process of internal file and data sharing would eliminate the majority of human error when it comes to cyber security.”
3) Bring in the experts
Dan Pitman, principal security architect at Alert Logic
“Outsourcing security monitoring to a managed detection and response vendor with endpoint detection and blocking capabilities is a no-brainer these days. Security management adds revenue for very few businesses, so follow a buy-not-build approach.”