Small businesses are collectively subject to almost 10,000 cyber-attacks a day, according to new findings from the UK’s largest business group.
One in five (20%) small firms say a cyber-attack has been committed against their business in the two years to January 2019. More than seven million individual attacks are reported over the same period, equating to 9,741 incidents a day.
The annual cost of such attacks to the small business community is estimated to be £4.5 billion, with the average cost of an individual attack put at £1,300.
Victims are most frequently subject to phishing attempts, with 530,000 small firms suffering from such an attack over the past two years. Hundreds of thousands of businesses also report incidences of malware (374,000), fraudulent payment requests (301,000) and ransom-ware (260,000).
Those based in the North West, South East and West Midlands are most likely to be the victims of cyber-attacks, with 25%, 23% and 21% of small businesses in these areas reporting cyber incidences respectively.
One in three small firms (35%) say they have not installed security software over the past two years. Four in ten (40%) do not regularly update software, and a similar proportion do not back up data and IT systems. Fewer than half (47%) have a strict password policy for devices.
FSB Policy & Advocacy Chairman Martin McTague said: “These findings demonstrate the sheer scale of the dangers faced by small firms every day in the digital arena.
“The issue of business crime is overlooked too often – even more so of late in this climate of sustained political uncertainty and inaction. Meaningful steps must be taken to safeguard our small firms, and by extension the wider economy.
“More small firms are waking up to the threat of cybercrime. It’s a threat that’s evolving rapidly, but too many small businesses still lack access to the resources and budgets needed to contain it.
“The Government should be doing more to tackle this scourge by enhancing the current policing response – including investing more in cyber upskilling for police personnel as part of its wider recruitment push.
“There’s also a discussion to be had about whether tackling cyber threats should be handled entirely by specialists at the regional or national level, rather than local constabularies, building on the work of the National Crime Agency.
“Banks also have a role to play. They should be building in as much resilience as possible into banking and payments systems, and made liable for the losses of business – not just consumer – customers when they fall victim to cyber-crime.
“Software providers could also be doing more. Government should be prepared to step-in and require automatic patching and updates to be the default option for all software products.”