According to the latest business population estimates released by the government earlier this month, there were almost 5.82 million small businesses in the UK at the start of 2019. Unfortunately, that means there are a lot of businesses for hackers to target with a myriad of cyber attacks.
What can small businesses do to minimise the risk they face? How can you keep your business secure, without spending your entire IT budget on expensive solutions? We turned to experts from the cyber security industry to find out.
Understanding the unique challenges of small business cyber security
Brian Craig, legal director at UK law firm TLT says: “SMEs can be seen as easy targets by hackers, who may assume a small business lacks the resources, technology and specialist knowledge to protect itself against an attack.”
According Steve Kingan, chairman and CEO at cyber security specialists Nexor, there are several factors that make small business security particularly challenging, “small businesses are less likely to have dedicated cybersecurity resources to protect their businesses and more likely to be reliant on outsourced suppliers and software for their IT needs.They are also less likely to have an adequate cybersecurity budget, resulting in weakened security coverage.”
Given the large number of SMEs in the UK, Simon Eappariello, SVP Product & Engineering, EMEIA at iboss, thinks it’s as much a numbers game as anything else, “SMEs make up around 99 per cent of all businesses operating in the UK, and as such provide the largest target area when cyber criminals look for victims to exploit through their various methods of cybercrime. SMEs often operate their business without dedicated cyber security resources, and have less resources to dedicate to cyber defence and staff awareness training for example.
However it’s not all bad news, Eappariello thinks that SMEs could also turn their size into an advantage, “although on the flip side SMEs also have less complex and often less distributed environments to protect.”
Know where your business is vulnerable to cyber attacks
Whether you are an office-based, shop-based or any other kind of small business, it’s a fact of life that technology will be present in almost every part of your business. Much like putting more windows on a house, the rise of technology means that there are more ways for hackers to try and get into your business.
Alex Bransome, CISO at Doherty Associates explains, “Statistically the most common threat delivery mechanism is email. Small businesses are particularly vulnerable to this and several other attacks due to a general lack of security awareness and training”. “Another aspect of an SME’s business which makes them potentially vulnerable is their reliance on third party applications and web services,” adds Patrick Martin, Head of Threat Intelligence at Skurio.
According to Marek Ostafil of Cyberus Labs, it’s not necessarily your business that is the primary target, “every element of SMEs activity can be tempting for hackers, and it depends on the market or industry the SME is working in. But even if we are not working in “sensitive” industries we still can be used as a tool to attack others.”
One particularly concerning areas for small teams is the threat of insider attacks, carried out by team members or close associates who often experience deeper levels of trust within small business.
According to Peter Bradley, CEO at Torsion Information Security, SME owners should think about this type of threat differently.
“It tends to occur at granular level, one document-at-a-time – not entire systems or networks at a time. This means that effective solutions (and useful conversations about them) are much closer to the business than they are to the IT teams responsible for technology. Our most vulnerable systems are those which store the documents – our collaboration, cloud storage and file sharing systems such as Microsoft 365, Sharepoint, FileShares or Microsoft Teams.”
Insider attacks are thought to be responsible for almost a third of attacks,i – the Verizon 2019 Data Breach Investigations reported that 34% of all breaches in 2018 were caused by insiders. “Insider incidents have a much higher likelihood of actually occurring, and often go undetected for months. Our tendency to focus on stopping ‘the big incident’ overlooks the fact that the sum total impact of the smaller incidents, occurring on a regular basis, can have a far greater negative impact on the business,” concludes Bradley.
According to research from LastPass, a password management solution, sharing passwords within small teams is also a major problem. The LastPass Global Password Security Report, found that password sharing and reuse remains a common practice in most businesses. Employees reused one password an average of 13 times. An overwhelming number of passwords is a key factor, with SME employees having an average of 85 passwords to manage.
Do you need a full IT team for cyber security?
Sonia Blizzard, managing director of Beaming, a business ISP, doesn’t think you need to pay for a full IT team in order to secure your business. “There are lots of cyber security solutions out there that are built for small businesses, so you don’t necessarily need a full IT team, but you do need to take the threat seriously and you do need to educate employees to ensure they don’t expose your business to undue risk.”
Marek Ostafil says, “it’s not necessary to have a full IT team if your cybersecurity supplier provides good customer service. But, if you do have an IT department, you need to work closely with them to look for the most efficient solution – and it might not always be that the most well-known solution on the market is the best.”
According to Dan Pitman, principal security architect at Alert Logic, being agile and adaptable should be an advantage for small companies, and that bringing on board a cyber security service can balance the need for a permanent team.
“Forward-looking SMB leaders know that they are in a better position than large enterprises to take advantage of the agility and adaptability of their organisations and are seeking new ways to be cost-effective in how they address cyber risks and respond to attacks. Implementing continuous, 24×7 experts via a managed service will help to identify and blunt successful attacks against vulnerable or aging which can’t be upgraded.”
The business advantages of being secure
With teams already under pressure, a key concern for both employees and managers is that what you gain in security you risk losing in productivity, and your team’s ability to get the job done. This shouldn’t be a cause for concern according to the industry.
Ed Williams, director EMEA, SpiderLabs at Trustwave explains, “I don’t believe that security is a burden, far from it, in fact the advent of the cloud is a perfect example of a business-enabler. Yes this does come with enhanced risks, but these can be managed and negated with appropriate controls; people, process and technology allows businesses to be far more productive, flexible and agile.”
This lies in a misconception about how people view security according to Ostafil, “cyber security is still very often considered as something that we are forced to use – especially among SMEs. The attitude ‘who would ever attack an SME?’ is the problem.”
Getting your team on board
With so many threats against your business, it’s vital that you have everyone onside and working to protect the business. Sonia Blizzard thinks this is especially true when getting your team to own up to mistakes which might have made you vulnerable, “businesses need to cultivate a culture in which the fear of falling victim to cybercrime is greater than that of owning up to mistakes that could potentially compromise the company. This way your business stands a better chance of being able to get ahead of a potential breach and limit its impact.”
For Peter Bradley, responsibility has moved far beyond just the IT team. “The set of people who need to be responsible is broadening in that the business requires the cooperation and engagement of all staff members in order to keep information secure. The IT team can only ever have so much visibility of the detail in terms of what information exists, what’s sensitive, what’s not, who has access to it, who doesn’t and so on. Sometimes the people in the business need to be engaged in making those decisions and keeping those decisions up to date and accurate. The good news is that technology now exists to facilitate that engagement in a highly automated way, running in the background and causing minimum disruption to day to day business users”.
For Brian Craig training and culture change is also key, “the digitalisation of business has meant that employees have greater access than ever to key business data. Improving employees’ ability to detect suspicious behaviour can identify outside hacker attacks and malicious insider threats. This could include rolling out training to help identify phishing or more targeted spear phishing attacks, or addressing employee reticence to report suspicious behaviour to help thwart internal threats.
For Alex Bransome, making security a priority will always be a challenge. “Getting people on board can be a challenge. The interests and concerns of the business in relation to IT security are not always top of everyone’s personal agenda.” Instead, he thinks you should make cybersecurity training a benefit for them too. “I believe that a better method to deliver security awareness and best practice training more effectively, is when it’s communicated to our people as not only about protecting the business interests, but also about providing them the skills to protect themselves, their children, family and friends from online attacks, fraud and data theft. This then works both ways, as if good security practices are being followed at home, they are much more likely to be echoed in the workplace.”
“There isn’t a silver bullet that enables a business to completely protect themselves against hackers, but there are multiple defensive actions that will help,” concludes Steve Kingan, “focusing on doing the basics well, by thoroughly implementing ‘cyber essentials’, is an excellent starting point for any business.”
Cyber security top tips
Brian Craig, legal director at UK law firm TLT:
“Cybercriminals are deploying increasingly sophisticated technology, including AI, to launch attacks. Investment in the right protection systems is crucial, but so is having a defined approach to both preventing and responding to attacks. Having a simple framework in place will not only help defend against cybercrime, but will also demonstrate to clients that you take their data protection seriously.”
Jon Fielding, managing director EMEA of Apricorn:
“Cyber attackers favour a simple, straightforward approach, and SMEs should take a leaf out of their book. Whatever the size of the company, the best cybersecurity defence doesn’t involve implementing costly, sophisticated solutions, but instead following three fundamental steps.
“First, the business needs to get a comprehensive understanding of its current security posture, reviewing all security processes and policies against compliance guidelines and best practice, and addressing any gaps by updating or creating policies as necessary. Next, all employees should be educated in the risks and consequences of data breaches, and trained in the practical skills and knowledge they need to keep data secure.
The last line of defence is to mandate and enforce the encryption of all data, both when it’s at rest and on the move. To support mobile working, the business should mandate the use of removable storage devices that feature strong hardware encryption. These will automatically encrypt all information written to them, locking it down so it cannot be accessed by unauthorised individuals if the device ends up in the wrong hands.”
Tom Martin Ball – Lead Auditor at Alcumus:
“By far the best way of taking control of cyber security is through the use of management systems. The holy trinity when it comes to cyber security includes: Information Security Management, Business Continuity and IT Service Management. There are specific standards for these areas, which help ensure that businesses have systems in place to protect their organisation against attack, limit any damage and get back up and running as swiftly as possible.”
Rahul Powar, CEO and co-founder – Red Sift
“Eliminate email threats: 91% of all cyberattacks start with email, so get a hold of anti-phishing mechanisms such as the DMARC protocol that allows you to ensure that emails you send and receive are verified. Without the protocol an employee is unable to distinguish a genuine email from a spoofed one and can be lured into sharing data that causes a significant loss for the company.”