Joe Collinwood, CEO at CySure, cuts through the jargon with 5 simple steps for small businesses to develop a cyber security plan.
The new digital economy presents huge growth opportunities for small and medium businesses. However, with cyber threats increasing daily, it is vital that businesses understand how to protect themselves.
Cyber security, data security and digital defence are all referred to in the world of information technology (IT). However, whatever it is called, the facts remain the same – organisations have information the bad guys want. A report from the Federation of Small Businesses (FSB) found that cyber crime is financially impacting small businesses disproportionately more than big businesses when adjusted for organisational size. The report[i] revealed that SMEs are attacked seven million times per year, costing the UK economy an estimated £5.26 billion.
Being small is not a cloak of invisibility. In fact, SMEs are a more attractive target to hackers because of their size. Most cyber attacks are financially motivated, and SMEs are seen as soft targets with few security barriers, limited cyber security tools and little or no in-house expertise. No business is too small to be a target; however, with the right approach every business can take steps to protect itself. Here are 5 key elements to keeping digital defences strong and creating a cyber security plan:
1. Assess your current security status
Unless you know the risks, it is almost impossible to mitigate them, so the first step is to carry out a cyber security assessment. It’s worth taking the time and seeking the right tools to assist with this task as a poorly executed assessment can still leave organisations vulnerable to attack.
2. Train your greatest asset – your people
Employees are the first and best line of defence but can also be the biggest risk. Cyber Security Awareness Training equips employees with the knowledge and skills they need to protect themselves from criminal elements. By introducing cyber security awareness and training to all employees, businesses heighten the chances of catching a scam or attack before it is fully enacted, minimizing damage to the brand and reducing the cost of recovery.
3. Prioritize data security
Once you have been made aware of potential threats and vulnerabilities through an assessment, addressing the risk is the next critical step. With the introduction of the EU General Data Protection Regulation (GDPR), small businesses now have the same responsibility as large businesses to protect sensitive data. Regardless of size, if your business handles personal customer and employee information then data protection laws apply. Failure to comply with regulations could result in a hefty fine from the Information Commissioner’s Office (ICO) and a damaged reputation.
4. Develop an incident response plan
Incident response management is a key requirement of the GDPR: Article 32 states that organisations must take necessary technical and organisational measures to ensure a high level of information security. An incident response plan should focus on the critical assets identified in the assessment and the potential risk. It should contain the policies, procedures, governance and technological controls needed in order to continue operations after an incident has been discovered. There needs to be a communication plan in place to ensure that relevant people and organisations will be informed of any incidents.
5. Cyber insurance – ensure you are covered!
Investing in cyber insurance provides additional support should there be disruption to your business, or if there are costs involved with data loss or replacement of equipment. Accessing specialist services at short notice to help stop an attack can be expensive, not to mention the costs of getting your business back on track as soon as possible. Not all policies are created equal; businesses should seek a policy that offers the support they need should a breach occur, including financial assistance to help with paying any associated fines and managing company reputation.
Small steps for big results
Businesses need to get proactive: the smallest of steps can deliver big results, and you don’t have to go it alone. Cyber Essentials Plus is a government and industry backed scheme to help organisations protect themselves against common cyber attacks. In collaboration with Information Assurance for Small and Medium Enterprises (IASME) it sets out basic technical controls for an annual assessment. Being compliant is said to mitigate 80% of the risks faced by businesses, such as phishing, malware infections, social engineering attacks and hacking. By using an online information security management system (ISMS) that incorporates Cyber Essentials Plus, businesses can undertake certification, fully guided by a virtual online security officer (VOSO), as part of their wider cyber security measures.