Small businesses are increasingly becoming the target of cyber criminals who see them as a soft touch because they often neglect to put robust security measures in place.
If you are a sole trader or a small business, you may not think that your computer system is of interest to international criminals. However, your data and that of your customers are extremely valuable, and a data breach could cause you huge financial and reputational damage.
According to the latest Hiscox Cyber Readiness report, 61% of firms reported suffering one or more cyber-attacks in the past year. Among firms reporting attacks, average losses associated with all cyber incidents have risen from £180,000 last year to £291,000.
A guide to keeping your data safe
The National Cyber Security Centre has just updated its Small Business Guide. It covers all aspects of data security for SMEs, including backing up data, keeping computers, laptops and smartphones safe, protecting against malware and phishing attacks, and using better passwords.
It’s important for SMEs and sole traders to be aware of the simple steps they can take to protect themselves. If you employ staff, even if they work part-time, it is essential that they too are aware of the importance of following the guidelines, as many data breaches are due to simple human error.
Why data security matters
Criminals are out to exploit any weakness in your security systems and SMEs can be a target because they offer a route into other, larger, organisations, says Del Heppenstall, a director of KPMG in the UK and a security expert with 20 years’ direct experience in Information and Cyber Security.
“Phishing, ransomware, malware – SMEs will receive these attacks indiscriminately,” he says. “Cybercriminals now do their own investigations and look at where an organisation is in the supply chain. They try to identify businesses that might be providing services to a bigger party. In this way, SMEs are often seen as a route into bigger organisations.”
This might be in the form of accessing your inbox and sending malicious emails to clients, who will trust the email because it appears to come from you. It might also cause you reputational and financial damage as a result, he says.
“Data breaches happen to companies of all shapes and sizes — they just don’t make the headlines,” says Bruce Penson, Managing Director of Pro Drive IT. If you are a service-led business – such as an accountancy practice – then this makes you an even more attractive target to hackers, as you are likely to hold masses of personal client data.
Without the resources of the big companies, you are unlikely to have as robust security measures in place to protect it. Cyber criminals know this.
“In the underground world of the dark web, it’s not just money criminals are after,” he says. “Data is extremely valuable too. So, if hackers can find a more straightforward way to access it, why wouldn’t they use it? Unfortunately, businesses like these are often seen as an easy and highly attractive target.”
It’s a big issue and one that could cost your business dearly, both financially and in terms of your reputation, he says. Plus, following the introduction of more stringent laws under GDPR, government advertising and several highly publicised cases, your clients will want to know their data is safe with you.
“When it comes to cybersecurity, SMEs are the soft underbelly of the business world,” says Paul Rose, CISO at Six Degrees. “In fact, SMEs are becoming an increasingly lucrative target for hackers. Social engineering and CEO fraud are a big problem, as SMEs often don’t have the same level of governance in place as large enterprises. And SMEs may also be targeted for their connections to a larger company – third party suppliers are often the weak link in an organisation’s cybersecurity chain.”
So what can you do? He says the first step is to acknowledge that the risk is real, and increasing. Then complete a risk assessment and create a cybersecurity strategy. After that, provide training to all staff so that they know how to deal with incidents, and have a plan if the worst happens and you need to respond to an incident or put business continuity plans in place.