Small business cyber security – everything you need to know

Guide to cyber security for small businesses

Almost three quarters (73 per cent) of small businesses lack the capability and expertise to withstand a cyber security attack, according to research from security operations firm Arctic Wolf.

This comes at a time when cyber threats are becoming increasingly sophisticated and businesses are more vulnerable as a result of the Covid-19 pandemic. Our simple guide will help you on your way to protecting your business.

• What is cyber security?
• Why is cyber security important?
• Understanding 'alert fatigue'
• What is a cyber attack?
• How to prevent cyber attacks
• How can cyber insurance help?
• Impact of the pandemic on cyber security

What is cyber security?

Cyber security is the act of protecting the devices and online services we use from theft or damage. This includes smartphones, laptops, tablets and computers, as well as preventing unauthorised access to the personal data you store about your customers.

You may think cyber security is only for large multinational businesses, but it’s vital for all businesses.

Perhaps you have an online shop, collect data from your customers, or take online payments and store credit card details. All this information is vulnerable to cyber attacks and data breaches.

Along with a thorough cyber security policy, you should also have a website privacy policy that outlines how you collect and store data.

Why is cyber security important?

As we’ve mentioned, cyber security is important for protecting your business from online threats like theft, extortion and damage. Potential hackers may try to gain unauthorised access to personal information, passwords, intellectual property, financial data, or sensitive data to cause harm to your business.

Financial loss, data breaches, and reputational damage are just some of the risks of a cyber attack.

If your business has reached a certain size, you might consider hiring a cyber security analyst.

Julia Studholme, Cyber Security Analyst at Simply Business, says:

“Now, more than ever, cyber security is at the forefront of organisations of all sizes. Cyber attacks are routinely front-page news, but in addition to the reputational damage that attacks can have on businesses, they can cause a major amount of business disruption too. Behind the headlines, there’s often further damage to business operations such as system outages, data loss and financial losses too.”

Cyber security tasks are fundamental to keeping businesses safe

Lloyds Bank recently published a Business Digital Index for the UK, which highlights how cyber security tasks are fundamental to keeping a business safe. It says there are five key cyber security tasks that all businesses should be doing:

• keeping broadband router and computer software up to date
• backing up critical business data
• putting a password policy in place that reflects best practice
• establishing policies and procedures to protect them from fraud
• connecting devices to secure networks

However their research found that only half of all businesses are able to do all five of these tasks, while 30 per cent of businesses are knowingly connecting to unsecured wifi networks.

Understanding 'alert fatigue'

Many small businesses are experiencing cyber security ‘alert fatigue’, according to a survey of over 500 small and medium sized business owners carried out by security operations firm Arctic Wolf.

Alert fatigue could mean some businesses are ignoring important warnings due to the high number they receive each week.

Almost two fifths (39 per cent) of business owners surveyed said they felt overwhelmed by the volume of security alerts their business receives, with many receiving up to 75 alerts a day.

Businesses that ignore important security alerts could be at risk of a cyber attack or data breach, particularly if they don’t have the right protection in place.

Is the cyber threat a low priority for small businesses?

Balancing the importance of cyber security with core business activity is challenging for many firms.

According to Arctic Wolf’s study, 55 per cent of business owners said they regularly deprioritise cyber issues in favour of other business activity.

The cyber attacks statistics show that 34 per cent of respondents admitted to not having time to keep across every threat or alert.

It’s been suggested that some small businesses treat cyber security as low-priority because they think hackers are more likely to go after the biggest organisations.

However, the 2021 Data Breach Investigation Report from Verizon reports that almost a third (28 per cent) of data breaches in 2020 involved small businesses.

What is a cyber attack – and what are the common threats?

A cyber attack is when a hacker tries to disable systems, steal data, or destroy information by gaining unauthorised access to computer systems.

The European Union Agency for Cybersecurity (ENISA) has revealed a common list of cyber attacks experienced by small and medium-sized businesses:

• phishing attacks – fraudulent emails asking businesses to share passwords and banking information
• malware – software designed to get unauthorised access to a computer and cause damage, such as a virus
• malicious insiders – attacks from employees or former employees who have access to your system and breach sensitive data
• denial-of-service strikes – an attack which aims to shut down a company’s systems so it can’t operate

How to prevent cyber attacks against your business

It’s important to have a robust defence against cyber attacks in place. And, as the technology used to carry out attacks develops quickly, you’ll need to review your procedures regularly.

Some of the simplest things you can do include:

• updating software – installing updates as soon as they become available is an easy way to protect your business
• backing up your data – if you were to fall victim to a cyber attack, backing up your business-critical information can help you to keep going
• staying alert – keep up-to-date with security threats and make sure you don't fall into the trap of alert fatigue
• training your employees – make sure your employees are working safely online and that they know what to look out for, and how to report signs of cyber attack
• using password protection – office equipment and phones should be protected by strong passwords, and important accounts (like banking) should have two-factor authentication set up (this is an extra layer of security known as 2FA)

Read our guide to securing your small business against a cyber attack for more tips on how you can prepare for the worst-case scenario.

What is cyber insurance – and how can it help your business?

As the number of recent cyber attacks continues to grow, cyber insurance could help to protect your small business.

This type of insurance could be beneficial for your business if you hold sensitive data such as personal customer details, rely on computer systems and online software, or have a payment card industry (PCI) merchant services agreement.

Read our guide to cyber insurance for small businesses to find out more about the biggest cyber attacks, the data breaches you could be fined for, and the software you can use to protect your business.

What impact has the pandemic had on cyber security for businesses?

The Covid-19 pandemic has made small businesses more vulnerable to cyber security breaches, such as Man-in-the-Middle attacks, according to ENISA.

It says that increased remote working and use of contactless payment methods have given attackers new opportunities to target.

This is backed up by Verizon’s 2021 Data Breach Investigation Report, which suggests that 22 per cent of small and medium-sized businesses have suffered a security breach due to a remote worker since March 2020.

'Remote working adds a layer of complexity'

Speaking of the common threats and trends related to cyber security, Studholme said:

“Since the start of the pandemic, widespread adoption of remote working has added a layer of complexity when it comes to cyber security risks. Not only do companies have to concern themselves with all of the devices on their corporate networks, but they have to consider devices that are on employee’s home networks too, over which they have much less visibility.

“One of the main threats facing businesses today is cloud vulnerabilities. The adoption of cloud-based services and infrastructure (and in some cases, multi-cloud adoption) has meant businesses become a prime target for attackers.”

Although it might be difficult to stop every threat, small businesses can protect themselves in a post-pandemic market by having as many layers of defence as possible and creating obstacles for hackers to get around.

These could include multi-factor authentication technology and regularly training staff about the cyber security threats they face.

Small business guides and resources

• A guide to the Data Protection Act and GDPR for small businesses
• Have you got an HMRC scam email, call or text?
• Best accounting software for small business
• Is professional indemnity insurance compulsory?

How do you protect your business against cyber attacks and data breaches? Let us know in the comments below.