Cyber attacks can cost thousands of pounds in repairs and loss of business, and a new report indicates that small businesses may be more at risk.
Despite this, 30 per cent of small businesses don’t have any cyber security strategies in place, and only 23 per cent have a policy that limits access to systems to certain employees, according to the report by Business in the Community (BITC).
The high cost of cyber attacks on small businesses
The report, ‘Would you be ready for a cyber attack?’, also highlights two further pieces of research.
According to the Cyber Security Breaches Survey 2018, the average cost of a cyber breach to a micro or small business is £894, while a report from Barclays found that “frauds against small and medium-sized enterprises (SMEs) cost £35,000 on average”.
Whichever figure you go by, it’s clear that a cyber attack can lead to significant financial difficulties for small businesses.
Has GDPR affected small business attitudes to cyber security?
It may at first seem promising that complying with GDPR was the main driver for small and medium-sized businesses that have implemented cyber security measures in the past 12 months (44 per cent).
However, GDPR was implemented in May 2018 and according to the BITC report:
- only 35 per cent of small and medium-sized businesses have a basic data protection policy
- only 29 per cent have a policy for controlling access to systems
- 25 per cent of small and medium-sized businesses do not have any cyber security strategies
For the self-employed, freelancers and contractors, perhaps the most useful part of the report can be found towards the end, where BITC lists seven cyber security recommendations for small businesses.
We take a look at them in turn to see what small businesses should do to live up to their cyber responsibilities.
1. Implement the National Cyber Security Centre’s (NCSC) cyber essentials
The following five steps are the minimum action the NCSC recommends small businesses take:
- use a firewall to secure your internet connection – most devices have built-in firewalls
- choose the most secure settings for your devices and software
- control who has access to your data and services – using passwords and specific user accounts
- protect yourself from viruses and other malware using anti-virus software and staff training
- keep your devices and software up to date – using auto-update mechanisms
In the last 12 months, 40 per cent of small businesses haven’t taken any cyber security action, whether that’s policies, insurance, staff training, or other measures. And more than three quarters (77 per cent) have no policy for controlling access to their data systems.
2. Back up your data
Small, medium or large – all businesses have data that they’d be lost without. In the report, small business owners are advised to back up their business-critical data as often as possible.
Automatic updates are noted as being the preferred way of doing this, and it’s always worth saving your data in more than one location, whether that’s cloud storage or an external drive.
10 per cent of small businesses never back up essential data.
3. Update your software
Stop opportunistic hackers from taking advantage of your security weaknesses and bugs in older versions of the software you use for your business, by updating your software as soon as a new update’s released. This includes your:
- antivirus software
68 per cent of small and medium-sized businesses automatically update their antivirus software when a new update is released. For antimalware software, 65 per cent apply automatic updates, and for firewalls that figure is 61 per cent.
4. Write your security policy
The report recommends developing a security policy that includes cyber security. If you have employees currently, or you think you might hire them in the future, you should be mindful to share the policy with all of them, ensuring your people are kept up to speed.
Only 35 per cent of small and medium-sized businesses have a basic data protection policy, and only 29 per cent have a policy for controlling access to systems.
5. Train your employees
If you employ people, you’ll want to make sure they’re working safely online. This includes ensuring they know what to look out for – and the steps to take – to stop your business from falling prey to a cyber attack. And make sure the training you provide suits the person and role being trained.
34 per cent of small businesses think it’s unnecessary, and 28 per cent say they have no particular reason, to provide cyber security training for employees.
6. Stay alert
Make sure your business is as secure as it can be by staying up to date with what’s happening in the cyber security world. BITC recommends following the NCSC’s Twitter feed for all the latest on the current threats out there.
7. Invest in cyber insurance
Cyber insurance can’t replace good cyber security practice – but if you do experience an attack, it can give you peace of mind that there’ll be a limit to the disruption you’ll experience due to things like data loss or having to replace your equipment.
You can read more about this type of cover in our article: What is cyber insurance? A guide for small businesses and the self-employed.
Summary of the BITC’s findings
Here’s a quick overview of the key takeaway points from the BITC’s report:
Size matters when it comes to cyber security
The evidence in the report shows that small businesses don’t invest as much time or money into their cyber security as medium-sized businesses.
And small and medium-sized businesses tend to have fewer resources in place to deal with cyber attacks than the big corporates. But it’s clear that cyber security isn’t something any size of business can afford to leave on the back burner.
Cyber security diligence varies by sector
Equally, there seems to be a link between the type of business you operate and the likelihood of you having adequate cyber security measures in place.
For example, only eight per cent of small and medium-sized businesses in the legal sector and in the IT and telecoms sector have no measures in place.
The worst-performing sectors were:
- retail (43 per cent)
- construction (39 per cent)
- real estate (36 per cent)
And 34 per cent of businesses in the transportation and distribution sector didn’t know what cyber security measures they had in place.
There are regional variations in attitudes to cyber security
Compared to other locations in the report, Wales admits to having fewer cyber security measures in place and being less likely to update antivirus, antimalware and firewall software.
Wales also trails behind in the rankings for businesses with no cyber security measures in place:
Best two regions:
- London (18 per cent)
- East of England and East Midlands (20 per cent)
Worst two regions:
- the North East (32 per cent)
- Wales (40 per cent)