Small business cyber security: the ultimate guide – IT Governance UK Blog


If you’re a small business owner, cyber security might seem impossibly complicated and filled with endless pitfalls.

There’s indeed a lot at stake – with ineffective security measures potentially threatening your productivity, your bank accounts, and your employees’ and third parties’ personal data. But fortunately, the path to effective security needn’t be difficult.

In this blog, we explain what you need to know about cyber security for small businesses.

Why cyber security presents unique risks for SMEs

The difficulties that small businesses face when addressing cyber risks fall into two categories: financial costs and access to expert advice.

When we talk about ‘cost’, there are several issues at play. First, there is the fact that many small and medium-sized enterprises lack the budget to invest in comprehensive defences.

Second, there are the costs that organisations incur as a result of a security incident. We’ll talk about the specific financial effects of this in more detail below, but it’s worth noting that the first issue makes the second worse.

SMEs that are reluctant to invest in cyber security practices are not only more likely to fall victim but will experience higher costs as a result.

You cannot cut corners when it comes to cyber threats. However tight your budget, you must find a way to address cyber security.

That brings us on to the second difficulty that you face: gaining expert advice. The demand for cyber security professionals far outweighs supply, with one report claiming that there will be 3.5 million unfilled jobs in the industry by 2021.

Those with the necessary skills can therefore command a much larger salary, meaning small organisations are being priced out of the market.

SMEs’ best course of action is to look internally – offering existing employees the opportunity to move into a career in cyber security.

Those in an IT background are particularly suited to this career switch, because – although technology only encompasses one aspect of information security – there is considerable overlap.

Why SMEs can’t ignore cyber security

Let’s now take a closer look at the repercussions that small organisations face if they don’t correctly address cyber security.

The first problem that you’ll run into is business disruption. An attack on your systems may paralyse your network or force you to close off parts of your business to make sure cyber criminals can no longer access your data.

In the time it takes you to investigate the cause of the breach and to get your systems back online, you will be unable to perform certain operations and are likely to experience a loss of production.

Remedial costs and regulatory fines

Getting up and running again is only your first obstacle. If the incident were severe enough, you would need to contact affected customers as well as your data protection supervisory authority, which in the UK is the ICO (Information Commissioner’s Office).

Notifying customers alone can be an expensive and time-consuming endeavour.

You may have to set up helpdesks so that those affected can get in contact to learn more. Some organisations might even offer complimentary credit checks to reassure customers that the breach has no personal financial implications for them.

In addition to this, the ICO may well decide that the incident was a result of a GDPR (General Data Protection Regulation) violation. In those cases, you are liable to receive a financial penalty and face legal action.

Finally, the incident might result in long-term reputational damage. It can be challenging for organisations to retain customers’ trust – and that’s particularly true for small organisations – so you may experience significant customer churn.

According to CISO’s Benchmark Report 2020, a third of organisations said they experienced reputational damage as a result of a data breach.


Top threats to SMEs

According to Verizon’s 2020 Data Breach Investigations Report, 28% of data breaches involved SMEs. But what makes them so vulnerable?

Their biggest vulnerability is human error. Small organisations are far less likely than larger ones to have systematic staff awareness training programmes in place, meaning there is an increased possibility of someone making an avoidable mistake.

This includes things such as reusing their password on multiple accounts, falling for a phishing scam or failing to properly dispose of sensitive information when it’s no longer needed.

On a similar note, employees at small organisations are more likely to act maliciously – purposely using information in a way that’s detrimental to the organisation.

One reason for this is that smaller organisations are less likely to have monitoring tools to catch them in the act. For example, they might not have access controls in place, which would limit the amount of information that an employee could view.

Without them, any member of staff who wanted to steal sensitive information (perhaps with the intention of selling it on the dark web) could do so, and the organisation would be unable to tell who was responsible.

Another threat that small organisations in particular are vulnerable to is ransomware. This is a type of malware in which criminal hackers lock users out of their systems and demand money for the decryption key.

The most effective way to mitigate the risk of ransomware is to regularly back up your files to an external server that is kept separate from your network, so that the ransomware cannot reach the backups too. That way, should your systems become infected, you will be able to disconnect them, wipe the data and restore your information using the backups.

This process will take some time – anywhere from a couple of days to a couple of weeks, depending on the size of your operations. However, it will be much less expensive and disruptive, and is less dangerous than paying a criminal and hoping that they keep their word.

Unfortunately, many SMEs don’t invest in comprehensive backup strategies, making them an ideal target for crooks.

What can you do to protect your small business from cyber threats?

Most small organisations know that they should be doing more to protect themselves, but it can be difficult knowing where to begin. That’s where our Cyber Security as a Service can help.

With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.

They’ll guide you through vulnerability scans, staff training and the creation of policies and procedures, which form the backbone of an effective security strategy.


A version of this blog was originally published on 24 September 2020.
