For small businesses, operating online has quickly moved from nice-to-have to necessity. It is estimated that two thirds now operate online and this digital revolution has helped them to expand and reach new markets.
Alongside the obvious opportunities, this shift has also increased the vulnerability of these businesses: while a quarter of UK businesses have suffered a cyberattack or breach in the past year, this rises to one in three for SMEs (Cyber Security Breaches Survey 2016, Department for Culture, Media & Sport).
Cyberattacks on large multinational businesses may make the headlines more, but the threat is just as real – if not more so – to smaller ones. The range of attacks is also growing, from hacking and malicious spreading of viruses to using “ransomware” – where hackers disable your computer and encrypt all its files, demanding payment to fix the problem.
The impact of an online security breach can be far reaching, typically costing an SME between £75,000 and £300,000, according to a PwC survey for the government. Apart from the financial cost of a breach, a company’s reputation almost inevitably suffers. Over half, 58%, of consumers said that a breach would discourage them from using a business in the future, in a joint report from KPMG and the government’s Cyber Aware campaign (Small Business Reputation and the Cyber Risk, 2016).
The consequences to a small business of a cyber breach can be far reaching. Losing customer data, for example, can devastate smaller companies and is especially risky for start-ups. In the short term they could lose customers and face prosecution under the Data Protection Act, if they have failed to take appropriate steps to look after customer information. In the longer term, the reputational damage caused by a data breach could seriously impact their ability to grow and expand as a business. Businesses old and new, small and large, are vulnerable online, and it is clear that the consequences of a security breach could be severe.
This makes the government statistics on attitudes towards cyber security amongst SMEs from Ipsos MORI surprising – over half (56%) don’t always use different and strong passwords for personal and work accounts. Using strong passwords made up of three random words is, according to the National Cyber Security Centre (NCSC), a part of GCHQ, one of the most crucial actions people can take to protect themselves and their business from cybercrime.
Detective Inspector Danny Lawrence, National Police Chiefs’ Council PROTECT co-ordinator for cybercrime, points out how crucial passwords are to online security and emphasises the consequences of a breach:
“The majority of people do not realise how important something as simple as a strong password can be, particularly for email accounts which are the gateway to all your personal accounts. Being a victim of a cybercrime will affect your life in a very real way and small actions like the Cyber Aware campaign is suggesting can make a big difference to protecting yourself online.”
Similarly, the same government statistics from Ipsos MORI found that 63% don’t always download the latest software and app updates as soon as they are available, which is another crucial step to improving online security, as these contain vital security updates. While many say that downloading updates ‘takes too long’, in reality it takes only a few minutes, compared with the time it can take to recover from a cyber hack.
This campaign to increase awareness of the steps businesses can take to improve their online security is part of government’s efforts to significantly transform the UK’s cyber security and make the UK the safest place to live and do business online. The new National Cyber Security Centre is part of this and will actively protect the UK from a range of cyber threats, coordinate responses to cyber security incidents, and provide a range of guidance and support to industry.
Security Minister Ben Wallace urges us all to play a role in this effort to improve the nation’s online security, saying: “Tackling cybercrime not only requires a concerted response from law enforcement and government but also vigilance from members of the public. While the government will invest £1.9 billion in cyber security over the next five years, we can all make a difference and protect ourselves from cybercrime by taking some very simple steps, such as using three random words to create a strong password.”
Small businesses need to take the threat of a cyberattack seriously. The good news is that protecting a business from hackers and viruses does not have to take a lot of time, work or money.
Based on expert advice from the NCSC, Cyber Aware recommends two simple steps which can have the biggest impact on helping improve online security:
- Use three random words to create a strong password. Hackers can use your email to gain access to all your personal and business data. Your most important accounts are your email, social media and online banking, so use unique passwords for these as a minimum. You should also use separate passwords for your business and home accounts.
- Always download the latest software and app updates as soon as they appear. They contain vital security upgrades which help protect your devices from viruses and hackers. If you don’t think you have anything worth stealing, think again. Cyber criminals can profit from anything from your email contacts to your client databases.
Cyber Essentials provides another way for businesses to improve their cyber security and gain accreditation to prove this. It’s a government-backed and industry-supported ‘standard’, helping you to protect your business against the most common online threats. By setting out five controls, Cyber Essentials will significantly reduce your company’s vulnerability to cybercrime, helping to make sure that the business is properly protected online. It is suitable for organisations of all sizes and all sectors. Not only will your business be more secure as a result, you will also be able to display a badge demonstrating that you adhere to a government-endorsed standard, giving you a distinct edge over competitors. The certification is already mandatory for many government contracts, and many large firms are now looking to require the same of their suppliers.
Other government-approved guidance includes:
- Cyber Security: advice for small businesses – a short, simple guide which shows you how to get basic security measures in place to protect your business
- Cyber security training for business – free online cyber security training for staff, managers and business owners
- The Information Commissioner’s Office’s data protection guidance for small business – simple, practical advice on how to keep your customers’, suppliers’ and employees’ personal information secure.
Not only can small businesses improve their own security by adopting these simple steps, they can also pass on the advice to their customers.
For more information visit www.cyberaware.gov.uk