A recent report has highlighted the risks to SMEs posed by cyber-attacks, concluding that a quarter of them (around 1.3 million businesses) would not be able to continue operating following a serious hacking incident. The risks are only growing as well, with almost a third of SMEs reporting an increase in such attacks since the first lockdown. Although there have been calls for additional government resources and assistance to combat this rise in cybercrime, it’s worth reviewing the key risks SMEs face, and how to mitigate them. Elliot Fry, Managing Associate at law firm Cripps Pemberton Greenish, takes you through the issues.
What’s the Harm?
The risks for SMEs broadly fall into four categories:
Direct monetary losses
Funds which are stolen by cyber-criminals through unauthorised transfers, or extorted through ransomware.
Lost revenue or the costs of rectification caused by damage to systems. This is particularly relevant given the additional reliance many businesses have on remote working.
Whether it’s adverse press coverage, or poor customer experiences due to unavailability or data loss, cyberattacks can cripple customer confidence in a business.
Although perhaps not as frequent, the Information Commissioner’s Office (ICO) still has the power to impose significant fines.
All of these risks can contribute to the impact of a cyberattack, and all of them take time and resources to address after a hacking incident. However, there are measures which can be taken to avoid or mitigate the impact of each of them.
What can I do?
General technical and organisational security measures should be the primary focus of your efforts. In particular, as more individuals work from home, all businesses should consider multi-factor authentication on any important systems, rather than just relying on passwords. The human element should not be neglected either. Staff should be able to spot and report phishing attacks and understand the basic requirements of cybersecurity which relate to their role and access.
More specifically, in relation to those four categories of risk:
Direct monetary loss
In addition to anti-phishing training, staff should only have access to systems on a “need to know” basis, which reduces the likelihood of a cybercriminal gaining access to multiple internal systems. Many cyberattacks also focus on redirecting payments, and robust internal processes to verify payment requests and details can help defend against this.
Business continuity and disaster recovery policies and systems are key to minimising the operational effects of a cyberattack. Review with your providers what fallbacks are in place, or engage a separate provider which can step in if required.
While you can’t control customer perception, you can plan for how you will address the issue with customers, and demonstrate the measures you have in place to prevent future incidents. Bear in mind also that in some circumstances you will be legally required to notify individuals of a security incident under data protection law.
Co-operating and proactively reporting incidents to the ICO where required will always help reduce the risk (or amount) of any fine which is imposed. However, not all the work has to be after the fact. Clearly documenting your security processes, logging past incidents (however small) and any remediation measures, and having a clear plan of action in place to deal with incidents, will all reduce the likelihood of regulatory action.
Security is very easy to ignore until an incident makes it a top priority. Your key focus should be on identifying the highest-risk areas (in terms of likelihood or potential for damage) and addressing these first. If you don’t have appropriate expertise among your staff or through a consultant, you may be able to ask your suppliers for more details of the relevant security measures they have employed for you. However, even where an incident affects a supplier’s system, it impacts you as well. You should review what protection and support is available in your supplier contracts, to ensure you have appropriate remedies if their systems are compromised.