The online threat to small businesses is well-reported, with more than 875,000 UK SMEs falling victim to an attack in 2017. This comes at a time when firms are forced to consider a number of economic challenges, which often means getting to grips with the growing risk of cyber crime is no easy feat.
Government figures show that average investment in cybersecurity is as little as £152 for small businesses and £5,210 for medium-sized enterprises. Fortunately, progress is being made and these figures are gradually rising as more businesses become aware of the risks that they are faced with.
Cyber diligence does not have to come at a price, however, as a wealth of easy-to-implement advice is made freely available. Here’s how to make the most of it.
Learning from the mistakes of others
Policy makers are constantly reviewing major breaches and publishing findings to ensure that such events are not repeated. Take, for example, the volume of documentation that came out of the NHS WannaCry breach. Since the attack, the IT practices of the NHS have been heavily scrutinised, with 200 trusts undergoing assessment and receiving recommendations for improvement.
Many of these recommendations are extremely relevant to small businesses and can be easily implemented with limited technical knowledge and at little cost. A good example can be found in the concerns raised about the NHS’ use of legacy software. As far back as April 2014, NHS trusts had been warned to migrate away from old software such as Windows XP. Yet at the time of WannaCry, five per cent of the NHS IT estate was still dependent on it. The NHS was therefore strongly advised to audit and update its existing IT infrastructure more frequently, a key recommendation many small businesses would benefit from.
But this level of scrutiny is not reserved for public bodies; failings within the private sector are equally subject to interrogation. The influential House of Commons’ Treasury Committee is still investigating TSB’s IT meltdown, publicly criticising the firm for its subsequent communication to customers. The key lesson for SMEs is the need to prepare for any disaster. Emergency or mass communication plans do not have to be complex, but they do require thought and planning to ensure that you have an alternative method of communication. Worryingly, most small businesses do not take this into account until it is too late.
Guidance and cyber intelligence are produced by the government on a weekly basis, equipping businesses with information on the most prevalent threats and guidance for securing their systems. But these resources are greatly underappreciated, with only a minority of businesses utilising them to full effect.
The National Cyber Security Centre (NCSC) produces a weekly report which can be subscribed to at no cost, providing a summary of the top threats and methods to mitigate them. Separate guidance is also released on a regular basis, touching on a range of topics, from information on the reliability of popular downloads to best practice on organisational management and data governance. These documents do not offer blanket advice and each policy should be assessed against the needs of the individual organisation. Still, they do offer a great starting point for those businesses that want to start building their security practices on a limited budget.
The Cyber Essentials scheme is another excellent tool for organisations taking their first steps to improve their security. The scheme requires businesses to review their digital protection policies and provides a set of minimum standards to be adhered to. Requirements include proof of adequate firewalls, secure configuration, user access control, malware protection and patch management. Once these technical controls are incorporated, organisations can apply for government certification, allowing them to publicly demonstrate their commitment to security. However, research shows that this initiative is also greatly underused by SMEs with only 8% of small businesses aware of it.
Awareness as a solution
There has been a considerable push in recent years to raise security awareness amongst SMEs. Cybersecurity is critical to both national security and to the strength of the national economy. In a 2016 speech, the NCSC’s chief executive Ciaran Martin highlighted the instances of businesses large and small that have been impacted by cyber crime. He described what the NCSC is doing to help improve standards at a national level but ultimately, we all share a responsibility for cybersecurity.
We’re actually in a fortunate position – businesses aren’t being left without guidance or help to become secure. It is vital that businesses now take advantage of the tools and resources available to them.