It’s official: SMEs can no longer afford to ignore cyber threats, especially with regard to small business data breaches.
And the reality is that the numbers make for stark reading. According to research, the average cost of a data breach for a small business in the UK is a whopping £11,000. But it’s not just the cost of the breach itself; it is all the hassle and distraction it causes the business as it tries to put things right. And even worse, up to 60% of small businesses shut down within 6 months of falling victim to a serious cyber attack.
Despite these facts, many small businesses seem unable or unwilling to face the threat head-on – or engage an IT support company with expertise to help. From a lack of cybersecurity decision-making to being lulled into a false sense of security, it’s clear that SMEs can – and should – do more to protect their interests from cyber-attacks and data breaches. Initially, that may simply mean ensuring that they deploy and maintain effective anti-virus software and put in place data breach insurance for their small business, ahead of putting in place a more heavyweight Cyber Security solution that is designed to protect both their customers and their data.
In this article we discuss 10 things every small business owner needs to know about data breaches, and give you a head start on understanding how to better protect yourself from the hackers.
4 common reasons small businesses overlook CyberSecurity and Data Protection
Unfortunately, there seems to be a trend of small businesses underestimating cybersecurity threats or not doing enough to prevent them. The statistics bear this out, with 43% of SMEs in the UK not having a Cyber Security plan in place. Plus, another 1 in 5 don’t even have anti-virus software installed.
This approach is completely counter-intuitive, given the significant damage we know cyber attacks can cause.
However, there are several understandable, if misguided, reasons for this:
- Reason #1 – The first reason is that there seems to be a misconception that cyber criminals mainly target big businesses. In reality, 43% of all cyberattacks are aimed at SMEs, as many cyber criminals view them as easy pickings. In contrast, 54% of SMEs believe they are too small to be targeted
- Reason #2 – Another is that small businesses underestimate the value of their data. However, it’s estimated that just a single stolen record containing PII (personally identifiable information) costs £130. Multiply that up by thousands of records on customers and even staff and the true cost of a small business data breach quickly mounts up
- Reason #3 – Some small business owners are also unaware of all the possible consequences of being a cyber victim – which could cost up to £11,000 to investigate. And that is only the tip of the iceberg, as businesses can face legal proceedings from the public or authorities for non-compliance, and the impact on your reputation can be impossible to calculate
- Reason #4 – Another obstacle is the perceived difficulty and cost of becoming compliant with cybersecurity guidelines and implementing cybersecurity measures. While Cyber Essentials accreditation only costs £300, it can take thousands of pounds in training and consultation to achieve accreditation status, not to mention the complex web of CyberSecurity guidelines when dealing with GDPR regulations and other regulatory compliance. In addition, many SMEs don’t have the know-how to deal with cybersecurity. As many as 47% of small businesses do not understand how to protect themselves against cyber attacks. Up to 3 in 4 SMEs don’t have dedicated IT security personnel. For example, few SMEs are even aware of the existence of such a thing as data breach insurance for small businesses
4 security risks around data for small businesses
Regardless of your industry or business size, SMEs face a myriad of security risks regarding their data.
Cybercriminals are continuously evolving, changing their attack methods and goals and finding new ways to rob businesses of their data or money. However, some of the ‘good old’ attack vectors are still the most common, including:
- Phishing: Phishing is a form of social engineering whereby an attacker imitates a legitimate entity (such as a staff member in your business) over a communication channel, usually email. Often, this is used as an initial attempt to obtain sensitive information from employees or deploy malware via infected attachments
- Malware: This type of threat can come in a variety of shapes and forms. Trojans, adware, worms, botnets, spyware, etc. – take your pick. There are over 1 billion types of malware in existence, with an astonishing 560,000 new pieces of malware detected every day. While they have different targets and levels of severity, the sheer volume of malware presents a logistical challenge. So, ensuring that you have the right type of protective tools in place is going to be key for your business
- Credential theft & Insider threats: More than half of cyber-attacks involve a human element. From weak passwords to insider threats, your data security is only as good as your people in many ways. That is why Cyber Security training and effective internal procedures built around principles like two-factor authentication (2FA) should be a key part of your defences in your small business
- Ransomware: Of all malware, ransomware is currently the most widespread and insidious threat to the data of all businesses. In this scenario, hackers deploy ransomware which employs encryption that effectively locks your business data. And you are asked to pay a fee to regain access. According to IBM, the average ransomware attack costs more than double what other data breaches cost
The same reason why small businesses underestimate the threat of data breaches is a key factor in why these attacks are so successful. Put very simply, too many SMEs don’t have the necessary measures in place to prevent small business data breaches, let alone manage and recover from this type of cyber attack.
You can’t prevent what you don’t understand, which applies doubly when it comes to CyberSecurity threats. Without dedicated CyberSecurity staff or even anti-malware, many small businesses have no defences in place. This makes it a simple matter of when, not if, you will experience a data breach.
And if the worst actually does happen, acting quickly and decisively is your best chance of mitigating the damage and recovering any data. Also, it gives you the knowledge and experience to better prepare for future attacks.
It is for this reason that many small and medium-sized businesses look for external support on cybersecurity from specialist IT support companies who have the type of expertise needed to address the threat – often as part of a wider approach to Managed IT Support. Managed IT service providers are working to address security concerns across a much bigger pool of small businesses, and it is this expertise which is available to SMEs in a much more cost-effective way than trying to do the work internally themselves.
2 of the latest cyber security challenges small businesses might be unaware of
There are also 2 additional challenges that you might not be aware of:
#1 – The increasing risk of hybrid and remote working
Technological advancements, a drop in costs and the COVID-19 pandemic have accelerated the leap to remote and hybrid working environments. However, this doesn’t come without its risks. According to IBM, cyberattacks involving remote work cost more, and the cost is even higher for companies where 80-100% of the workforce is remote.
Part of the reason for this is that personal cybersecurity hygiene and discipline are even more important in remote environments. Staff mostly use unsecured personal devices or connect to less secure networks at home, or their favourite coffee shop, in order to work. And remote environments can exacerbate the human factor, which is already a significant contributor to CyberSecurity incidents.
Clearly, this is a significant challenge facing SMEs right now. Especially since many small businesses have not had the time to adapt fully – and securely – to the changing way of working.
#2 – The difficulty of accessing high quality Cyber Security programmes
The second challenge is the problem of accessing quality cybersecurity training, education, and awareness programs. Your CyberSecurity is only as strong as your weakest link and, unless they are adequately trained, that’s usually your staff.
That’s the reason security compliance standards like Cyber Essentials and ISO 27001 are so focused on improving awareness amongst staff members. They also recognise that training is not a one-off investment but needs to be continually updated as technology and cyber threats evolve.
Here are just some of the aspects of CyberSecurity your employees need to be trained in:
- How to spot cyber threats, whether suspicious files, spoofed domains, phishing emails, malware, etc.
- Which steps to take to make their devices more secure (updating software, installing anti-virus, using VPNs, etc.).
- Applying strong password and credential practices (creating strong passwords, using secure password managers, etc.)
- The rapid action they need to take if a cyber incident takes place (initial steps to take, who to report it to, etc.) and, if the very worst happens, activating disaster recovery and business continuity plans
With literally thousands of pounds on the line, data breaches in SMEs are no small matter.
However, even if you understand the risks as a business owner, not all SMEs have the resources to address all the possible threats on their own. A partnership with a recognised dedicated IT partner specialising in small business security services could give you the peace of mind that your business is protected, and mitigate the risk of costly breaches and time wasted on solving a CyberSecurity breach.
Not only can they provide the direction and leadership that’s needed to implement an effective approach to IT security, but also the capacity and expertise to prevent and address CyberSecurity incidents. In this way, Cyber security solutions for small businesses can help shore up your IT resources in a cost-effective manner.
If you would like an independent and no-obligation assessment of your own IT security, then please do not hesitate to contact us for an informal discussion with one of our IT experts.