How much do Small and Medium Sized Enterprises (SMEs) have to fear from cyber-attack?
The high profile cyber attacks of the past year have involved much bigger commercial fish than companies in the SME market. But that doesn’t render them immune – far from it.
74% of small businesses have suffered a cyber security breach, according to the PricewaterhouseCoopers 2015 Information Security Breaches survey (up 60% year-on-year), with four as the median number of breaches suffered by SMEs and an average cost of between £75k and £311k. Of those affected, 38% suffered from viruses or malicious software while a further 16% were hit by a denial of service attack.
And Graeme Newman of CFC Underwriting – a specialist Lloyd’s of London company – said at the recent Insurance Times Cyber Insights 2015 conference: “Small businesses are unaware of the speed that cyber risks are developing and are getting caught out.”
Clearly, the evidence strongly suggests that SMEs are at risk, often because they provide a stepping stone to the bigger fish in the chain.
In an effort to build greater resilience to cyber attacks, the UK government last year launched a voucher scheme that will offer micro-enterprises and SMEs up to £5,000 for specialist advice to boost cyber security and protect new business ideas and intellectual property. “We want to help protect UK businesses against cyber-attack and make the UK the safest place in the world to do business online,” said digital economy minister Ed Vaizey.
But if you run a small to medium sized company, what do you need to know before you begin to invest in cyber resilience?
- You need to have a clear understanding of what data and systems are critical to your business
- If your business collects customer data, it’s a potential target for attackers. If that data is lost or stolen, you can be fined. In a worst case scenario, a company can be fined £0.5m, which is more than sufficient to put many small companies out of business or damage their reputation irrevocably – again, potentially jeopardizing the business altogether
- If your company is expanding – and will have bigger and more lucrative companies in its supply chain – it becomes imperative to invest in cyber resilience as a “business as usual” (BAU) activity. In fact, cyber resilience should be a BAU activity, full stop
- You need to seek out freely-available best practice methodologies, such as the Cabinet Office’s 10 Steps to Cyber Security and the UK Government-backed Cyber Essentials scheme. Adopting the principles outlined will help reduce the risk of cyber attack
- If you are considering cyber risk insurance, recognize that it’s very difficult to price and may not cover you for all eventualities. Equally, having cyber insurance doesn’t mean that you can forget the risks and carry on as normal.
We know that a company’s greatest information and systems vulnerability comes from its own employees – computer users who are connected to both the internet and the company’s systems and data. In fact, about 80-90% of all incidents start with someone opening a link or attachment.
So, effective awareness is an incredibly cost-effective control to manage this risk, particularly in small to medium-sized business environments where there aren’t necessarily the resources to deploy and maintain additional technical tools.
AXELOS has developed the RESILIA™ training, learning and certification to help all businesses improve their level of cyber awareness, resilience and capability to prevent, respond to and recover from a cyber attack.
If your business is online – and regardless of whether your company is big or small – you’re a target for cyber attackers. Spending money on cyber resilience is no longer a choice.
See our RESILIA™ section for more information about cyber resilience.