You’re never too small to be the victim of a cyber attack. But far too many SMEs, particularly micro businesses and one-man bands, think that they’re too insignificant to be targeted by hackers and online organised crime.
The reality is that almost all companies use the internet, and computers are an everyday part of even the smallest firms’ working lives. Through negligence and naivety, small enterprises are leaving themselves at risk of huge business disruption due to cyber crime. Then there are the reputational issues associated with loss of data and lax professional practices, not to mention potentially ruinous costs for a business in terms of lost revenue and the need to repair any damage done.
- More than eight out of ten of Britain’s micro businesses – those with fewer than ten employees – believe their computer systems won’t be attacked because they’re too small and don’t have anything worth stealing, according to a recent study by antivirus group Kaspersky Lab.
- Yet about 41 per cent of SMEs fell victim to cyber crime over a recent 12-month period, research from the Federation of Small Businesses (FSB) found. Individually, firms affected face costs of about £4,000 each on average, while cyber attacks cost the small business community up to £785 million overall every year.
What might cyber criminals want from the average SME? You name it. Money, obviously. Information, such as client data, including financial details. Hackers may be after product designs, or background on deals planned. And it’s not just organised crime that companies need to worry about. Perpetrators could be disgruntled or dishonest current or former employees, or even unscrupulous competitors who want to gain a competitive advantage over their peers.
There are a number of types of threat that businesses face to their computer systems:
- Malware and Trojan horses. These may be viruses or programs that embed themselves in a computer with the intention of destroying functions, mining for information, or giving somebody back-door access to a business’s system.
- Spam and phishing. Unwanted emails are frustrating, but some messages contain viruses or links to malicious websites. Phishing emails may also pose as urgent missives, while really masking an attempt by an outsider to gain access to a company’s computer files. And be aware that phishing extends to social media these days. If you receive suspicious-looking or unfamiliar posts, status updates or online adverts via Facebook, Twitter or other platforms that the business uses, always err on the side of caution.
- Card fraud. The growth in online sales has seen more small companies taking payments through their websites and via electronic devices. As a result, so-called card-not-present fraud has also been on the rise, and smaller businesses can be particularly prone to losses when they haven’t put sufficient security measures in place. Automated detection systems can help prevent this, identifying suspicious payments and stopping them where necessary. And firms should be careful to use established, secure payment services such as PayPal, SagePay, Verified by Visa or Mastercard SecureCode.
The potential damage done by cyber crime can be considerable, and some small companies never recover. The Kaspersky report found that a third of firms wouldn’t know what to do if a security breach occurred; four out of ten believe that they would struggle to recover any data lost, while a quarter admit the information stolen would be gone for good.
When recent research indicates that even computer science graduates aren’t adequately trained in cyber security, is it any wonder business owners are so confused? But all hope is not lost. There are a number of simple measures that small companies can take to protect themselves against technological attack. The FSB has drafted a list of tips to help SMEs with their cyber security:
- Make sure that you have security protection in place, and use a combination of measures, including anti-virus software, firewalls, and spam filters. Always ensure your wireless network is secured and password-protected.
- Update security on a regular basis, and check that systems are working on all computers and devices used in the company. Have a clear, written policy relating to how staff use email, internet and mobile gadgets.
- Change passwords throughout the organisation on a regular basis, and insist that employees choose something sufficiently secure with a minimum of eight characters and a mixture of upper and lower-case letters and numbers.
- Give staff training in security. It is also wise to undertake proper background checks on new members of staff, even those working for the company on a temporary basis.
- Carry out risk assessments to determine where the weaknesses may be in your business set-up, plus what elements are the most important to the day-to-day function of the enterprise.
- Devise a back-up and recovery plan in case the worst occurs and a cyber attack takes place. Time can be of the essence, so staff should know what to do and how to limit damage.
- If you use cloud services, check provider credentials and contracts, and also be aware of who has access to your system both within the company and outside of it.
When it comes to putting defence measures in place, SMEs may decide to manage security themselves or outsource to external experts. You could turn to accredited security consultants, managed service providers, or even your web designer if they have the right experience. But businesses can start by getting advice from a number of useful, free sources online. GetSafeOnline is a website offering guidance on shoring up your business’s internet defences. The Government has its own guide for small firms looking for information on cyber security, and it launched an initiative earlier this year called Cyber Streetwise giving tips on keeping your SME safe.
And if your business has already fallen victim to a cyber attack, report it to Action Fraud to try to track down the culprits and prevent future security breaches. The worst thing to do is put your head in the sand and pretend it never happened. And, if you’ve escaped cyber attack so far, don’t think it could never happen to you.