More than a third of small businesses fell victim to a cyber attack by an outsider in the past year, costing them on average between £75k and £311k. So what do SMEs need to do to make sure their systems are secure?
The concept of cyber security is a complex one, particularly for those who don’t have specialist knowledge within the sector. Despite this, it is vital that companies as a whole have an understanding of cyber breaches in order to ensure that the business doesn’t come under attack.
According to Vincent Geake, cyber and technology expert at industry insights firm Deloitte, a cyber security plan should be considered not only from an IT perspective but should also be business-led. Speaking to SME, he said: “What companies need to do is to get the people managing the business to understand what cyber risk means to them as a business.
“Everybody in a company needs to have an understanding of the types of attack a business can be threatened by.”
Irrespective of size, all businesses are susceptible to hacking and cybercrime. Firms such as Apple and Sony have been victims of hacking attacks. In November 2014, Sony Pictures Entertainment had its business network attacked by a group called Guardians of Peace. To this day, there has been no confirmation of who the group were, but they managed to wipe the company’s hard drive and email system and steal the social security details of 47,000 employees.
In the past year there has been a significant increase in the number of security breaches in both small and large companies. In PricewaterhouseCoopers’ (PwC) 2015 Information Security Breaches Survey, 90% of large organisations reported a security breach in the past twelve months (up from 81% in 2014), with 74% of small businesses reporting a breach (up from 60% a year ago).
More than two thirds (69%) of large organisations and 38% of small businesses were attacked by an outsider in the past year. In total, breaches cost large corporations £1.46m - £3.14m, with small businesses facing costs of £75k - £311k.
Andrew Miller, director at PwC, said: “One of the key things that we found with our survey is that organisations that have security policies set [in place] and actually make their staff aware and engrain it in the behaviour of the organisation experience a third less in terms of breaches.
“It’s always best to establish what the company’s expectations are to get staff to buy in to culture and put those practices into action.”
Despite its importance, recent data published by the FT/ICSA Boardroom Bellwether survey suggests that cyber security is a low priority in the board’s decision-making process. While three-quarters of FTSE 350 respondents claimed that their exposure to cyber risk had increased, a quarter of boards claimed that no action was being taken to mitigate this.
A further third claimed that they had not discussed social media policy.
Miller added: “What your business aspires to needs to be discussed at management level with the appropriately skilled security and business people in the room, so that the organisation isn’t just throwing money at the problem and is actually taking a view on what the business is trying to achieve, how risky an appetite they have in the pursuit of profit and how to go about balancing that.”
According to the Data Breaches report, 81% of organisations surveyed said there was an element of staff involvement in some of the breaches they suffered, including unauthorised access to systems or data, breaches of data protection laws or accidental loss of confidential information.
While basic staff training can be a cost-efficient way of minimising the likelihood of cyber attack, it is also important to financially invest in preventative strategies, as well as coping mechanisms should a cyber attack take place.
It is also important for cyber professionals to show board members a return on their security investment. Miller said: “There has been a prior trend to spend money and [without being] able to measure what the benefits of that investment have been, now there is much more scrutiny where boards need to ask ‘you are spending our money but where is our money being spent, and is it being spent in the right areas?’”
One of the key areas is the immediate identification of deliberate malicious attacks on the business’s systems. According to the 2015 Data Breaches report, two-thirds of organisations reported spotting breaches within a week of them taking place, with the remaining third taking between 7-100 days to spot data problems.
While investing money in cyber security can be costly, the ramifications of not doing so can have an extremely detrimental long-term impact on the business. As well as harming consumer trust, a breach has legal consequences, because businesses are legally responsible for the data that they hold. This means that they can be prosecuted under data protection laws if personal information goes missing and they are deemed not to have taken enough care over how the data is stored.