Nick Gibbons, partner at BLM writes for SME.
Despite the possibly appalling financial consequences of a cyber incident, cyber risk management is often neglected by SMEs in both the US and the UK because it is frequently perceived to be only partially relevant, complex and inevitably expensive to deal with.
In fact, according to government statistics in the UK:
• A third of small businesses suffered a cyber attack from someone outside their business in 2014.
• The average cost of a major security breach is between £65,000 and £115,000 and can result in a business being put out of action for up to 10 days.
The firms questioned estimated that this could account for a third of their total revenue for the year.
The issue is also likely to increase in importance for SMEs as governments and large corporations focus on their supply chains as areas of potential risk and begin to demand higher standards of cyber security from their suppliers.
SMEs in the US and UK have the same problems:
• SMEs account for 99.8% of businesses.
• Many SMEs have not addressed cyber risk and most have no cyber insurance.
• SMEs often form part of a supply chain.
• Most cyber risk marketing materials are inappropriate for SMEs.
For insurers, explaining cyber risks, security and insurance to SMEs in person is difficult, time consuming and frequently disproportionate to the likely premium.
Conversely, a huge reduction in an SME's cyber risk can be achieved through the implementation of a relatively small number of inexpensive measures:
• The board and senior management must oversee cyber risk management.
• One person must be made the “cyber risk manager”, responsible for managing cyber risks and incidents, liaising with other managers and staff and reporting to the board.
• The particular cyber risks to which a business is exposed must be identified – a web retailer’s concerns will be very different from those of a research and development company.
• The cyber risk manager should know enough about common technical network security defences such as firewalls, intrusion detection systems and anti-virus software to enable him or her to discuss the issues with, and direct, the IT manager or consultant.
• Good physical security measures such as good quality doors, locks and alarm systems are as important in a cyber context as they are for a business more generally.
• Sensitive, confidential and/or important information must be protected in electronic form for the same reasons as paper documents have historically been secured.
• The type (e.g. personal data, confidential information, trade secrets and commercially sensitive information), owner (e.g. client, employee or business partner), location and value of the different categories of data held on a business's network must be ascertained.
• Access to sensitive and confidential data on a business's network should be restricted to those who need to see it.
• Important data of every type should be regularly backed up so that in the event of a physical disaster or cyber incident the business is in a position to continue.
Employees need to know and understand their role in maintaining cyber security. Written data protection and computer, internet and email use policies and staff training dealing with issues such as remote working, strong passwords, clean desks and social engineering are both essential and relatively inexpensive.
The security of cloud service providers, web hosting companies and other businesses with which the SME shares data must be checked.
Internal incident response and business continuity plans are essential for ensuring that incidents are promptly detected and reported and the adverse consequences to your business kept to a minimum.
Cyber incidents are here to stay and are rapidly increasing in both number and gravity. They affect every type of industry. Dealing with them must become regular and routine.
Nick Gibbons is a partner and cyber specialist at the risk and insurance law business BLM (www.blmlaw.com).