Cyber security has dominated the headlines in recent months with many companies declaring war on cyber criminals. But how can SMEs combat these unseen, unknown criminals?
In March, the government’s National Cyber Security Centre (NCSC) partnered with the Crown Commercial Services to establish a new framework for the public sector to buy certified cyber security consultancy and devices – alongside £1.9 billion funding to help illustrate to companies what good cyber security looks like. This move is particularly important given the recent Cyber Security Breaches Survey 2017 found a quarter of companies experienced a breach at least once per month but only a third had security policies in place, whilst 10 per cent had an incident management plan.
When it comes to cyber crime, SMEs are doubly susceptible to being victimised and are often perceived as softer targets.
Nearly half (45 per cent) of small businesses don’t have a cyber security plan for their business, according to research by Smith & Williamson. The recent WannaCry cyber attack crippled parts of the NHS as well as other high-profile companies such as Nissan and Renault, and the effects are still being felt. However, despite the well-publicised effect of what was a relatively low-tech attack, recent research has indicated that many small businesses do not have a plan for their business should they find themselves in a similar situation.
“For an investor, a business that has thought about their cyber security and has more control of their tech estate can be more attractive for investment. It shows that they take these things seriously and is a reflection of the culture and values the company has,” says Fergus Caheny, partner and head of technology at Smith & Williamson. “A well thought out, and developed, cyber security plan tends to translate to a business that can identify and react appropriately to the many factors affecting their business. Control of their tech estate is key for any well-managed company. It is now, and increasingly in the future, one way for an investor to get to the heart of a business and ascertain the true nature of the management and the culture within.”
“We wouldn’t expect all early stage businesses to be spending extravagant amounts on developing a plan and high-tech software. However, the owners and managers should be able to demonstrate that they have thought of the problems and have a plan should the worst happen. Equally we would expect the tech investment to scale and grow as the business does.”
One example where cyber security will come to the fore is the new General Data Protection Regulation (GDPR), which takes effect from 25 May 2018. It is a sweeping regulation that affects almost every business that has, keeps or uses personal data. The regulation aims to give individuals more control over how their personal data is used. It imposes requirements for organisations to have cyber security rules and plans in place, with the consequences for failing to comply being very substantial fines.
“The issue of cyber security is not going away. Investors need to be confident that a business is prepared otherwise this could jeopardise existing and future investment. A company who does not have a full handle on their tech estate now is in a race against time to ensure they do before next May,” Caheny adds.
In addition to the potential cost of being hit by hackers and other cyber criminals, companies also risk losing the confidence of consumers, with 58 per cent saying they would be less likely to use a company’s services if an incident happened.
In today’s world, being prepared against cyber crime is no longer an option for SMEs; it’s a necessity. The consequences of ignoring the risk of cyber attacks are too great, both in potential financial cost and in loss of customer trust and loyalty.
Meanwhile, separate research released by CyberArk has found that 52 per cent of UK office workers would access sensitive company data if they knew they wouldn’t get caught. The survey of 1,000 UK workers reveals what they would do if they had advanced cyber skills. Colleagues’ salaries and office gossip over email or IM are the most prized information for employees. Nearly a third would try to give themselves a pay rise, and 19 per cent would allocate extra holiday. One in five say that the only thing holding them back from attacking their employer is the lack of technical skills.
“Security teams have long known that one of the most effective ways for attackers to access sensitive data is to masquerade as a legitimate insider – using existing privileged credentials to roam around a network and conduct reconnaissance virtually undetected. While this survey highlights the potential mischief that employees can get up to without proper access controls, it’s also an important reminder that insiders – or cyber attackers posing as insiders – pose one of the greatest security threats to organisations today,” says CyberArk regional VP, Matt Middleton-Leal.
Cyber criminals are getting more aggressive with their attacks, which are escalating more quickly than ever before – as with the WannaCry ransomware attacks, Middleton-Leal adds. “With cyber skills advancing all the time and attackers hiding behind valid credentials to avoid being noticed and caught, companies have to be more alert than ever to monitor and stop unwanted insiders in their tracks and protect their most valuable information.”
If you want to know more about the consequences of cyber attacks on SMEs, or ways to prevent them, take a look at the infographic from Market Inspector below.