Cyber security for SMEs – can you hack it?
Prior to the recent headline-grabbing WannaCry ransomware attack, businesses may have thought such incidents only affected big American companies, the likes of Sony and Ashley Madison. The WannaCry story brings home that cyber crime is a global issue, one which is set to affect UK businesses more and more in the future, and one to which SMEs are not immune.
A government report from earlier this year indicated that 68% of large businesses and 52% of small businesses had suffered a cyber security breach in the past year. Don’t assume that just because your business isn’t national, or high profile, or based around online sales, you’ll be safe. Cyber criminals, like any other criminals, will target anyone, and may see smaller businesses as easier targets.
Cyber security breaches carry a number of potential adverse consequences. Aside from the business interruption of evaluating and repairing any damage caused, implementing emergency measures, and potentially notifying your customers, breaches of cyber security are bad publicity, and erode the trust and confidence you spend so long building with your customers. Where a breach results in your customers suffering a loss, you may find they turn to you for compensation. Defending legal claims, and dealing with more informal ones, can be expensive and risks further damage to your reputation.
So, what can you do about cyber risk? Well, as with every other risk, take steps to mitigate it, and insure against it. Many insurance companies offer a policy covering cyber attacks, together with practical advice on risk management and loss prevention. Mitigating and minimising your risk requires more than just effective firewalls and antivirus software. Implementing segregated networks and a least-privilege model ensures that the effect of any breach (be it external, or by an employee) is minimised. Network segregation creates sub-partitions that allow you to limit access to sensitive information, and a least-privilege model gives users only the permissions necessary for them to carry out their role. However, to remain effective, these controls need regular checking and updating. Effective monitoring, alerting and filtering software will help anticipate and prevent attacks, but training for users on how to identify and avoid suspicious emails and websites is also needed, as things like phishing emails become increasingly sophisticated.
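The paragraph above says that segregation and least privilege only work if they are checked regularly. The script below is an added illustration of what such a check can look like; it is not code from the original article. It compares an intended policy (the permissions each role needs, and which network zones may talk to which) against the actual state (what each account has been granted, and what the firewall allows) and reports every deviation. All role names, accounts, zones and rules are constructed sample data.

```python
"""Least-privilege and network-segregation drift audit (added example).

Compares intended policy with the actual state and reports deviations:
  * accounts holding permissions their role does not require,
  * accounts that have not logged in for a long time (candidates for removal),
  * firewall allow rules that permit a zone-to-zone flow the policy forbids.
Every name, zone and rule below is constructed sample data.
"""
from dataclasses import dataclass, field

# Intended policy: the minimum permissions each role needs to do its job.
ROLE_PERMISSIONS = {
    "sales": {"crm:read", "crm:write"},
    "finance": {"ledger:read", "ledger:write", "payroll:read"},
    "it-admin": {"crm:admin", "ledger:admin", "backup:restore"},
}

# Intended policy: which network zone may initiate connections to which.
ALLOWED_FLOWS = {
    ("office", "crm"),
    ("office", "internet"),
    ("crm", "database"),
}


@dataclass
class Account:
    name: str
    role: str
    granted: set = field(default_factory=set)  # permissions actually held
    last_login_days: int = 0                   # days since last sign-in


@dataclass
class FirewallRule:
    src_zone: str
    dst_zone: str
    action: str  # "allow" or "deny"


def excess_permissions(accounts):
    """Return {account name: permissions held beyond what the role needs}.

    An account whose role is not in the policy at all is treated as needing
    nothing, so every permission it holds is reported as excess.
    """
    findings = {}
    for acct in accounts:
        needed = ROLE_PERMISSIONS.get(acct.role, set())
        extra = acct.granted - needed
        if extra:
            findings[acct.name] = extra
    return findings


def stale_accounts(accounts, max_idle_days=90):
    """Return names of accounts idle for longer than max_idle_days."""
    return sorted(a.name for a in accounts if a.last_login_days > max_idle_days)


def segregation_violations(rules):
    """Return (src, dst) pairs allowed by the firewall but not by the policy."""
    return [
        (r.src_zone, r.dst_zone)
        for r in rules
        if r.action == "allow" and (r.src_zone, r.dst_zone) not in ALLOWED_FLOWS
    ]


def audit(accounts, rules, max_idle_days=90):
    """Run all three checks and return the findings as one dictionary."""
    return {
        "excess_permissions": excess_permissions(accounts),
        "stale_accounts": stale_accounts(accounts, max_idle_days),
        "segregation_violations": segregation_violations(rules),
    }


# Constructed sample state, containing one deviation of each kind.
SAMPLE_ACCOUNTS = [
    Account("alice", "sales", {"crm:read", "crm:write"}, last_login_days=3),
    # bob kept an admin right from a previous project: excess permission.
    Account("bob", "finance",
            {"ledger:read", "ledger:write", "payroll:read", "crm:admin"}, 10),
    # carol left months ago but the account was never removed: stale.
    Account("carol", "sales", {"crm:read"}, last_login_days=200),
]
SAMPLE_RULES = [
    FirewallRule("office", "crm", "allow"),
    FirewallRule("office", "database", "allow"),   # bypasses the CRM tier
    FirewallRule("internet", "database", "deny"),
    FirewallRule("crm", "database", "allow"),
]

if __name__ == "__main__":
    for check, result in audit(SAMPLE_ACCOUNTS, SAMPLE_RULES).items():
        print(f"{check}: {result or 'none'}")
```

Running the script on the sample data flags bob's leftover `crm:admin` right, carol's dormant account, and the firewall rule that lets the office zone reach the database directly. In practice the two policy tables would be kept under version control and the actual state exported from the directory and firewall, so the audit can be scheduled rather than run by hand.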
Cyber security isn’t just a practical requirement, it’s a legal one. Almost every business will hold personal data, and data protection legislation requires them to have adequate security measures in place to protect that data. Businesses that suffer a breach may be subject to fines or sanctions from their professional bodies or the Information Commissioner’s Office (ICO). Holiday insurance company Staysure were fined £175,000 by the ICO after their cyber security failings allowed hackers access to customer credit card and medical details. SMEs can no longer afford to ignore the risks.