Technology / Small businesses cut corners in cyber security at their peril, say experts

Small businesses cut corners in cyber security at their peril, say experts

It can be tricky to stay secure as a small business. Expensive cyber-security solutions are sometimes out of reach, larger businesses snaffle promising security talent, and restricted resources limit staff training programmes. But often, experts say, the problem is that SMEs simply do not consider cyber-security to be a priority.

“One of the things you seem to hear a lot from SMEs is, ‘We are too small. We do not need security,’” says Adrian Davis, EMEA managing director at (ISC)2. “But actually they can be some of the most vulnerable companies.”

While 54 per cent of SMEs fear the threat of cyber-crime, a recent survey by Barclaycard showed that only one in five see tackling the issue as a business priority, and only 15 per cent are confident they have adequate measures in place.

And research from earlier this year showed that 93 per cent of small firms fail to consider how a cyber-attack could impact upon their reputations – an important asset for SMEs competing against rivals large and small for business. But the risk extends beyond their walls and threatens the security of their customers and the wider web.

According to David Shearer, CEO at (ISC)2, cyber-criminals will always look for the “weakest link” when carrying out an attack. If they are looking for insider information about a large company, for example, it might be easier for them to attack the small business that designs its reports than to take on the bigger firm’s sophisticated security systems.

“When we look at SMEs that are vulnerable, they are vulnerable for everyone who does business with them and everyone on the web,” Shearer explains. He believes that as well as day-to-day ransomware and phishing attacks, undetected malware is being positioned that could eventually be used to launch bigger operations that could even endanger lives. “This malware can have the same kind of massive implications and even affect critical infrastructure,” Shearer explains. The “burrowed in” bots and malware could be used “in a way that constitutes warfare”, he says.

There is also the risk, of course, of small companies closing down. A 2012 study by the US’s National Cyber Security Alliance found that 60 per cent of small US firms hit by data breaches went out of business within six months.

And the threat is only increasing. Nine in ten phishing emails now contain ransomware, for example, and ransomware domain creation was up 3,500 per cent in the first quarter of 2016. As well as technology, the information security issue is also one of people and training, with human error behind nearly two thirds of data breaches.

But with so much potentially, how can security experts get the message through to SMEs that cyber security matters? “The thing that sends the strongest message is CEOs losing their jobs,” Shearer says, either when their firms go under or when they are sacked as a result of breaches. “But it is also understanding that you need somebody in this small business who says, ‘There are ways we can function as a small business and say this is not a core thing for us.’”

Cyber-security talent can be hard to come by in an industry facing a skills shortage. Despite the usual warnings about the cloud, Shearer says it can be the better option for SMEs lacking the in-house expertise to stay secure themselves. “Some organisations actually get more secure by going to the cloud because many have very basic control over who has access to this information. They are all over the place.”

Small businesses should still make the usual checks, he explains – ensuring data is encrypted and users properly managed, for example – but this is one of many ways those without the resources for a full security team can stay secure. “There are steps that do not necessarily mean bringing in an army of cyber-security folks,” Shearer says. “That army is not there.”

Shares