Cyber attacks against all businesses are continually increasing in number and frequency, and small businesses would be naïve to believe they are safely tucked away from exposure. In fact, data from Symantec’s 2016 Internet Security Threat Report showed that 43% of all cyber attacks in 2015 were on small businesses. According to IBM, small and mid-sized businesses together account for 62 percent of all cyber attacks. In the UK, a similar government study found that 60 percent of small businesses had suffered a cyber breach costing between £65-115k. Only a third of the top 350 businesses were found to understand the true threat of a cyber attack, and as a result the Cyber Essentials scheme was set up.
Unfortunately, small business owners remain under-prepared to address and respond to cyber attacks, and do not believe they face the same cyber risks as a larger corporation. They fall into the hackers’ ideal target market: they hold more digital assets than an individual consumer, but have less security than a large enterprise. Poor security and a lack of awareness and training leave SMEs vulnerable to attacks, which is why it is important to take steps to increase your cyber security.
The cost of hacking ranges from the relatively minor inconvenience of reputational damage, through loss of customer data and fines, to the ultimate cost of company closure. The U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their business for more than six months after a cyber attack.
Many businesses will suffer business interruption from cyber crime. Some will need to close their doors to investigate the source and impact of the breach, as well as suffering lost sales and opportunities. Additional costs can also be incurred in order to update or implement new security systems, as well as any possible concessions that will need to be offered to customers to rebuild trust and loyalty.
So how can your small business guard against cyber attacks?
1. Increase Staff Training
Most cyber breaches are the result of an employee accidentally divulging information or doing something they should not have done. The first step is to train all of your employees on security policies and procedures and on how to protect sensitive data. Weak or common passwords often allow easy infiltration of systems, as do phishing (opening infected emails) and the use of infected external devices. Maintain awareness of these risks among individuals and across the business.
2. Create A Business Continuity Plan
Such a plan can be put into effect as soon as systems have been compromised. You should establish an incident response and disaster recovery procedure to limit the damage.
3. Protect All Devices That Connect To The Internet From Malware
Set up boundary firewalls and internet gateways to protect your data. Always install the latest security updates, and keep anti-malware protection current so that it can scan for and identify any known viruses across the organization. You can also establish data security protocols and create ‘whitelists’ to control traffic through your network and to block access from or to certain IP and email addresses.
4. Scan Or Refuse Use Of External Devices And USBs
Scan all removable media for malware before importing anything from it onto the IT system. It is a good idea to maintain a policy that controls access and limits the media types that may be used, to reduce risk.
5. Encrypt Your Most Sensitive Data
Encrypting sensitive data, in particular financial data, is important, and encryption can be hardware- or software-based. Encryption allows confidential data to move from one network to another without being compromised: it cannot be accessed by unauthorized users because the algorithm renders the data unreadable to anyone who does not hold the key.
6. Consider Cyber Insurance
Finally, while you can put measures in place to limit risk, you cannot always stop cyber crime. By insuring your business against the cost of cyber crime, you can cover the losses relating to damage to, or loss of, information held on IT systems and networks.
Increasingly, businesses are buying specialist cyber insurance policies to cover first party and/or third party losses. First party cover protects the insured business’s own assets (such as loss or damage of digital assets, reputational damage and theft of money), while third party cover protects against claims relating to the assets of others, in particular customers (such as defence costs, defamation and compensation).
Unfortunately there is no ‘one size fits all’ solution to cyber insurance, and it is difficult to quantify an organization’s individual risk, so it is recommended that you approach an experienced broker in this area.