Cyber security for small businesses

Cyber security is a critical issue for all businesses. However, unlike large organisations, small businesses often lack the resources (physical, human and financial) to cope with the challenge of becoming cyber secure. Instead, most of their attention is dedicated to commercial activities and winning new customers, leading to the dangerous neglect of emerging business risks, which, in the modern world, means cyber risks.

Small businesses are getting hit hard

Just like large organisations, small businesses rely heavily on technology and the Internet to perform their operations, which makes them vulnerable to cyber attacks and data breaches.

Cyber criminals are prolific and they are also indiscriminate. Today, it’s easier than ever to gain access to automated hacking tools, which means that everyone is a potential victim. But while a data breach can seriously damage the reputation of a large organisation and harm it financially, it can completely ruin a small business that is unable to meet the financial consequences that will inevitably follow.

Evidence suggests that small businesses are getting hit hard. According to PwC’s 2015 Information Security Breaches Survey (ISBS), 74% of small organisations in the UK reported a security breach in 2015, which is an increase from 60% in 2014. Moreover, breaches cost small businesses £75-£311k on average – an increase from £65-£115K a year ago.

With these statistics in mind, it is easy to see why small businesses urgently need to invest in cyber security, whether they like it or not.

Getting the basics right

If you are a small business, accepting that you are also a target of cyber criminals is the first important step towards cyber security.

The second step is to ensure that you are protected against basic cyber attacks. Small firms are not expected to have in-house cyber security experts, but they should look to security firms for help and other support services.

Small businesses will benefit from a Cyber Health Check to help them identify their actual cyber risks, audit the effectiveness of their responses to those risks, and create a prioritised action plan for managing those risks in line with their business objectives.

10 Steps to Cyber Security

In its 10 Steps to Cyber Security framework, the UK Government identified 10 security areas that businesses need to review to protect themselves against the majority of cyber threats.

  • Board-led Information Risk Management Regime
  • Secure Home and Mobile Working
  • User Education and Awareness
  • User Privilege Management
  • Removable Media Controls
  • Activity Monitoring
  • Secure Configurations
  • Malware Protection
  • Network Security
  • Incident Management

Cyber Essentials

Taking its cyber security strategy further, the UK Government developed the Cyber Essentials scheme, which provides guidance on implementing critical security controls as well as a method of demonstrating to clients and stakeholders that an organisation is secure.

Although the scheme is applicable to small and large organisations alike, it particularly benefits small businesses as achieving certification is both simple and affordable.

According to the scheme, the critical cyber security controls organisations need to implement are:

  • Secure configuration – implement security measures when building and installing computers and network devices to reduce unnecessary vulnerabilities.
  • Boundary firewalls and Internet gateways – provide a basic level of protection where an organisation connects to the Internet.
  • Access control and administrative privilege management – assign special access privileges only to authorised individuals and provide the minimum level of access to applications, computers and networks.
  • Patch management – keep the software used on computers and network devices up to date so that it resists low-level cyber attacks.
  • Malware protection – install and regularly update malware protection software.

Whatever approach they choose to follow, small organisations would be wise not to bury their heads in the sand when it comes to cyber security, and should instead take control.

Find out more about Cyber Essentials and how to achieve certification at: www.itgovernance.co.uk/cyber-essentials-scheme.aspx
