Chief Technology Officer
1st October 2021
Why cyber security is important
Cyber security will always remain a pressing issue for businesses around the world, particularly so when you put factors such as the 2020 pandemic and it’s turbulence for businesses into perspective. Not forgetting the ever changing cyber landscape and various new attack methods from hackers. 57% of SMEs have admitted to a breach, and 86% of organisations expect attacks to increase going forward, so you can never predict what will happen to your business landscape. Which makes it important to be prepared and have all the necessary security tools in place to stay secure.
Whilst we appreciate many businesses push their efforts onto their revenue streams and boosting growth, the importance of cyber security in managing both of those goals can’t be overlooked. The risks of cyber attacks, data breaches and fines are acute as ever. Which makes getting cyber security basics and best practises in place essential for your SME and its growth.
1. Stories from the frontline of SME cyber security
Our consultants have been trusted advisors to businesses of all sizes. In the process of getting businesses to take their cyber security seriously, they’ve heard a range of objections and opinions on the matter. We present and fact-check the most common myths that our consultants have heard to help you understand the potential consequences of passing off strong security measures. Some of the myths might have passed through your mind too, so take a read to see why cyber security really is essential for SMEs.
Myth: “I’m too small to be a target”
Fact: Every business is at risk of cyber attack
This is a common misconception about SME security. Many SMEs think that their smaller size or business sector means they’re less likely to be a target for hackers. However you’re never too small to be a target to bad actors.
You don’t have to be specifically targeted either to be hacked, you could simply be collateral damage of a wider attack. One tactic that hackers use is to send out widespread attacks, and without cyber security basics in place, your business could be caught out. To put it in perspective, this is how the the NHS was caught out back in 2017 in what we now know as the WannaCry ransomware attack. It wasn’t directly targeted towards them, but yet the NHS was still left crippled because of some out-of-date IT security. Unfortunately the same could very easily happen to your business.
Hackers constantly scan the internet for attack possibilities. Our own honeypot data showed that new systems put online can be found by malicious actors within just 0.3 seconds, it takes more time than that for you to blink. So a hacker won’t care what kind of business you are, just whether you’re easily hackable.
Myth: “My employees are remote so security isn’t an issue”
Fact: Remote working creates new security vulnerabilities
This myth is unfortunately heard by our consultants increasingly more often. But remote working opens your business up to new cyber risks. Your staff are working outside the perimeters of standard practises, which means you have reduced oversight. No longer are your staff working from your office premises, but now in their own homes, with their own Wi-Fi and limited access to reassurance from peers.
This is particularly prevalent when it comes to phishing attacks, an attack style that jumped by 350% in 2020. Remote working means staff aren’t able to check suspicious emails with the person next to them before clicking, which ultimately leads to more security breaches.
Remote workers also rely more heavily on the cloud, but worryingly businesses don’t verify that their cloud services are securely configured. There is also often a grey area over who is responsible for what, known as a ‘shared responsibility model’, so this creates dangerous vulnerabilities in itself because it’s unknown and untested.
Myth: “I want to focus on growth right now”
Fact: Good cyber security practises helps to power growth
Cyber security doesn’t have to be disruptive to your business practises, in fact implementing security basics can be done without any impact to your operations.
Two key defence tools are penetration testing and VA scanning. Both are low-touch and are carried out by a third party provider, meaning there’s no impact to your business activities. Likewise, training your staff is a basic but highly effective tool to securing your business, and only takes a few hours.
It’s also important to note that cyber security can actually help power your growth. It helps build your reputation amongst customers and suppliers through increased credibility. Consumers are increasingly aware of the importance of cyber security thanks to the GDPR and headline-hitting breaches which is a key reason for making cyber security a priority for your SME business.
Myth: “I don’t have budget for this – my revenue is down right now”
Fact: Cyber security is accessible for all businesses, even start-ups
Despite the benefits of good cyber security and the risks of ignoring it, our consultants regularly hear that budget is the biggest concern for SMEs. But key cyber security measures don’t have to be extortionate. Even on the Essentials package of Defense.com™, you can pay as little as £60 per month for a host of security tools, including VA scanning, staff training and a Cyber Eessentials.
VA scans can make a huge impact on your security posture by quickly identifying your security weaknesses before a hacker does. Training your staff is also a great secret weapon to have as your best defence against cyber threats is your staff. Staff that are proactively aware of security risks helps you to prevent most opportunistic attacks.
SME businesses can also certify with the Government-backed security standard, Cyber Essentials, as part of their Defense.com™ package. The certification covers 5 fundamental security controls that apply to businesses of any size.
Myth: “It doesn’t matter if I’m breached because I’m insured”
Fact: Cyber insurance is no substitute for strong cyber defences
Insurance isn’t an excuse for not having security measures in place. Particularly as it’s unlikely that your insurance would reimburse the entire cost of a cyber breach. A pay out of any kind isn’t ever guaranteed either, there are instances where insurance providers haven’t actually paid out at all. The NCSC advises that insurance companies don’t pay out for “monies lost through business email compromise fraud”. Which you guessed it, is a clear description of the biggest form of cyber attack, phishing emails.
So although insurance might help you out with a small data breach, do you really want to spend your time and resources remediating the breach, not to mention any potential reputational damage. 33% of businesses have lost customers following a breach. So preventing the breach in the first place is better than counting on insurance to fix it, surely?
Myth: “Cyber security seems so complicated”
Fact: Getting started with security basics is simple enough
It’s actually simpler for SMEs to put cyber defences in place because of their smaller infrastructure. For instance, increased use of cloud services, no legacy systems and fewer employees, means adopting security measures is far less complex than it would be for a large enterprise.
Cyber security basics, such as a penetration test, don’t have to be complicated either. They are a great way to give you a clear overview of your security position and prevent malicious cyber attacks. For instance, the British Airways and easyJet breaches in 2020 that lead to multi-million pound fines could have been avoided with a penetration test.
2. Why SMEs can’t ignore cyber security
There are various forms of cyber threats that could easily wreak havoc for an SME. Such as phishing emails, DDoS attacks, malware and ransomware. So putting it simply, if you haven’t got basic cyber security measures in place, then it’s not a case of ‘if’ you get breached, it’s down to when.
Plus, as we’ve covered already in this guide, the costs of a breach far outweigh the costs of putting basic security measures in place. Aside from the headline grabbing fines such as those for BA and easyJet, the ICO regularly fines both SMEs and enterprises alike for breaches involving personal data. And don’t forget a breach goes beyond financial repercussions. It can also devastate your reputation and lose you business. Not to mention the possibility of having to close off parts of your business thanks to the disruption and investigation efforts. 57% of businesses who were hit by a ransomware attack didn’t have a business left to salvage, so post-breach havoc isn’t always temporary either.
3. How can you protect your SME business?
For a modest investment of £60 a month with Defense.com™, you can cover all of the basics of your cyber security, as our Essentials package includes VA scanning, a Cyber Essentials certification and staff training. This will help prevent a significant amount of opportunistic attacks against your business. All in all, the best way you can protect your business is with the following guide:
1. Carry out an annual penetration test and a monthly VA scan
Pen testing and VA scanning aren’t time consuming or gruelling for your business. Plus, they help you discover your security flaws before a hacker does.! They’re more affordable than you might have thought, but the most important tip for your business is to make sure you carry out the remediation advice offered. You wouldn’t ignore an audible warning in your office such as a fire alarm, so don’t ignore your consultants advice for protecting your infrastructure.
2. Train your staff
As we mentioned earlier on in this guide, don’t look past the fact that your staff are your secret weapon. Training is a quick and cheap way of immediately boosting your security posture. You could have on-site or virtual training, but then end result is the same – vigilant staff!
3. Become Cyber Essentials certified
Having a reputable certification under your belt, such as Cyber Essentials, is a great way to highlight your credibility and build trust with customers, partners, suppliers and staff. It can also help you win new business, as you’ll be eligible to tender on government contracts. The scheme is backed by the UK Government, and is a great first step for securing your SME business.
4. Invest in endpoint
With increased remote working and staff using their own devices, the chance that a device’s security isn’t up to scratch is high. Which means having up-to-date endpoint security is a must. It’s a basic but highly beneficially step in securing your business as it will protect you against a variety of cyber attacks.
5. Manage your GDPR compliance
Enforcing basic cyber controls within your business is also a great way to help your GDPR compliance. The GDPR is a legal basis for processing data, so it can’t be ignored. The remediation efforts following a breach don’t just include that of business disruption, but financial losses, fines, reputational damage, and even the loss of customers.
Hopefully this guide has helped you see that with cyber security, there are real risks out there. But getting the right security measures in place can help your SME business to no end. You’ll be in a better position to keep your business running smoothly and focus on growth. Plus the reputational benefits of ensuring a good security foundation will show in increased business and trust. Which is why it’s key that you care about your SME cyber security.
Start securing your business today
Get in touch today to start your free trial of Defense.com™ and discover how we can help you take the stress out of your cyber security.