Interviews

Small firms in cyber appeal

by Mark Rowe

Small firms are unfairly carrying the cost of cyber crime in an increasingly vulnerable digital economy, according to a new report from the Federation of Small Businesses (FSB).

The report, ‘Cyber Resilience: How to protect small firms in the digital economy,’ suggests smaller firms are collectively attacked seven million times a year, costing the UK economy an estimated £5.26 billion. Despite most small firms (93 per cent) taking steps to protect their business from digital threats, two thirds (66 per cent) have been a victim of cyber crime in the last two years. Over that period, those affected have been victims on four occasions on average, costing each business almost £3000 in total, the FSB suggests.

Mike Cherry, FSB National Chairman, said: “The digital economy is vital to small businesses – presenting a huge opportunity to reach new markets and customers – but these benefits are matched by the risk of opportunities for criminals to attack businesses.”

According to the federation, cyber crime costs small businesses disproportionately more than big businesses when adjusted for organisational size. Currently the responsibility largely falls on small businesses to protect themselves. The FSB is calling for more support to be given to those smaller firms.

Almost all (99 per cent) of the UK’s 5.4 million small firms rate the internet as being highly important to their business, with two in three (66 per cent) offering, or planning to offer, goods and services online. Without intervention, the growing sophistication of cyber attacks could stifle small business growth and in the worst cases close them down.

Mike Cherry added: “Small firms take their cyber security responsibility very seriously but often they are the least able to bear the cost of doing so. Smaller businesses have limited resources, time and expertise to deal with ever-evolving and increasing digital attacks. We’re calling on Government, larger businesses, individuals and providers to take part in a joint effort to tackle cyber crime and improve business resilience.”

Comments

Geoff White, underwriter at Lloyd’s, said: “Many UK businesses are not aware of how exposed they are, believing they are too small or have nothing worth stealing to be a victim of a cyber-attack. However, technology is so fundamental to how businesses run that cyber is a risk regardless of size or industry. This research highlights that shocking reality.

“There’s no such thing as perfect cyber security, and with the introduction of the new EU regulations small businesses will be financially impacted. We know it’s now a matter of “when, not if” a company suffers a cyber-attack or breach, but they shouldn’t be company-ending events. Businesses should look into a wide protection, including cyber insurance, to protect their balance sheet and help get them back on their feet.”

Stephen Love, Security Practice Lead – EMEA, Insight, made the comment that the fight against cyber-crime needs to be collaborative. “When trying to protect itself against malicious attacks on its network, a small business finds itself in a David versus Goliath situation. But work with thousands of other small businesses, enterprises and the government, soon the small business becomes the Goliath.

“However, no business should rely on the actions of others. It’s too easy to let others fight the fight without getting your hands dirty. No matter their size, small businesses need to take proactive steps to protect their assets from cyber-criminals. This includes something as simple as updating operating systems. You will be surprised how many small businesses are still running old operating systems on their IT networks like Windows 2003. Any servers still running this programme cannot host new antivirus software and remain unpatched, so are vulnerable to attacks.

“Additionally, small businesses should keep a closer eye on educating its employees in order to prevent data breaches. Increasingly, ‘human error’ is becoming the biggest threat to the protection of an organisation’s data assets – seemingly harmless emails sent with documents that shouldn’t be shared, or credit card details. Data Loss Prevention (DLP) solutions can be used to prevent this by blocking the emails before they are delivered to the employee. The systems alert the IT team, who should then review the content of the email and the intended recipient before allowing its delivery.

“Collaboration is definitely key in the fight against cyber-attacks. However, this means every business needs to be doing everything they can to put the most effective processes and solutions in place to protect themselves, and not wait for someone else to win the battle.”

And Andy Herrington, Head of Cyber Professional Services in UK and Ireland at Fujitsu, said: “The fact that small businesses are the target of 7m attacks a year should come as no surprise as many small businesses have developed through their digital footprint, and digital will continue to be one of the major factors in small business development and growth. In addition, small businesses are often part of larger organisations’ supply chains and are therefore a target entry point. Many small businesses may not see themselves as a target due to their size, but size does not matter.

“Industrial strength security may appear to be the preserve of the enterprise, but successful small businesses will recognise the issue and should see good basic security practice as being a ‘differentiator’ for them as a supplier and in building the trust of their clients.

“To combat today’s threat, small businesses should take a proactive approach when it comes to security. Implementing a basic security framework through understanding the threat will allow them to get on the front foot in combating attacks, ensuring that these threats don’t come to pass. In parallel, small businesses need to look at embedding baseline security education early on to ensure everyone is engaged and part of the overall organisational resilience. This should also be seen as an investment in the company’s growth plan as getting good security practice baked in when you are small is better than trying to apply it to a much larger organisation, as you can set the culture early on in the company’s lifecycle.

“A good place to start is the UK Government’s 10 steps to security, the Cloud Security Alliance or the SANS Top 20.”

David Navin, Head of Corporate at web security product firm Smoothwall, said: “It is incredibly worrying that two thirds of smaller businesses have been victim of cybercrime in the past two years and more definitely needs to be done. Many simply don’t feel they are at risk from cyber attack – feeling bigger brand names are more in the firing line. While in some cases, SMEs don’t feel they hold enough valuable data to be a target. They are wrong. SMEs are a very attractive target to a hacker. Not only are they often part of supply chains and could therefore provide hackers with a way in to attack larger companies, but they also don’t tend to have the same level of security in place as their larger counterparts. This means SMEs are not only an appealing option to hackers, they are often an easy one.

“SMEs must act to protect their data and that of their partners, complying with regulation and building layered security defences spanning encryption, firewalls, web filtering and ongoing threat monitoring. While security regulation may not always directly impact SMEs, often directed at large organisations, they must take a proactive stance. Not only will it protect them now – but if they are seen as a security weakness, they will be a less attractive partner for large companies. Suddenly, security impacts SMEs’ bottom line and growth prospects. In taking a smarter approach to cyber security, SMEs protect their future – readying themselves for growth and making themselves a watertight part of a cyber defence strategy.”
