According to a recent study, cybersecurity incidents cost UK SMEs £8.8 billion last year. That’s a lot of money and it’s a lot of incidents. The report from cyber-insurance firm Gallagher found 1.4 million UK SMEs were affected by a cyberattack or serious incident, with incidents costing businesses an average of £6,500.
While the threat is very real, it is not the most concerning issue, according to a report from Business in the Community. The report found that nearly a third (30 per cent) of small businesses have no cybersecurity strategies in place. By comparison, only four per cent of medium-sized enterprises lack cybersecurity strategies.
Many SMEs think they’re too small to be a target, but the data suggests otherwise. Forty-two per cent of SMEs have experienced at least one cyberattack or incident in the last 12 months. An SME can be the target of a cyberattack itself or it can be an intermediate step in a larger attack. One of the largest data breaches in history, when attackers compromised 110 million Target customers, started with an SME. The attackers gained access to an HVAC contractor servicing Target, then used credentials stolen from that contractor to gain access to the retailer.
Make the most of what you have
SMEs commonly think of cybersecurity resources, whether software, hardware or staff, as a net cost and try to minimise the spend. If cyberattacks don’t happen, it can be easy to think those expenditures aren’t delivering value. However, consider the potential costs of a breach:
- Business disruption: A business may spend days, weeks, or even months cleaning up after a breach. Without substantial cash reserves, this can strain SME finances.
- Data loss and regulatory fines: An increasing number of privacy regulations, including GDPR, HIPAA, CCPA and PCI DSS, carry penalties for a business that is found to be non-compliant, meaning a breach can be even more costly.
- Intellectual property losses: A company’s IP may represent a huge portion of its value.
- Reputational damage: Word of mouth can make or break an SME. A breach can cause customers to shift to competitors.
- Third-party relationships: If a company is compromised, suppliers and clients may decide the risk of doing business is too great.
Yes, the cybersecurity threats to UK SMEs are real and are already costing billions of pounds. The good news is that there are simple steps that can substantially reduce the risk. And unlike large corporations, SMEs are often flexible enough to implement the changes they need quickly, once a strategy has been chosen. Getting the basics right need not cost a fortune. The Business in the Community report offers five suggestions that can improve cybersecurity significantly:
- Use firewalls to secure internet connections
- Choose the most secure settings possible for devices and software
- Control access to data and services with passwords and specific user accounts
- Use up-to-date antivirus software and staff training to reduce risks
- Keep all devices and software up to date with relevant patches
One point in that list that probably needs more emphasis is staff training. Large corporations will have dedicated cybersecurity teams. Conversely, SMEs have more limited resources. Training every employee to understand cyber risks and best practice can multiply the effectiveness of cybersecurity initiatives significantly. Training alone is not enough, though – once trained, staff must be incentivised to put their training into practice.
Cyber risks aren’t going away. It’s essential that SMEs form cybersecurity strategies that will put that £8.8 billion back into their coffers.