When it comes to cyberattacks, the news is littered with stories of big business beasts falling foul of hackers, from TalkTalk and Yahoo to Uber and Equifax, the global credit-referencing agency. The average small business owner could be fooled into thinking that their own enterprise simply is not worth a hacker's time; unfortunately, this is not true.
The common misconception that smaller businesses are not worth attacking can lead to a more lax attitude to security among SME leaders. That attitude is their downfall, because the "economies of scale" still work in the attacker's favour: attacks are cheap to automate and repeat, so a thousand SMEs that all struggle to keep their operating systems up to date make a juicy target, and a million staff members who all use "password123" as their password can make quite the payday for the entrepreneurial hacker.
But defending your business needn’t cost the Earth and is often a fairly simple process.
To start, business owners should pinpoint the easiest potential points of access and work from there. Enabling two-factor authentication and asking staff to create strong passwords – by choosing three random words that are not easy to guess, and by using a separate password for work accounts so that a breach elsewhere cannot be replayed against the business – are essential security measures. The Government's Cyber Security: Small Business Guide contains further useful advice.
Along with a lack of basic technical security measures, another business weak spot is often human. Many SMEs find themselves on the receiving end of a steady stream of email scams, as well as attacks that exploit weaknesses shared by most small firms, such as out-of-date software and reused passwords.
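To make the password advice concrete, here is an added example (not code from the article or from the Government's Small Business Guide) of the check a small firm could run when staff choose a new password: it rejects anything on a blocklist of common passwords, even with digits bolted on, requires a minimum length, and estimates how much harder a three-random-word passphrase is to guess. The blocklist is a constructed stand-in for a real breached-password list, and the 7,776-word dictionary size is an assumption (it is the size of the Diceware list); both are marked in the code.

```python
import math
import re

# Constructed stand-in for a real breached/common-password list (assumption:
# a production check would use a list of hundreds of millions of entries).
COMMON_PASSWORDS = {
    "password", "password1", "password123", "123456", "12345678",
    "qwerty", "letmein", "welcome", "welcome1", "admin", "abc123",
}

# Assumed size of the word list staff draw their three random words from;
# 7,776 is the Diceware list size, used here only to illustrate the maths.
WORDLIST_SIZE = 7776

MIN_LENGTH = 12


def is_blocklisted(password: str) -> bool:
    """True if the password, or its core once trailing digits/symbols are
    removed, appears on the common-password list (so "Password123!" is caught)."""
    base = password.lower()
    core = re.sub(r"[\d!@#$%^&*.?-]+$", "", base)
    return base in COMMON_PASSWORDS or core in COMMON_PASSWORDS


def passphrase_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Guessing-space of n words chosen uniformly at random from the list,
    in bits: log2(wordlist_size ** n_words)."""
    return n_words * math.log2(wordlist_size)


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate password."""
    if is_blocklisted(password):
        return False, "appears on the common-password list"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password123", "Password123!", "P@ssw0rd", "copper lantern giraffe"):
        print(f"{candidate!r}: {check_password(candidate)}")
    print(f"three random words from {WORDLIST_SIZE} = {passphrase_bits(3):.1f} bits")
```

The point of the last line is the one behind the "three random words" advice: three words drawn at random from a 7,776-word list give roughly 39 bits of guessing space, while "password123" gives none at all, because it is in every attacker's list and is tried first.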
As Christoph Rieche, chief executive of online FinTech company iwoca, puts it: “The majority of attacks we see rely on a human taking some sort of action, whether that’s clicking a link or opening an attachment in an email because they assume it’s legitimate.
“Phishing and ransomware attacks are common but are not complex, so understanding what a potential attack looks like is key to preventing one.”
For this reason, getting the basics right, educating staff and building a culture of security often makes more sense as a starting point than investing in expensive software or hardware. After all, an attacker has little need to break through a defensive structure like a firewall when the front door is wide open.
Easy access is not the only reason SMEs make a juicy target. Understandably, SMEs often lack in-house experience of dealing with cybercrime, which hands attackers an advantage they would not necessarily have against larger companies. In ransomware cases, for example, this can mean an SME ends up paying the attackers rather than paying for external security consultants.
As Dr Mike Lloyd, chief technology officer at RedSeal, notes: “Large organisations can afford dedicated staff to focus on separate disciplines in security – from vulnerability management to audits to risk management and incident response.
“Unfortunately, these distinct areas require distinct training and skillsets. For SMEs, you simply can’t find people who can wear all these hats at once.”
Taking simple security steps and taking the time to understand the risks can still significantly bolster an SME's defences. And businesses need to act fast, because the financial ramifications of not doing so are real: with GDPR (General Data Protection Regulation) applying from 25 May 2018, businesses could face fines of up to £17m or 4pc of their global turnover, whichever is higher – so a serious breach of user data could put a small company out of business.
That is before you consider the additional damage a company could face: a KPMG survey of SMEs found that 89pc of small businesses that were hacked suffered reputational damage and 30pc actually lost clients as a result.
Ultimately, the reason SMEs get attacked is simple: money. With the economies of scale that cheap, widely scattered, automated attacks provide, cybercriminals can, and do, make good money from SMEs.