SMEs Time to Wake up from Your Cyber Hibernation5 min read

SMEs Time to Wake up from Your Cyber Hibernation

‘This won’t happen to us!…Who wants to hack us?…Why? We are nobody!’ That is what most of small and medium business owners and managers have believed in for the past 15 years. Till few years back, I would reluctantly agree with them, from a business point of view. But not anymore.

The landscape of cyber risk and threats has been changing rapidly within the past couple of years. Cyber criminals are increasingly targeting small and medium businesses. Almost 80% of small and medium business in the UK have been compromised or breached since 2014, according to the UK department of Business and Innovation. The average cost to recover doubled last year from its previous figure and is reaching an average of £75,000 to £355,000. These are surprisingly high and worrying numbers for a nation, in which SMEs represent more than 90% of its business sector and add an average of 48% to its economy.

This increase in cyber risk and threats to small business is noone’s fault except themselves. Cyber criminals prey on the knowledge of SMEs having low cyber defences due to the lack of financial and human resources. Sometimes, cyber criminals use them as a channel for a bigger prize, if they are contracting with larger business who are harder to penetrate their cyber defences in short span of time.

SMEs need to start to accept and understand the rise and severity of cyber risks and threats. This is becoming a more pressing matter for small and medium business management in the next 18 months. Otherwise, they will have to face fines of €20 million or 4% of their annual turnover if they do not comply with the European Union Data Protection Regulation and cyber security law. Reading the regulations and standard documents will, most probably, put business owners and managers off due to their complexity, thanks to their contracted nouns and legal jargon, as well as the perception of acquiring high cost through the compliance process. The complexity issue is true to an extent, but the cost part is more of a myth than reality. Small and medium businesses can shed the cost by adopting and implementing few simple steps that can help them reduce their cyber risk and threats, such as:

• –  Strength users’ passwords: Businesses can increase the complexity of their users’ passwords. For example, avoid using default passwords for systems and applications, change user passwords every three months and make user password more complex by using two or three random words together with numbers and special characters.
• –  Improve the protection of the business devices: Installing antivirus- and malware software across the business computers, laptops and smart phones can reduce the risks of virus and malware infections. Keeping these softwares up-to-date with vendor updates plays a crucial role in reducing these risks.
• –  Keeping the business digital systems up-to-date: Businesses need to keep all their systems, applications and software patched with the latest updates the vendors offer. This is important as most of them include security updates and enhancements that will keep your system running efficiently.

• –  Share cyber risk ownership with your staff: Businesses are advised to communicate the changing cyber risks they face and their severity to all their staff, and explain how they can help the business reduce this risk and safeguard itself from cyber threats. Ask them to hold ownership and responsibility to the risks and threats they can inflict on the business due to misuse of the business systems.
• –  Hire cyber security and compliance advisors: Small and medium businesses lack financial resources as all is focused on the business’ core functions. This needs to change, but not dramatically. SMEs can hire experienced cyber security and compliance advisors who regularly check the business cyber risk and compliance posture, advise and help them to improve it as well as stay competitive. Such advisors are not required to be there all the time, they can visit the business once every week or fortnight. There are a number of organisations out there, offering such services that span from building a value based partnership where they offer their expertise and knowledge for adequate fees to helping other business stay safe.
• –  Seek government support and advice: The UK government, across it is Business and innovation department, Culture, sports and media department, GCHQ, and others, publish annual statistics and reports about the latest cyber risks and threats SMEs might face and how to be prepared. Moreover, the UK government created Cyber Essential Scheme, which is a security hygiene scheme that helps small and medium businesses reduce their cyber risks and threats by subscribing to and using government’s financial aid to adapt and comply with its security controls and standards.Burying your head in the sand won’t keep your business safe for a long time. Small and medium businesses need to wake up from their cyber hibernation, accept the reality, try to understand it and its impact on their business, seek expert advice and governmental help to stay cyber safe, and reduce their cyber risks. Cyber security and compliance should not be perceived as cost centres by business owners and managers. They should be seen as revenue centres that allow business processes to run securely and efficiently. This will help the businesses build a trust relationship with their clients, due to their compliance with data protection regulation, like EU GDPR as well as cyber security schemes and standards, such as Cyber Essentials and Cyber Essentials Plus. Accordingly, the business will have a stronger brand in the market and a competitive edge over its rivals.

  Shadi A. Razak
  Cyber Security and Compliance