One-third of SMBs have no cyber security strategy in place
Cyber security a ‘top’ priority for SMBs but statistics and reports suggest otherwise
Despite the news, statistics and reports, many small and medium-sized businesses (SMBs) are still woefully underprepared for cyber attacks.
For many SMBs, the idea of being the target of cyber crime is a far-fetched fantasy. These SMBs feel that, because they are ‘small’ and have ‘no information of value’, they are an unlikely target and, as a result, don’t invest in cyber security.
But it’s because of this dangerous mindset that it’s now easier and cheaper for cyber criminals to target SMBs, more so than organisations of any other size.
According to the Verizon Data Breach Investigations Report (DBIR), which looked at nearly 42,000 data breaches across 86 countries, almost half of the incidents (43%) involved small businesses. Furthermore, research by insurance company Hiscox revealed that small businesses are the target of 65,000 attempted cyber attacks each day.
“Smaller companies which view cyber security as an overhead are increasingly being left exposed to attacks from opportunistic hackers,” says Glenn Attridge, Head of Cyberdefence and Security Response at RBS. Indeed, it’s become glaringly obvious to hackers that these businesses are unprotected – despite the current landscape.
The fact is that cyber criminals are investing in and utilising increasingly sophisticated methods of attack – and some SMBs are blissfully unaware.
Cyber security solutions are not silver bullets
Whether it’s because of budgets or awareness, the fact remains that SMBs are underprepared.
Research by Business in the Community (BITC) revealed that almost a third of small businesses have no cyber security strategies in place – and just over a third have a basic data protection policy.
Maybe cyber security strategy isn’t at the top of the business agenda. Maybe it is. But the fact remains that a consolidated effort – a business-wide effort – needs to be made to improve online protection.
SMBs also need to bear in mind that the acquisition of cyber security solutions (while important) is not the silver bullet they think it is. In many instances, good cyber security starts with solid strategy, employee awareness and regular training.
For example, it’s a well-known fact that employees are often the weakest link in any business’ cyber security (after all, the vast majority of cyber attacks are perpetrated through phishing).
So why not start there?
Compared to the average cost of a cyber breach (£65,000 for small businesses – including damaged assets, financial penalties and business downtime), it costs businesses significantly less to send employees on a cyber security course or have an expert deliver a training programme.
Learn to walk before you run
“…as with anything in IT and cyber security, an exceptional technology operated by untrained and undisciplined people following not-so-well thought through and documented processes is bound to fail. Even worse, a false sense of security could mean a higher likelihood of successful attacks.” – Vladimir Jirasek, Foresight Cyber, Security Think Tank: Walk before you run.
When it comes to cyber security, any cyber professional will tell you that it’s more important to get the fundamentals right first.
This means training employees so that they have an awareness of and understand cyber security, developing processes and policies and eliminating as much of the human element as possible.
Not only will this save you money, it’ll also help you to get employees up to speed. Over time, those employees will become your cyber security champions and teach new hires, so you don’t have to. Suddenly cyber security becomes part of the business – not an arduous task that no one (except IT) is bought into.
Think like the enemy
Once strategies, policies and training are in place, employees need to think like the enemy. Remember, the nature of cyber crime has changed. Technology has made it difficult for cyber criminals to use brute-force attacks, so they’re having to sneak past defences.
Nowadays, things like phishing and man-in-the-middle attacks are much more effective due to their subtlety. These attacks are much harder to protect against and even harder to detect once a cyber criminal is in.
Given that these are a few of the most common methods of attack, business employees need to start thinking like cyber criminals if they are to protect business data. Ethical hackers, for example, have been around for years but their expertise and knowledge must be shared amongst the entire business.
A good cyber security strategy will enable employees to understand:
- How cyber criminals can exploit a business network
- What methods of attack a cyber criminal can use to gain access (and which are the most common)
- How these methods can be protected against
Furthermore, as these employees become more knowledgeable and skilled, the inclusion of a cyber security solution bolsters their capabilities rather than trying to plug gaps. They start to use the solution, rather than rely on it.
Investing in cyber security is more than just investing money
Developing a robust approach to cyber security requires so much more than just money and the points outlined in this blog should help you to understand that.
So, before you feel compelled or even coerced into buying a cyber security solution to defend your employees and business data – ask yourself: do you have the right strategies and policies in place, and are your employees prepared to begin with?
There’s no shame in saying no. Most SMBs are in the same position but you have one distinct advantage: you’ve read this article.
So if the answer is no, maybe it’s a good thing you’ve yet to invest. Use that time to improve your business’ cyber security strategies. Lay a strong foundation you can build upon, so when you do get the technology, you use it – rather than it using you.