Small businesses are now on the front line in the fight against cyber crime. The vital position many SMEs have in supply chains means cybersecurity professionals should be doing everything to support small business leaders – for the benefit of everyone.
The number of UK businesses succumbing to cyber attacks has doubled in the last five years.
Around 1.5 million (or a quarter of all UK businesses) fell victim in 2019. This was the top-line finding from our recent ‘5 Years in Cyber Security’ report, a rolling analysis of cyber threats in the UK.
And the biggest spike in victim rates was in the small-business community. 28% of 11-50 person firms fell victim in 2015, a proportion that more than doubled to 62% in 2019.
The tactics and methods cyber criminals have used over the past five years have changed. We’ve seen a clear rise in phishing and the growing use of automated attacks – allowing hackers to launch increasingly sophisticated attacks with unprecedented scale and frequency on businesses of all sizes. Where cyber crime was once aimed at large companies, small businesses must now act to defend themselves
Are we keeping pace with cyber criminals?
Many business leaders, particularly at the smaller end of the spectrum, don’t fully recognise the threat. Or they wrongly assume that their broadband router and antivirus systems will be sufficient. Most need to do more to protect themselves.
In January 2020, 69% of micro-businesses and 58% of small companies had only minimal levels of cyber security protection in place. That means they relied on anti-virus software and basic router protection only.
However, there is evidence of change. More than a fifth of small (20%) and medium-sized (24%) businesses now discuss a range of cyber threats at board level, while the proportion of businesses taking additional steps to mitigate cyber risks has increased from 16% in 2015 to 37% last year.
But this doesn’t always translate into action. Even the simplest steps, such as having a documented cyber security policy, have been taken only by 9% of the businesses surveyed. Defences – like an intrusion-detection system – have only been adopted by 10%. And only 1 in 10 SMEs have insurance against cyber crime.
This could be because SMEs feel they won’t be a target because they are too small to interest the hackers. But most attacks are indiscriminate, driven by algorithms, which scour the internet looking for any vulnerabilities.
Criminals are targeting the weakest link
The risk of an SME lacking robust cyber security doesn’t stop with that business. Criminals study companies and the networks they interact in to find a weak link in the supply chain. This is why education for SME leaders is so crucial. Larger companies must expand their risk consideration beyond the boundaries of the organisation; they have to ensure suppliers stick to the same security principles they do – taking steps to educate and mitigate the risk if they do not.
Rather than simply guarding what’s ours, we need a cyber-security culture that means we all look out for those we do business with too. Just like herd immunity, if enough businesses are well secured, the impact of denial-of-service attacks, viruses and other attacks will be greatly diminished.
Where to start?
Practical advice shouldn’t always come with a price tag. When advising SME leaders, it’s important to remember their size and inability to take on massive infrastructure projects. Instead, promote steps towards security that are effective and achievable.
For example, people are often the route in. This is especially prevalent with the rise of phishing attacks, with near tripling of victim rates in the last five years. By educating employees on how to spot phishing emails, and promoting a culture of openness and admission of fault (before attacks can get out of hand), leaders can address a huge problem on a small budget.
This isn’t to say you can cut corners with your security, but spreading awareness of steps like two-factor authentication, password management and physically backing up data will go some way to securing supply chains, with very little effort.
The business community is only as strong as its weakest link. Those in the cyber security space can still do more to improve education among SMEs – protecting those firms and the ones they do business with.