Business in the Community (BITC) is claiming that small businesses are the key to preventing data breaches in the future. It’s relatively easy to blame small businesses for their cyber weaknesses. The cost and complexity of deploying a secure environment, along with the lack of skills and the difficulty of educating staff, all play their part. However, by ignoring the small businesses in their supply chain, larger organisations leave themselves open to a supply chain attack.
The BITC claim is built on a report entitled: Would You Be Ready For A Cyber Attack? The underlying survey was carried out online by YouGov in November 2018. It polled 1,003 adults in small (less than 40 employees) and medium (50-249 employees) businesses. 80% of respondents came from small businesses. The survey was also spread across the UK and across different types of industries. As reports go, this gives it more legitimacy than most we see at Enterprise Times.
Amanda Mackenzie OBE, Chief Executive of BITC said: “While it’s often big companies which hit the headlines as victims of digital crime, when a small business is struck by a cyber attack decades of hard work can be erased in moments. The business owners suffer. The supply chains suffer. Most of all – communities suffer.”
Key findings show the challenges for SMBs
The key findings show that SMBs really are struggling to secure data and systems. The chart below shows some examples of this:
- Basic data protection policy: only 35% of SMBs have one. 34% of small businesses have created one, while medium businesses have done better.
- Access control to systems: just 29% of SMBs have a policy to control this. This differs by size, with 50% of medium-sized businesses having a policy compared to 23% of small businesses.
- 25% of SMBs have NO cyber security strategy. The detail shows that medium-sized businesses are better than small businesses.
Of the other details in the image above, the lack of a strategy and cyber risk assessment are worrying. These could result in SMBs losing business. It is becoming commonplace now for very large companies to ask to see such things as Anti-Slavery Policies and Equality Policies. It is not unreasonable to expect them, as part of their own cyber insurance, to extend this to ask about cyber risk policies and cyber security strategies.
Those SMBs that have and can evidence the existence and implementation of these things could begin to see a greater engagement with some large organisations.
What can SMBs do?
The general advice for SMBs is still pretty much the same as it has always been. This includes:
- A strong password policy and, where possible, the introduction of 2-factor authentication.
- Limit user privileges to minimise damage during a breach. Cyber criminals often rely on stolen credentials. If the user has access to everything then any breach is a potential disaster.
- The use of daily backups is increasing. Many companies seem to be taking advantage of the cloud to do this. However, what wasn’t asked is what that backup service is. There are a lot of people who think storing their data in Box, Dropbox, OneDrive or similar services is a backup. It is not. These are synchronisation services: if a hacker deletes the data on a device, the deletion is synchronised to the cloud copy too.
- Make sure endpoint security software such as anti-virus software is installed and kept up to date. This is not just about desktops. It should include any device, whether desktop, home computer, laptop, tablet or mobile phone, that employees use to connect to company systems.
- Any device used to store company data should be encrypted.
- Apply patches as soon as they are issued. Most software vendors now have automated patching processes and employees should use them. Those who prefer manual patching should beware: cyber criminals regularly use fake updates to get malware onto machines.
- Educating users to detect phishing and other attacks is always helpful. However, for smaller organisations this can be expensive, and keeping it up to date and in mind is not easy. That does not mean that it should not be done, just that there is a need to find a way that works for the business.
The role of cyber insurance
The rise of cyber insurance has seen new products for the SMB. However, these should be looked at with caution. They do not add anything in terms of security. There is no audit or checking by the insurance company that the SMB has effective and well-maintained cyber security processes. If there is a case where the cyber insurance is invoked, SMBs who cannot prove that they were acting responsibly could find their cyber insurance invalid.
Another reason for considering cyber insurance is the increase in the number of companies that provide cyber risk data. SMBs can often find themselves appearing very low on these rankings. This is likely to lead to higher premiums for cyber insurance. Importantly, it can also impact them when doing business with large organisations. An increasing number of these assess the risk of working with a company based on this type of data.
One of the surprises in this survey was the number of organisations that said cyber insurance wasn’t necessary for their business. This included 30% of small and 17% of medium-sized businesses. On the positive side, cost was not seen as an inhibitor nor was the time required to organise or implement it.
The BITC advice for small and large businesses
The BITC has issued its own recommendations for small businesses when it comes to cyber security. On its website there are a number of links that provide useful information. Some of that information includes:
- Take the BITC readiness test
- Implement the NCSC Cyber Essentials
- Read the NCSC Small Business Guide
- Back up as regularly as possible
- Update your software
- Have a security policy
- Train your employees
- Be alert
- Invest in cyber insurance
Importantly, the BITC also calls on larger organisations to do more. There is definitely a place for larger businesses to help their small suppliers be more secure. This is in their interest and often takes far less effort than realised.
As digital transformation encourages greater integration between businesses, it is important to know that partners can be trusted. SMBs are seen as low hanging fruit by cyber criminals. A failure to help your partners be more secure increases the risk to any business.
Enterprise Times: What does this mean?
Most surveys in this space are conducted with far fewer users and contain far less data. They also make generalisations that are not supported by the data. This survey and report are seemingly well balanced. They also offer some solid advice. None of it is new, but repeating the requirements for cyber security is never a bad thing.
The key thing for many SMBs to consider is what impact having little or no cyber security policies will have on them. Large organisations may see you as a risk. Worse, a data breach and a fine from a regulator could spell the end of the business.