May 2015

WARWICKSHIRE MEANS BUSINESS

Why SMEs need to engage with cyber security


Cyber security expert Lee Campbell explains why SMEs must be vigilant

Small and Medium-Sized Enterprises (SMEs) make up 99.9% of the 5.2 million private sector businesses in the UK. A massive 99.3% of businesses are small (1 to 49 employees). The SME combined turnover is £1.6 trillion and they employ 15.2 million people, therefore the need for SMEs to service their customers is critical to the success of the UK economy.

Cyber security breaches are regular occurrences. According to the Department for Business, Innovation and Skills (BIS), the average cost of the worst breaches was between £65,000 and £115,000, up from £35,000 to £65,000 in 2012. Six out of ten SMEs suffered a security breach of some kind. Research from the government’s Cyber Essentials scheme found that two-thirds of SMEs do not believe they are vulnerable to cyber-attacks. Further evidence is that the amount of malware carried in email has increased.

So why target SMEs? Just like any business, large or small, they have important assets required to run their organisation. These may take the form of intellectual property (critical business information, designs and operating procedures), customer information, banking information, personal employee information and the computer systems themselves, to name a few. If these assets were stolen, compromised or modified, or if the business were unable to service customer requests, business operations would be impacted. For example, a Denial of Service (DoS) attack deprives the business of computing resources, and CryptoLocker (ransomware) prevents users from accessing their computer files. SMEs therefore need to protect and safeguard these vital assets.

The business may also face financial, legislative and regulatory consequences under data protection rules. This may occur when it is in breach of the Data Protection Act or of the Payment Card Industry Data Security Standard (PCI-DSS), which requires customer cardholder information to be protected.

SMEs need to engage in good cyber security hygiene and practices. They need to perform cyber security risk assessments and implement the necessary security controls based on those assessments, in accordance with a cost/benefit analysis. These security controls may take the form of malware protection, secure configuration of systems, a boundary internet firewall, access controls and patch management: the five security controls prescribed by the Cyber Essentials scheme.

Why don’t SMEs consider good cyber security hygiene an important business risk? A number of factors could contribute to this.

Firstly, they have more pressing issues. Small business directors and owners often have dual roles and are focused on running the business: supplying their goods or services, paying suppliers and employees, and obtaining new business. They also have overall responsibility for the financial management of the business. If the business fails, so can the owners or directors – many have invested their own personal finances into the business.

Secondly, business owners and directors don’t believe cyber criminals will target them. They believe larger organisations and governments are the main targets. A common statement is “we don’t have anything of interest to cyber attackers.” SMEs can also overlook the insider threat from employees and contractors, whether from accidental human error or deliberate misuse. Insiders have direct access to the systems and information, so they can pose a greater risk to the business. Security controls can be implemented to help mitigate this risk. The bigger picture also needs to be considered in terms of the supply chain: if the SME’s systems are compromised, it may impact other organisations (large and small) in the chain.

Lastly, smaller organisations also feel overwhelmed by the technical jargon and feel they are being sold “snake oil”. The industry needs to engage with SMEs better, although this is improving. Government websites such as Cyber Streetwise provide guidance and information on cyber security. The National Archives provides the “Responsible for Information” online cyber security training programme for SMEs. Training and education will help SMEs better understand their cyber security requirements and the technical jargon.

If SMEs engage in good cyber security hygiene, practices and risk assessments, this will help mitigate risks to the business, its systems, information, owners and employees. It should also help improve their competitive position.

About the author

Lee Campbell has 25 years of IT experience, 15 of them in the field of cyber security. He is managing director of CipherSYS Limited (ciphersys.co.uk), which provides cyber security consultancy and advisory services. Lee specialises in the SME sector and developed, with the National Archives, the “Responsible for Information” cyber security training programme for SMEs.
