Often overlooked, the SME market is the heartbeat of the UK; there are around 5.5 million SMEs, which make up 99.9% of the UK’s private sector. Despite this, only 40% of SMEs and 16.8% of micro businesses hold cyber insurance. Given that 61% of SMEs were hit by a successful cyber attack within the past year, this leaves millions of organisations exposed to significant financial loss, with little to no protection in place. This blog explores cyber security for small businesses, outlining the challenges these organisations face and how they can be overcome.
Whilst every business has its own unique challenges, my experience working with SMEs indicates that many face the same key difficulties:
(1) Lack of knowledge
Cyber Security is often seen as a “specialist” area. It can be difficult to digest the topic, and the vast number of threats that come with it. Importantly, most SME organisations do not have an employee exclusively tasked with managing their cyber security. These organisations already face a huge number of challenges, including attracting customers, retaining staff, and maintaining profit. Accordingly, cyber security is often treated as an afterthought, considered only once the company has already fallen victim to an attack.
(2) Time consuming
Improving your business’ security posture may require security awareness training, specific processes and policies, or time out of your business day to commit to learning about the area. However, staff within SMEs typically juggle various roles, which makes it feel impossible to dedicate time to these tasks. Cyber Security can feel like a minefield, and knowing where to start is often the first challenge to overcome.
(3) Attracting skilled professionals
The soaring number of businesses hiring Cyber professionals means that SMEs face the challenge of attracting and hiring the talent they are searching for. Trying to stand out above some of the big players in the market presents a real difficulty; matching the salaries on offer, offering a competitive benefits package, creating an attractive working environment, and investing in development are all areas where SMEs typically struggle to compete. But there are things you can do!
(4) Associated costs
When you speak to most people about Cyber, their immediate thought is “that’ll be expensive”. Whether they are building a team, hiring a professional, or investing in tools to protect their business, the cost of cybersecurity adds up. For an SME, every pound matters, and so the costs are often more than they are prepared to spend. Whilst it’s true that cyber security can be costly, this doesn’t have to be the case. It is also important to compare the costs to some of the fines that have been well documented over the past few years.
(5) Evolving threats
Trying to keep up to speed with the latest attack techniques that hackers are utilising can be a mammoth task. When we look at the recent evolution of AI and Machine Learning, and how they are being utilised by malicious actors, trying to stay relevant and prevent these attacks can feel like a cat-and-mouse game. Finding out that the latest threats have moved again after you finally felt up to speed can be soul-destroying.
It’s not all doom and gloom
Despite these challenges, there are ways for you to adequately protect yourselves and ensure that your SME is not one of the 61% of businesses being breached. Many solutions are not as cumbersome, difficult, or costly as you might think!
(1) You don’t need to lock down your business
Cyber security is not about protecting every area of your business. In fact, even the largest companies in the world accept the risk of an attack within certain business areas. Once you can identify where the biggest risk to your business falls, it becomes much clearer what you can do to prevent or deter potential hackers from being able to access it.
The greatest risks often centre around customer data, intellectual property, and financial records. If you take steps to protect these assets, hackers will likely move on to another target once they realise they are unable to reach them through your systems. If you were a big corporation, they might continue to try different techniques. However, with SMEs, moving on to another organisation that has not taken these preventative measures is often seen as a better use of their time.
(2) You have access to Open Source tools
You’ve seen the cost to invest in security tools, right? Yes, they add up and can be a huge barrier to entry for the SME market. But, have you looked into free and open source tools? Most people struggle to name them, but they are out there, and ready to support your business.
These tools can give you key insights into how hackers view your business, and highlight the areas of your business that are currently exposed to malicious hackers. Importantly, they can do this for free, or at a fraction of the cost you may be accustomed to hearing. If it’s going to protect your business and make it more resilient, what are you waiting for?
(3) Follow the right Policies or Accreditations
Do you have any policies in place within your organisation? Are any of these guided by information security? Following policies and creating an environment where your staff adhere to the correct standards is not always the most glamorous thing. However, for something that could sink your business overnight, it’s becoming almost impossible not to do.
These policies do not have to be the most stringent; some policies like Cyber Essentials are self-certified, and therefore do not require an external audit. Such policies are important, because they raise Cyber awareness within your business. Further, they reassure your customers that you are working to secure your IT systems. If you can see the benefits to your business, maybe consider Cyber Essentials Plus or ISO 27001 (amongst others). We are certified to these standards and can walk you through it.
(4) Network with professionals in the market
Networking is not a new thing. It is well known that speaking to professionals in the industry can really open your eyes to the bigger picture. It offers insights that, without networking, you may not have considered or known!
Networking can be such a valuable tool for learning and developing in areas that you don’t feel too comfortable in. Given IT is the fastest growing sector, you will likely have a friend, relative, or colleague working within the industry. Are you utilising their knowledge, and if not, why not?
(5) Find a trusted partner
Most organisations have a trusted partner, whether that be for legal guidance, payroll support, or technical advice. At Mondas, we have seen that having a trusted security partner is essential to the health of a business. However, finding one that understands the challenges that SMEs face can be difficult.
Whilst this is not a sales pitch (okay, I might work in sales), it does seem the perfect opportunity to talk about Mondas. Our mission is to provide SMEs with the same threat protection that large corporations have been benefiting from for years. We recognise that every business has its own challenges, so we want to understand what is important to you, and help you to tighten your security controls using our basic framework. This won’t cost the Earth, and will be tailored to your business. Talk to us today if you would like to find out more.
When we look back at the stats at the beginning of this blog, it is easy to understand why Cyber Security is often met with a “grunt” or “sigh”; many of the figures used appear on the first page of Google when searching for cybersecurity. The industry is often associated with fear mongering, which makes you think you need complex and costly protections. Whilst it’s true that it can be a scary thing to imagine your business being breached, the barriers to prevent this are far more achievable than many of us think, but you won’t find that on the first page of Google!
Knowledge is power. Gaining knowledge in the areas that matter to your business puts you on the road to achieving better cyber hygiene. Every business has risks they are prepared to take, so it boils down to the risk appetite of your organisation. For some, this is greater than others, and that’s okay.
If you have not thought about cyber protection before, I hope this blog has given you something to consider. If you want to talk about any of the points throughout the blog, please feel free to get in touch.