Why SMEs Should Worry About Cyber Security


Small in size, large in number


In 2016 there were just over 5.4 million UK SMEs (fewer than 250 employees) generating £1.8 trillion of turnover, which was 47% of the UK’s private sector turnover. Yes, we did say ‘trillion’.

Of those SMEs, 5.3 million are designated as micro businesses (fewer than 10 employees). These micro businesses exist literally everywhere in the UK. Chances are you are reading this article because you own or work for one of them.

SMEs, then, are most definitely an important part of the UK economy.

Appetite for Destruction

No, we aren’t talking about the hit ’80s rock album. There is an increasingly urgent issue facing SMEs in the UK. Very few of these businesses are taking cyber security and data protection seriously.

Considering how life can be tough for small businesses, they need all the help they can get – but solid advice and guidance on the risks of not managing their data properly seems to be sorely lacking.

I often hear small business owners tell me that data protection isn’t high on their radar, that they don’t have the time or budget to invest in specialist advice or cyber security software, and that it just isn’t a big enough issue for them to worry about.

But here’s the thing – small businesses are exactly the kind of businesses who need this security and specialist guidance.

Worrying statistics

According to Hertfordshire Police’s Cyber & Financial Unit, 45% of SMEs identified cyber security breaches in the 12 months prior to their May 2017 survey – those were just the ones reported.


Source: Cyber Security Breaches Survey 2017, Micro/Small Business Findings, Cyber & Financial Unit, Hertfordshire Police

There’s a high chance your business has suffered some form of cyber or malware attack recently that you aren’t even aware of.  Here’s a breakdown of the kind of attacks SMEs suffer most from:

Phishing

An attempt to gain sensitive information, such as usernames, passwords and banking details. Typically these attempts disguise themselves (often quite cleverly) as a company or contact that is known to your business or staff. Attacks targeted at specific personnel are known as spear phishing; those aimed at senior executives are known as whaling.

Account Takeover

Where a hacker gains account details and login credentials, and uses them to take control of an account. These credentials can often be gained from large companies that suffer a breach, and are then posted online in massive lists or sold on by hackers to other cyber criminals.

Malware

This is malicious software (hence the shortened name ‘mal-ware’) that is used to gather sensitive information, monitor keystrokes, disrupt your computer or gain access to private systems. Malware can take the form of trojans, worms, spyware, adware and scareware. It also includes ransomware.

Ransomware

Ransomware restricts or denies you access to your files, effectively locking out your computer until you pay a ‘ransom’ to unlock it. You’ll no doubt be aware of the recent WannaCry attack. It’s always a risk to pay the ransom, and not cheap to do so: Bitcoin is the payment form of choice, and the exchange rate varies wildly. You’ll immediately wish that you had bought some strong cyber security software. You also don’t know where the money is going. But you’ll likely get your files back. Word would soon spread if people didn’t, and then the scam would cease to make any more money.


Social Engineering

This is nastier than it sounds in a cyber security context. Targets are persuaded or psychologically manipulated into actions that will give away confidential information. This often happens by sending an email pretending to be a Director, and requesting a payment be made immediately – it’s usually enough to frighten admin staff, but you’d be surprised how easily even senior managers can get caught by this one.

Why target SMEs?

Usually cyber attacks are not personal. Malicious software packages are often placed onto unsuspecting and perfectly normal websites; they then attach themselves to visitors and go off hunting for weak spots and back doors.

Smaller businesses are usually vulnerable because they fail to apply system patches for Windows software, and because they don’t tend to spend money on cyber security software or systems. Smaller businesses are also easier to hack because their email systems, admin profiles and password practices are simple or outdated.

Additionally, people who work in smaller businesses are far more likely to mix personal and business use on their mobile devices. How many of us use a private VPN when using free wi-fi in public places? Or have installed enhanced security on our mobile devices?

We want easy fast access, not to have to enter passwords and passcodes every time we open an app.  A little bit of education can go a long way to saving heartache and business loss down the track.

Appetite for Risk

At any given time, an SME or sole trader business is likely to have funds in their bank account – ask yourself how much of that you can afford to lose or have stolen? A few hundred?  A few thousand?  All of it?

Answering this question will give you a clear idea of your appetite for risk. And if that appetite is low? Then it’s time to factor cyber security and protection of data – your own company’s, your employees’, your customers’, and your suppliers’ – into your budget before you find it’s too late.

October 18th, 2017 | Cyber Security, Data Protection