The Department for Digital, Culture, Media & Sport (DCMS) published its Cyber Security Breaches Survey 2019 on 3 April, showing good progress but highlighting that more action is required.
The results show that medium and large businesses are ahead in their focus on security, yet 31 per cent of micro and small businesses still identified cyber security breaches or attacks in the last 12 months.
We looked at why cyber security isn't as high a priority for small businesses and explored ways to overcome the barriers. The three main reasons given for small businesses not investing in their cyber security are:
- They are too small
- Not seeing it as a risk
- Not prioritising cyber security
Statistics show that small businesses are at risk of cyber-attacks so why is it still a common misconception that they are ‘too small’ to be a target?
There is more money to be made from a large company, but large organisations are making cyber security a top priority and are correspondingly harder to break into. An attacker looking for an easy win will have done their homework and know that many small businesses are poorly defended.
Not a Risk?
Opportunistic phishing, malware and ransomware campaigns target everyone, not just large organisations. WannaCry and NotPetya in 2017 are prime examples: both spread between machines using an SMB vulnerability that Microsoft had already patched (MS17-010) before the outbreaks, and both hit companies of every size.
If the attacker is after intellectual property (IP) to sell, a small business's IP is often worth far more than the business spends protecting it, so it can make economic sense to raid several small businesses rather than one well-defended enterprise.
Another thing to consider is whether the small business is a supplier to a higher value target such as the government, banking or critical national infrastructure. It may be difficult for an attacker to target their end goal directly, but easy to do so indirectly by compromising their supply chain.
Not a Priority?
Small businesses are squeezed on cost and capability: they do not always have the budget or the staff to deal with security issues. But regulation now means that any business handling personal or payment card data has to take cyber security into consideration.
Two examples are the General Data Protection Regulation (GDPR), which applies to any organisation processing the personal data of people in the EU, and the Payment Card Industry Data Security Standard (PCI DSS), which is not a law but a contractual standard that the card brands impose on any business storing, processing or transmitting card data. The survey shows that while 88 per cent of small businesses have heard of GDPR, relatively few are aware of the implications. Only 58 per cent know they can be fined for a data breach and, more concerning, only 45 per cent know they need to report a personal data breach to the Information Commissioner's Office within 72 hours of becoming aware of it.
What can you do?
There are a number of things you can do to help improve your security posture that won’t cost you anything to implement.
- Logging Made Easy (LME) is a free tool from the National Cyber Security Centre that will provide a practical way to set up basic end-to-end Windows monitoring of your IT estate. This takes the difficulty out of gathering logs, transporting the data that’s been collected and then deciding where to store it and for how long.
There are several other free options, which you can review – we've shared a few below. Please note that these are not endorsed by NCC Group or Federation of Small Businesses and you should take proper security advice before implementing any cyber security solution. Visit the National Cyber Security Centre website for further guidance.
- Encourage the use of password managers. Good free options are LastPass and KeePass (KeePass keeps the vault as an encrypted file on the machine rather than in the cloud). They let your users have a strong, unique password for every system they use without having to remember anything but the master password.
- Ensure that the operating system's built-in firewall, such as Windows Defender Firewall, is enabled on every network profile and configured to allow only the inbound and outbound traffic that serves a business purpose. In practice that means the default inbound action stays at Block and exceptions are added per application or port. ZoneAlarm is a free third-party alternative.
- If your business needs remote access to its network over a VPN and the existing solution is ageing or unsupported, OpenVPN is a free and open-source alternative. Whichever product you use, keep it patched and protect it with two-factor authentication, because it is exposed directly to the internet.
- Implement two-factor authentication (2FA) wherever the service supports it. Free authenticator apps include Google Authenticator, Microsoft Authenticator and Authy; they generate one-time codes on the user's phone, so a stolen password alone is not enough to log in.
- Implement full-disk encryption on user workstations and servers so that data at rest stays protected if a computer or hard drive is lost or stolen. BitLocker is included with the Pro and Enterprise editions of Windows, and macOS includes FileVault. Keep the recovery keys somewhere safe and separate from the device, or a forgotten password locks you out of your own data.
- Install ad-blocking and browser security extensions such as AdBlock, AdBlock Plus and NoScript. They cut off malicious adverts and unwanted scripts, though NoScript blocks scripts by default and will break some sites until you allow them.
- Ensure that regular backups of key data are taken and, just as importantly, that you have tested restoring from them. Tools that can help include Bacula (open source) and Iperius Backup and Carbonite (check which editions are free). Keep at least one copy offline or otherwise unreachable from your network, because ransomware will encrypt any backup it can write to.
- Windows Defender antivirus offers real-time protection against viruses, spyware and other malware across the web, email, cloud storage and apps. It has been built into Windows as a full antivirus since Windows 8; on Windows 7 the Defender component only covers spyware, and you need Microsoft Security Essentials for full antivirus. Like all antivirus software, its signature-based detection only catches malware it already knows about, so it needs up-to-date definitions and should be treated as one layer of defence rather than a guarantee.
- Regularly updating Windows patches known security vulnerabilities in Windows and other Microsoft software, and the same Windows Update channel delivers the definition updates for Windows Defender. Turn automatic updates on rather than relying on someone remembering to run them.
- The NCSC offers free cyber security advice. It supports the most critical organisations in the UK, the wider public sector, industry and SMEs as well as the general public.
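The firewall, disk encryption, Windows Defender and Windows Update items above are all things you can check from one PowerShell window. The script below is an added example written for this page; it is not code from the original article or from NCC Group, FSB or NCSC. It assumes a Windows 10/11 or Windows Server 2016+ machine with the built-in NetSecurity, BitLocker and Defender modules available (BitLocker is absent on Home editions, so that check reports "not available"), and the 7-day and 30-day age thresholds are this example's own choices, not figures from the survey.

```powershell
# Added example, not code from the original article or from NCC Group, FSB or NCSC.
# Read-only hygiene check for the free Windows controls recommended above, with
# optional remediation (-Remediate) for the settings that are safe to change blind.
# Run from an elevated PowerShell prompt. Assumed: built-in NetSecurity, BitLocker
# and Defender modules; thresholds below are this example's own choice.
#Requires -RunAsAdministrator
param([switch]$Remediate)

$SignatureMaxAgeDays = 7    # Defender definitions older than this are treated as stale
$PatchMaxAgeDays     = 30   # no hotfix installed in this window suggests updates are off

function Test-HostFirewall {
    # Every profile (Domain, Private, Public) should be on and block unsolicited inbound traffic.
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Check  = "Firewall profile '$($p.Name)'"
            Pass   = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
            Detail = "Enabled=$($p.Enabled), DefaultInbound=$($p.DefaultInboundAction)"
        }
    }
}

function Test-DiskEncryption {
    # Data at rest: the operating system volume should have BitLocker protection switched on.
    try {
        foreach ($v in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
            [pscustomobject]@{
                Check  = "BitLocker on $($v.MountPoint)"
                Pass   = $v.ProtectionStatus -eq 'On'
                Detail = "Protection=$($v.ProtectionStatus), Status=$($v.VolumeStatus)"
            }
        }
    } catch {
        [pscustomobject]@{ Check = 'BitLocker'; Pass = $false; Detail = "Not available: $($_.Exception.Message)" }
    }
}

function Test-Defender {
    # Real-time protection on, and definitions recent: signature detection only catches what it has seen.
    try {
        $s   = Get-MpComputerStatus
        $age = (Get-Date) - $s.AntivirusSignatureLastUpdated
        [pscustomobject]@{
            Check  = 'Defender real-time protection'
            Pass   = $s.AntivirusEnabled -and $s.RealTimeProtectionEnabled
            Detail = "AntivirusEnabled=$($s.AntivirusEnabled), RealTime=$($s.RealTimeProtectionEnabled)"
        }
        [pscustomobject]@{
            Check  = 'Defender signatures current'
            Pass   = $age.TotalDays -le $SignatureMaxAgeDays
            Detail = "Last updated $($s.AntivirusSignatureLastUpdated) ($([int]$age.TotalDays) days ago)"
        }
    } catch {
        [pscustomobject]@{ Check = 'Defender'; Pass = $false; Detail = "Not available: $($_.Exception.Message)" }
    }
}

function Test-Patching {
    # Get-HotFix works offline; a recent install date shows Windows Update is at least running.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $days   = if ($latest) { ((Get-Date) - $latest.InstalledOn).TotalDays } else { [double]::PositiveInfinity }
    [pscustomobject]@{
        Check  = 'Windows updates recent'
        Pass   = $days -le $PatchMaxAgeDays
        Detail = if ($latest) { "$($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())" } else { 'No hotfix install dates found' }
    }
}

function Invoke-Remediation {
    # Only changes that are safe to apply without preparation. BitLocker needs a recovery key
    # escrowed first, so it is deliberately left to a person.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
    Set-MpPreference -DisableRealtimeMonitoring $false   # may be refused if tamper protection is on
    Update-MpSignature
    Write-Host 'BitLocker and Windows Update left unchanged: save a recovery key, then run Enable-BitLocker; check Settings > Windows Update.'
}

$results = @(Test-HostFirewall) + @(Test-DiskEncryption) + @(Test-Defender) + @(Test-Patching)
$results | Format-Table Check, Pass, Detail -AutoSize
if ($Remediate -and ($results | Where-Object { -not $_.Pass })) { Invoke-Remediation }
```

Run it without arguments first and read the table; anything with Pass = False is a gap in one of the free controls listed above. The checks are deliberately conservative: a third-party antivirus will make the Defender rows fail even though the machine is protected, and a freshly imaged PC may have no hotfix install dates yet, so treat a failure as a prompt to look rather than a verdict.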
Budget has to be a high priority for small businesses, which is understandable, but basic security hygiene such as patching and antivirus isn't expensive, and there are a number of free tools available (subject to our guidance above on taking proper advice before implementing any cyber security solution).
For small businesses a successful cyber-attack can be an existential issue so an increased focus on security is of utmost importance.
As always, if you have a legal query please get in touch with the FSB Legal Helpline on 0345 0727727 and we'll be happy to assist you.