How small businesses are coping with cyber threats
While cyber attacks against big firms such as KFC, The Royal Mail, and the UK police have hit the headlines, florists, charities, healthcare providers and other small businesses are not exempt from data breaches.
In fact, in the past year, 48% of small and medium businesses suffered a cyber security incident, and 25% of SMBs experienced an attack more than once according to a new report from Sage, a firm that provides accounting, financial, HR, and payroll technology for SMBs.
While three-quarters of small to medium businesses worldwide interviewed for the report claim to regularly review their cyber security, according to Sage’s report this confidence is misplaced, as seven in ten still see threats as a major concern.
“SMBs are the ones innovating, they’re the ones providing new services, they’re the ones responding to their communities around them,” acknowledges Sage’s director of cyber security awareness and engagement, Sophie Adhami.
With smaller organisations, explains Adhami, work environments make for “a really interesting dynamic”.
In comparison to large organisations that may have entire teams and third parties dedicated to keeping the firm protected, it’s on those who may have never thought about cyber security prior to starting a business to gain the knowledge and set up their defences.
“What we’ve realised is that SMBs are facing an increased threat with lower resources to address them,” Adhami says.
Speaking at Sage’s launch of the report, deputy director of cyber resilience in the UK government’s department for digital, culture, media, and sport, Emma Green, said “This is the first year that we actually saw a decrease in the number of incidents that were being reported by businesses and charities.”
This finding, added Green, took the department by surprise. “Then we looked at it in the context of the other results from the survey,” she added, “and across the board, we saw that the small business community was deprioritising cyber as an investment activity.”
Those that were investing in cyber security, however, reported an increase in the number of incidents, so the report concluded that incidents were happening at SMBs; these businesses simply don’t have the systems in place to recognise when a cyber incident has occurred.
How are SMBs currently protected?
According to the report, about one in five SMBs rely solely on basic controls and about 60% of SMBs back up their data. Not all have put processes in place to manage cyber security for remote workers: 80% of SMBs with remote workers have yet to do so.
The report acknowledges that even “basic” cyber security measures can be complex to set up, with foundational aspects of cyber security including system patching, backing up data, access controls, two-factor authentication, asset oversight, and security monitoring, which all require specialist skills to implement.
Speaking at the report’s launch, Kathryn Heath, a finance administrator for St George’s Church in Leeds said that managing cyber security “feels quite chaotic”.
Heath explained that she didn’t feel confident enough to ask informed questions about cyber security. Even now, she added, “I’m beginning to feel like I know just enough to be really concerned about something that wasn’t even on my radar.”
“For instance, before talking to the person responsible for the security of our systems, I didn’t feel well informed about how complex our systems were, with the cloud, the data storage, the drives, and the bespoke software we are running.”
The report also found that 46% of SMBs don’t employ firewalls, even though 84% claim familiarity with them.
Cindy Cleasby, a spokesperson from private care firm, Roche Healthcare, explained at the event that introducing such security measures meant a large investment: “To bring in certain firewalls, we’re having to re-cable the building.”
“We’ve had new servers, new computers, and new laptops, and now we’re cabling,” Cleasby said. “It’s been a big expense for our company.”
Over 40% of the respondents to Sage’s report say economic uncertainty and the current cost of living have reduced cyber security budgets, which may explain the lack of investment Green noted earlier.
To tackle this, Green says that SMBs need to “make sure that they are managing their cyber risk as a business risk.”
Green and Adhami stated that firms needed to start implementing cyber security awareness in their company culture as the first step towards making their firm more protected.
Currently, 15% of UK SMBs only discuss cyber security when something goes wrong.
“Creating that culture of risk awareness from the top and making sure that everybody in the organisation feels some accountability to be reporting things such as phishing emails, and anything that doesn’t look right, is a really important way of finding where the attacks are likely to happen,” Green says.
Ben Aung, chief risk officer at Sage, recommends that UK businesses sign up for ‘Early Warning’, a free government service that helps detect hacking activity on a business system and also points out vulnerable services and programs running on a business’s assets.
Green concluded, “I think it is unrealistic to expect that all organisations are going to be able to protect themselves indefinitely.”
But her answer is: “Build your systems, isolate the problem, and make sure that you’re able to continue your business as usual, because ultimately the most important thing is resilience.”