Cyber threats have become an ever-present concern for businesses of all sizes. But for SMEs in particular, managing these risks with limited resources, time, staff and budget poses a significant challenge.
Nearly three-quarters (73%) of small business owners in the US reported a cyberattack last year, with employee and customer data most likely to be targeted in data breaches, according to research. Meanwhile, a recent UK survey revealed that SMEs here estimate an economic loss of around £123,984 from being offline for an average of four days following a cyberattack.
‘Cyber risk must be constantly managed and assessed; it’s a never-ending process,’ says Tim Brimmer, founder of cybersecurity company CyberAI. ‘With 76% of attacks happening after-hours or during the weekend, it’s a 24/7, 365-day commitment.’
So, what is the ideal solution for SMEs when it comes to managing cybersecurity risk? Here are some options.
Expert support
Cybersecurity is complex. Outsourcing cybersecurity services can offer continuous protection that typically surpasses the capabilities of internal teams in small businesses.
‘Outsourcing not only enhances risk management but also enables internal teams to concentrate on other crucial aspects of the business,’ says Brimmer.
He emphasises the importance of thorough research when selecting a provider, ensuring that their services align with your business model and compliance requirements. ‘Certifications and adherence to local standards are important markers of a reliable provider,’ he says. ‘Managed services offering comprehensive protection and round-the-clock monitoring are particularly valuable, providing peace of mind and allowing internal teams to focus on their primary tasks.’
Learn together
Regardless of the benefits of outsourcing, the associated costs simply aren’t sustainable for some SMEs.
Wealth-management SME Six Degrees has chosen to combine in-house and outsourced cybersecurity. ‘Cybersecurity is a top priority for us, owing to its close interaction with data protection,’ says COO Victoria Sena. ‘As an SME that serves high-net-worth families, it is critically important that we protect our clients’ data, as a breach could bring down the business.’
Sena has spent considerable time building out the company’s IT framework, and crafting policies and procedures around topics such as information security, disaster recovery, data protection and data retention. As with all policies and procedures, they are live documents that are amended when necessary to ensure that they are kept up to date.
‘People are our first line of defence,’ she says. ‘Most attacks will come through our mailboxes, because even though Outlook is great at spotting and blocking obvious spam, cybercriminals are getting more sophisticated with their approach.
‘We have a culture of “if in doubt, call it out”,’ Sena adds. ‘If anyone is even slightly suspicious of an email, they will flag it to me as COO to investigate. One time I found an entire Reddit page dedicated to busting a particularly sophisticated Chinese scam. More obvious examples include missed calls from a mobile number claiming to be HMRC.’
In terms of ensuring the effectiveness of this method, Sena says that ‘it is mainly self-fulfilling, as staff learn from each other about the different forms of cyber-crime out there’.
Six Degrees is also supported 24/7 by an outsourced IT consultancy that specialises in Microsoft 365 management and cybersecurity. ‘The consultancy migrated us all onto Microsoft Premium and reviewed our policies and procedures,’ says Sena, adding that it is now helping the business acquire Cyber Essentials certification, a scheme backed by the government’s National Cyber Security Centre. ‘The certification will provide peace of mind that we are protected against most common cyberattacks,’ she says; the next step will be to attain Cyber Essentials Plus, which involves a hands-on technical verification of the company’s IT framework.
Stay informed
For small teams seeking straightforward cybersecurity strategies, there are solutions that can safeguard the business from cyber threats without requiring extensive training or diverting attention from core business activities.
Brimmer points to a number of cybersecurity practices that, he says, all SMEs should implement to protect their business, without significant time investment.
‘About 95% of cybersecurity issues are caused by human error, so providing basic ongoing training to employees is a must,’ he says. ‘Focus on phishing and appropriate internal processes for payment-handling and finance outcomes, and instal reputable endpoint protection software.’
Brimmer also recommends setting strong passwords and changing them frequently, using multi-factor authentication and regularly updating all software.
‘Secure all Wi-Fi connections and keep the business website secure, keep backups of all information and get cybersecurity insurance,’ he says. But most importantly, ‘Always remember that physical security plays a major part in cybersecurity.’
Sena’s organisation provides training to all employees to establish a security-conscious culture. She says they are aware that human error is one of the biggest information security threats to the business.
Whatever approach works best for the individual SME and whatever the costs, daily headlines about hacks, breaches and reputational damage make cybersecurity a question of business survival.