3 DEC 2019
It's never going to be top of your list of priorities when running a small business, so how can you ensure you're protecting your company and your clients' information? We ask five experts for their views
Cybercrime is becoming ever-more complex, which is why I'd recommend not taking on the responsibility of managing your own security. These days, many SMEs don't need their own in-house experts – they can easily use the services of third-party providers, who invest huge amounts in research and operations.
Data theft is the foremost risk surveying firms face, such as having your or your clients' details stolen, but sometimes a hack can happen really unexpectedly. A couple of years ago millions of LinkedIn user passwords were stolen – and it was a long time before many people even knew it. Moreover, with everyone now having to be General Data Protection Regulation (GDPR) compliant, you may face financial punishment for losing a client's data, even if you think a hack was not your fault.
Using a specialist security firm can help you protect your systems and data against 95% of cyber threats cost effectively. It also means the threat to your firm is minimised when new ways of hacking are discovered, as a specialist firm should already know about them and mitigate your risks.
Implementing simple password policies is one of the easiest and best steps you can take. You don't need to use lots of letters, numbers and symbols – a simple password such as "bananatelephonebucket" has been found to be just as, if not more, effective.
It is easy to be blind to the nature of cyber threats and attacks. The key thing about cyber criminals is that they don't necessarily target organisations – they target software and human vulnerabilities, which are present in companies of all sizes. Indeed, hackers quite like going after SMEs because they are generally less aware of the risks and how to protect themselves.
Most cybercrime takes place on a large scale – getting high volumes of low-value "wins" (thefts). It is often simpler to steal £10 from 1,000 bank accounts than to get £10,000 from one. What can be taken from surveying SMEs ranges from passwords to email addresses that can then be used for phishing attacks, on the company itself, its customers or people known to them.
The two basics of cyber security are: technical controls, which means having all your software fully patched and up to date, as well as using strong, secure passwords; and individual awareness. Businesses today have to be suspicious of just about any incoming – especially unexpected – email. Ensure staff are aware of emails coming in they are not expecting, even from someone they know – it could be an attacker who has stolen their client's email address in order to send out a phishing email. One of the best ways to pass a company's defences is to send a genuine email, but one that has a link in it that will download malware.
Many SMEs don't consider themselves important enough to be victims of a cyber attack. We often hear the question, "why me?". And when the attack happens, such businesses will probably be unprepared, because they have not invested enough in security in the first place.
In today's globalised, digitised and interconnected world, everyone can be the target of cyber criminals. Surveying SMEs in particular can be part of long, complex supply chains, and targeted as the weakest link. For example, a new trend we've observed is where an attacker will threaten to destroy data backups – anything from confidential client payment information to development blueprints – demanding ever-higher ransoms if they are not paid.
It is imperative that SMEs consider cyber security as part of the overall quality management of the business, not just as some expensive technical task. Ensure you have measures in place for the three phases of a cyber attack: before (preventative), during (reactive) and after (stabilisation).
Furthermore, make sure your client contracts are aligned with your security needs, and that your company is fully GDPR-compliant, with all processes and concepts properly documented. In addition, think about taking out a specific cyber security insurance that fits your individual risk profile and business needs.
We act for a range of clients at different stages of the property cycle – whether an acquisition, a tenancy matter or a development scheme – all of which contain commercially sensitive material. If their data was exposed to the wider world, there would be unforeseen financial consequences for both their business and our own. So our IT systems have to be as secure as possible. We do this while complying with GDPR requirements, and within the confines of any confidentiality clauses we may operate under, so it is critical that no data is leaked or lost.
Since most of us are not IT experts, I would always recommend using an IT provider to help minimise your risk and any disruption that may occur. Our provider, Clever IT, ensures our systems use good anti-virus software to combat malware, with enforced updating, so you can't keep putting off the updates when you get a reminder. It has also installed applications to monitor our IT infrastructure to detect abnormalities.
Given that most cybercrimes happen through employee error, you should ensure your staff are alert to the risks. Consider making cybercrime prevention training part of your induction and review processes for all employees, so they know what to look out for and what to do when they are unsure.
"It is imperative that SMEs consider cyber security as part of the overall quality management of the business, not just as some expensive technical task."
Dr Stefanie Frey
Managing Director, Deutor Cyber Security Solutions, Switzerland
Cyber security can be daunting, but you can boost your resilience by implementing basic security measures. It is not only incredibly important to protect company and client data, it is also the law. GDPR requires personal data to be processed securely, using appropriate technical and organisational measures, and clients will expect you to have minimal, established security measures in place.
Data breaches cost time, money and can damage your business's reputation. The most common cyber threats facing SMEs include viruses, worms, trojans, spyware, ransomware and distributed denial-of-service attacks, most of which are delivered by phishing emails. SMEs can best ensure they are protecting their company and their clients' information by following the steps in our Small Business Guide.
Of course, these steps can't guarantee protection from all types of attack, but they could significantly reduce the chances of your firm becoming a victim. Businesses should prepare for the most common threats by developing plans to handle those incidents most likely to occur.