Over half of medium-sized firms that do business on the
internet lack even basic online security measures, according to the
Confederation of British Industry.
The shock finding has prompted the CBI to launch Securing Value
in the Online World, a security guide to help small and
medium-sized businesses protect their networks from
online attacks.
The CBI said medium-sized firms were not only leaving themselves
vulnerable to online attacks but putting other businesses in the
supply chain at risk.
A recent CBI survey found that 60% of medium-sized firms engaged
with their suppliers, partners or clients online. But over half
(52%) of these firms had no online security planning in place to
address threats and deal with actual attacks.
The CBI said small firms fared little better, but pointed out
that as medium-sized companies were more likely to integrate their
systems with large firms, as well as trade with smaller ones,
medium-sized firms were a major potential security threat to the
supply chain.
The CBI guide includes advice on how to deal with online
attacks, viruses and cybercrime in the supply chain.
The publication is supported by the DTI and Ernst & Young.
John Cridland, CBI deputy director-general, said, “The internet is
a business opportunity that many firms are seizing with both hands.
So, it is a serious concern that so many medium-sized firms are
leaving themselves and others open to online attack and abuse.”
He said, “These firms account for over half of UK company
turnover and are large enough to win contracts with big business.
But large firms expect to be able to do their online business
securely.”
Cridland said that while medium-sized firms cannot afford
extensive IT systems, there were straightforward measures firms
could take to protect themselves and their customers.
Consisting of easy-to-use modules and toolkits, the guide shows
companies examples of how to address real-life problems.
These include disruption to company systems and networks, theft
of business information, hacking, spam e-mails, phishing attacks
and illicit use of company systems.