Cyber attacks are increasingly in the headlines of mainstream media, yet research reveals that a third of UK micro businesses would not know what to do if their IT was breached.
Four in 10 micro businesses would struggle to recover if all data were lost and one in four would not be able to recover any data, the study by Kaspersky Lab revealed. Why are they so unprepared?
This is a significant problem given that there are 4.7 million micro businesses in the UK, defined as companies employing 10 or fewer people, which are the bedrock of the UK economy.
It is also worrying because most of these companies are suppliers to bigger companies and therefore more likely to be targeted by cyber attackers as a stepping stone to bigger targets. Kaspersky reports an increase in this type of two-step attack in the past 18 months.
This means micro businesses not only have to deal with indiscriminate cyber threats aimed at consumers, but also more targeted attacks associated with large enterprises.
But why are micro businesses so unprepared for cyber attack?
The most obvious reason is that in many micro businesses, the owner is also the manager and is responsible for dealing with suppliers and customers.
“Many manage their business by the seat of their pants; they are focused on the business, and cyber security is secondary,” according to Robert Blackburn, director of the small business research centre at Kingston University.
“Delivery of service to customers is their first priority and this, together with dealing with customers and suppliers, takes up just about all of their time,” he told a roundtable discussion on the Kaspersky research findings in London.
But, when these operations are breached, the business is often left in “free fall”, he said.
Although Barclays offers an online guarantee for businesses affected by online fraud, many struggle in the immediate aftermath to pay employees and suppliers, said Alex Grant, managing director of fraud prevention at Barclays.
“Most are in shock when they are hit by cyber fraud because it is not something they have thought about before. Their focus is on customers and bringing in the money,” he said.
According to Barclays, cyber fraud affects one in eight small businesses every year with fraud losses estimated at nearly £20bn.
“With all that small business owner/managers have to take care of on a daily basis, it is easy to understand how technology and security can be overlooked,” said Mark Chaudhuri, director of March Solicitors.
Even small legal firms, he said, typically lack a focus on information security despite the confidentiality of the information they deal with because they are focused on their case work.
“We try to take tech seriously and have lots of security because of the confidentiality of our client data,” said Chaudhuri. This is the main reason he has avoided cloud-based services.
But he admits that the monthly review of IT systems at his legal firm was introduced only after a cyber theft a year ago.
“Our financial loss showed that even with the best will in the world, you can be hit by cyber theft and that cyber criminals will take money wherever they can from any size of business,” said Chaudhuri.
Never happens to us
The second factor contributing to a lack of cyber attack preparedness is that most micro businesses think it will never happen to them.
The study found that 82% of those polled believe they are not a target for attack because they are too small or do not have anything worth stealing, even though they use computers to store and process vital business data.
This data typically includes confidential customer, supplier, and financial data as well as valuable intellectual property.
“Fraud can happen to any type of business in many different ways, impacting their revenue, reputation and the long-term health of the business, with no business being too small to be targeted,” said Barclays' Grant.
“The most important investment a business can make is to take the time to identify where they may be at risk from fraud and reduce those risks and where possible to stay in control,” he said.
The same applies to all kinds of cyber attack affecting all kinds of data that can be turned into revenue by cyber criminals, said David Emm, senior security researcher at Kaspersky Lab.
“Small businesses should take stock of their digital assets, think of who would be interested in those assets and how they could access them to help choose the right security defences,” he said.
The third factor contributing to a lack of cyber attack preparedness is a lack of awareness around the types of attacks and how these can be avoided.
“From the cyber fraud cases we see, people are still clicking on malicious links in emails or responding to phishing emails,” said Grant.
One of the biggest threats Barclays is working on is the increasingly sophisticated banking Trojans being used by cyber criminals to siphon funds out of bank accounts.
Many of these Trojan infections are the result of people unwittingly clicking on malicious links in emails that appear to be legitimate.
“For this reason, Barclays is focusing heavily on customer education, and according to our metrics, this approach is having a positive effect in reducing cyber fraud,” he said.
Part of that education process is helping small businesses to understand that they need to think like big business when it comes to information security.
Chaudhuri considers his legal firm more secure than most other businesses of the same size, but he admits that it takes time and effort.
“You need to do the research, find suppliers or consultants you can trust, and then make tough decisions,” he said.
Education and awareness on cyber security issues are clearly important, and here the government plans to play an increasing role as part of the national cyber security strategy.
In January, the UK government launched a campaign urging small and medium-sized enterprises (SMEs) to become "cyber streetwise," to reduce the risk of cyber attack.
The Cyber Streetwise campaign is aimed at changing the way people view online safety by providing the skills and knowledge required to take control of cyber security.
Emm said the initiative was a good start, but the government should do more to help small businesses regarding cyber security.
He said the government should ensure subsequent phases of the Cyber Streetwise campaign get greater media exposure and are seen beyond the big cities.
In June, the government launched the Cyber Essentials Scheme, a guidance and certification scheme to help UK businesses get the basics of cyber security right.
Government hopes that the scheme, which is intended to show what good security looks like, will prove to be a cost-effective way for all UK businesses to get the basics right.