UK micro businesses unprepared for data breaches, study shows

A third of micro businesses in the UK would not know what to do if they were to suffer a data breach, a study shows

A third of micro businesses in the UK would not know what to do if they suffered a data breach, a study by security firm Kaspersky Lab has revealed.

The survey of 250 micro firms with up to ten employees also revealed that 40% would struggle to recover all data lost and 25% admitted they would not be able to recover any data.

According to the study, most firms do not believe they will be hit by a cyber attack, despite 68% having internet-connected computers and half allowing mobile and remote working.

An overwhelming 82% believe they are not a target for attack because they are too small or do not have anything worth stealing, even though they use computers to store and process vital business data.

This typically includes confidential customer, supplier, and financial data as well as valuable intellectual property.

“While it is encouraging that micro firms are embracing the new technologies, this must go hand in hand with a strong approach to internet security,” said Kirill Slavin, UK managing director at Kaspersky Lab.

“One in ten of those surveyed admitted that an IT security breach would probably cost them their business. This must be addressed, and quickly,” he said.

But this does not mean that micro firms have to become IT security experts, said Slavin, because most of the time it is the IT equivalent of remembering to lock all the doors and windows when you go out.

Alex Grant, managing director of fraud prevention at Barclays, said cyber fraud affects one in eight small businesses every year with fraud losses estimated at nearly £20bn.

Typical scams include tricking companies into supplying goods they never receive payment for or paying for goods they never receive.

“Fraud can happen to any type of business in many different ways, impacting their revenue, reputation and the long-term health of the business, with no business being too small to be targeted,” said Grant.

“The most important investment a business can make is to take the time to identify where they may be at risk from fraud and reduce those risks where possible to stay in control,” he said.

According to the Federation of Small Business, 41% of small firms were hit by cybercrime in 2013, with one in ten falling victim to online fraud and one in five affected by a computer virus. 

“With 4.7 million micro businesses in the UK, this is an issue that affects the bedrock of the economy,” said Robert Blackburn, director of the small business research centre at Kingston University.

“This is also important because most of these micro firms interact with larger companies and form part of the wider economic ecosystem,” he said.

Five daily checks to improve micro business security

1. Passwords: Check that all internet-enabled devices and computers that carry your business data are protected by strong passwords, regardless of whether the equipment is company or employee-owned.

2. Attachment awareness: Understand the dangers that can lurk in emails, web-links, USB sticks and CDs, and consider introducing extra software that will filter out or contain suspicious-looking items.

3. Educate all employees: Make sure everyone knows how to stay safe online, including how to use strong passwords, spot suspect emails or sites, and protect company information.

4. Backup: Every day make sure the information you store on computers is backed up and secure. Imagine how your business would cope if you had to get through the day without it.

5. Security systems: Take full advantage of internet security software that has been specially created for small firms to secure devices such as smartphones, laptops, tablets, computers, WiFi and networks. Do not forget about physical security - keep things out of sight and the site locked up.

Cyber criminals are increasingly targeting smaller, poorly protected firms as an easy stepping stone to larger firms in the supply chain, said David Emm, senior security researcher at Kaspersky Lab.

“In the past 18 months, we have seen a marked increase in the number of targeted attacks aimed at smaller businesses,” he said.

This means micro businesses not only have to deal with indiscriminate cyber threats aimed at consumers, but also more targeted attacks associated with large enterprises.

“Small businesses also tend not to realise that attacks that affect big businesses can affect them too,” said Emm.

“They also fail to recognise they have digital assets that could be valuable to attackers,” he said.

According to Emm, small businesses should take stock of their digital assets, think of who would be interested in those assets and how they could access them to help choose the right security defences.

“Micro businesses also tend to be project-based, which often means people are working in groups from different locations,” said Blackburn.

“This means they are more reliant on the internet and cloud computing services, which makes them more vulnerable to attack,” he said.

Although micro businesses are typically immature when it comes to IT security, managed services is tipped to become a rapidly growing market to support this sector of the economy.

“There is massive potential for growth in this industry, but it will need to meet the specific needs of micro business,” said Blackburn.

“Possibly, we will see different offerings emerging for different business sizes and types,” he said.

According to Peter Wenham, director of information assurance consultancy Trusted Management, any company that has no IT security expertise should consider outsourcing IT security management.

Specialist firms in this area are able to ensure client companies have appropriate policies, procedures and operational guidance in place.

Such firms can also offer overall security management of IT environments, including the undertaking of security reviews and audits and security awareness training for company staff.

UK Cyber Streetwise campaign

In January, the UK government launched a campaign urging small and medium-sized enterprises (SMEs) to become "cyber streetwise," to reduce the risk of cyber attack.

The Cyber Streetwise campaign is aimed at changing the way people view online safety by providing the skills and knowledge required to take control of cyber security.

Emm said the initiative was a good start, but that the government should do more to help small business regarding cyber security.

He said the government should ensure subsequent phases of the Cyber Streetwise campaign get greater media exposure and penetrate beyond the big cities.
