Small firms are unfairly carrying the cost of cyber crime in an increasingly vulnerable digital economy, according to a survey of members by the Federation of Small Businesses (FSB).
Smaller firms are collectively attacked seven million times a year, costing the UK economy an estimated £5.26bn, the survey report revealed.
The report claimed, however, that cyber crime costs small businesses disproportionately more than big businesses when adjusted for organisational size.
It also revealed that despite 93% of small firms taking steps to protect their business from digital threats, two-thirds have been a victim of cyber crime in the past two years.
“Over that period, those affected have been victims on four occasions on average, costing each business almost £3,000 in total,” said the report.
The FSB is calling for more government support to be given to those smaller firms least able to bear the burden of the increasing global cyber threat.
Almost all the UK’s 5.4 million small firms rate the internet as being highly important to their business, with two in three offering – or planning to offer – goods and services online.
Without intervention, the FSB believes the growing sophistication of cyber attacks could stifle small business growth and, in the worst cases, close them down.
“The digital economy is vital to small businesses – presenting a huge opportunity to reach new markets and customers – but these benefits are matched by the risk of opportunities for criminals to attack businesses,” said FSB national chairman Mike Cherry.
“Small firms take their cyber security responsibility very seriously, but often they are the least able to bear the cost of doing so,” he added.
“Smaller businesses have limited resources, time and expertise to deal with ever-evolving and increasing digital attacks. We’re calling on government, larger businesses, individuals and providers to take part in a joint effort to tackle cyber crime and improve business resilience.”
The survey showed that the types of cyber criminal activity most commonly affecting small businesses include phishing emails (49%), spear phishing emails (37%), and malware attacks (29%).
Small firms are also concerned about hacking and fraud when the card is not present, with the average information breach setting them back 2.2 days.
To counteract this, 80% use computer security software, and 53% perform regular updates of their IT systems.
The FSB report also revealed room for small firms to improve security. Currently, only a quarter of smaller businesses have a strict password policy, just 4% have a written plan of what to do if attacked online, and only 2% have a recognised security standard such as ISO27001 or the government’s Cyber Essentials Scheme.
“The vulnerabilities of the digital world affect everyone, and the responsibility for improving resilience should not be left to the group with least resource to do something about it,” said Cherry.
“Security is important, but given that an element of risk will always be present when operating online, resilience must also be championed. Without a concerted effort to reduce cyber crime and improve resilience, small businesses could be at real risk.”
According to the FSB, there needs to be significant simplification and consolidation of cyber security information provided by government. The FSB believes the National Cyber Security Centre should become the hub for this, providing a one-stop-shop for advice and guidance for all small businesses alongside a determined marketing effort to ensure businesses are aware of it.
The FSB is also calling for better incentives for small businesses to encourage them to invest in cyber resilience measures and adopt best practice when it comes to increasing their cyber resilience.
The law enforcement response to cyber crime must be improved at the local, regional, national and international levels, warned the FSB.
There must be more investment by the government in law enforcement resources to effectively tackle cyber crime, the organisation said, and businesses should be encouraged to report every crime and reassured it will be taken seriously.
At Infosecurity Europe 2016 in London, a panel urged businesses to engage as early as possible with law enforcement on cyber crime.
Garry Lilburn, detective inspector at the Metropolitan Police's cyber crime unit, said that although current reporting mechanisms are “clunky” and there are plans to replace them, businesses can instead make direct contact with the cyber divisions of the National Crime Agency (0370 496 7622) UK-wide, or the Met Police for cyber crime in London (0207 230 8129).
The panel also highlighted the fact that while there is a fair amount of support for big business and consumers, there is relatively little support for small businesses in terms of identifying and mitigating cyber threats.
Rik Ferguson, advisor to Europol and vice-president of security research at Trend Micro, said smaller businesses typically do not have the same level of security awareness or resources as bigger firms.
“While large organisations have the resources to understand and respond to threat intelligence gathered through industry forums, the government-sponsored cyber security information sharing partnership (Cisp) and the national computer emergency response team (Cert-UK), smaller businesses do not,” he said.
Ferguson added that it was important this gap be addressed to raise awareness among smaller companies about how to engage with law enforcement, how to collect evidence, and how to mitigate attacks so they don’t become a security risk for their business partners.