If you run or work in a busy small and mid-sized business (SMB) in London the last thing on your mind is probably how to protect your business from cyberattacks.
But whether you’re based in London or not, according to PricewaterhouseCoopers (PwC), cyberattacks have been the world’s fastest-growing economic crime since 2014, and the numbers continue to rise.
The Internet has been a revelation and a revolution. It’s changed our personal and business lives beyond recognition. But as soon as your enterprise launches a website or signs up for an e-mail service (both prerequisites for successful commerce today) you’re at risk from cyberattacks, and you need to know how to protect your company from them.
So, in this blog post we crunch the numbers about the cybersecurity threat, see how well prepared SMBs are and highlight what you can do to protect yourself. Here’s where you’ll find out more about:
- How prepared is the SMB community?
- The impact of a lack of resources
- So, what’s the typical cost of a cyberattack for SMBs?
- Prevention is always better than cure
- Web-based attacks
- Distributed Denial of Service (DDoS) attacks
- Phishing and social engineering attacks
- The threat from within
- Out of sight must not mean out of mind
- There’s no such thing as business as usual after a cyberattack
How prepared is the SMB community when it comes to cyberattacks?
The research suggests the majority of SMBs are unprepared to protect themselves against hackers, as these figures show:
- The proportion of SMBs reporting at least one cyber incident has increased from 33% to 47%
- For medium-sized businesses the increase is even greater, from 36% in 2018 to 63% in 2019.
- According to Verizon’s 2019 Data Breach Investigations Report, 43% of all breach victims were small businesses.
The impact of a lack of resources
Whether it’s not having expert IT staff, the free floorspace to host a secure equipment room or the budget to afford leading edge defensive technology, SMBs typically have fewer resources for cyber-security protection.
For example, an SMB IT Security Report by Untangle found that 48% of organisations say limited budgets are just one of the barriers they face when it comes to protecting their businesses from cyberattacks. Other research makes for sobering reading:
- According to Cisco, an SMB can face up to 5,000 security alerts per day on average, yet only a little over half of them investigate those alerts
- The Keeper Security-Ponemon Institute report suggests that six out of 10 SMBs report the attacks against them becoming more targeted, sophisticated and damaging
- The same report stated that 47% of businesses that had suffered an attack had no idea how to protect their company from cyberattacks
- 52% of SMBs say they don’t employ an in-house IT professional, according to the same SMB IT Security Report by Untangle.
So what’s the typical cost of a cyberattack for SMBs?
Overall, organisations with staff numbers of between 500 and 1,000 people shelled out an average of almost £2 million in total costs for each data breach.
The average cost of a cyberattack per employee was £154 for organisations with more than 25,000 employees, whereas organisations with between 500 and 1,000 employees faced an average cost of £2,656 per employee.
Prevention is always better than cure
Here’s our rundown of the top cybersecurity threats the typical small and medium-sized business in London faces, and our suggestions to combat them. Don’t worry, we’ve borne in mind any budgetary, space and staffing constraints you may trade under.
Malware
Malware is difficult to detect and costly to remediate and mitigate. The criminals behind it are motivated by financial gain, whether through extortion, coercion, fraud or stealing sensitive and classified information that can be sold to the highest bidder.
Recommendations: First and foremost, back-up. Plan it, make it part of your everyday processes and test it frequently. Use what’s known as the ‘3-2-1 Rule.’ That means having three copies of your data (on a workstation, in the cloud and on an external drive array, for example) and on two different forms of media (hard drive and the cloud, for example) with one complete copy held offsite.
Then ask a managed IT services provider in London about a budget-friendly endpoint protection solution. This can block sophisticated cyberattacks and help to defend your network in lieu of highly-trained IT staff.
Web-based attacks
Using an Internet browser and your own website as a launch pad, criminals can access and steal confidential client information, or compromise your site so that it infects its visitors.
Recommendations: The majority of web-based attacks exploit weaknesses in your website’s functionality by entering malicious code into your site’s input fields. Therefore, you need to control the types of user input your website accepts.
Again, talk to a managed services provider in London, especially their security experts, to audit your site for potential weaknesses and correct them. Also, ensure that any app developers or coders working for you are programmed with security uppermost in their minds.
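The recommendation above is to control what a website accepts in its input fields. The following Python snippet, added here as an illustration rather than code from the original post or from Totality, puts a weak database lookup beside a hardened one: the weak version splices the form value straight into the SQL text, while the hardened version first checks that the value has the shape the field is meant to hold (an allow-list) and then passes it to the database as a bound parameter. The customer table, its rows and the crafted form value are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory customer table standing in for a
# real site's database. Schema and rows are assumptions made for this example.
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, plan) VALUES (?, ?)",
        [("alice@example.com", "gold"), ("bob@example.com", "silver")],
    )
    conn.commit()
    return conn

# Weak version: the form value becomes part of the SQL text, so a visitor
# controls the structure of the query, not just the value being searched for.
def find_customer_unsafe(conn: sqlite3.Connection, email: str) -> list:
    query = f"SELECT email, plan FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()

# Hardened version, step 1: accept only input matching the shape this field is
# meant to hold. Anything that is not a plausible e-mail address is rejected
# before it goes anywhere near the database.
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}$"
)

def validate_email(value: str) -> bool:
    return bool(EMAIL_RE.fullmatch(value))

# Hardened version, step 2: bind the value as a parameter, so the database
# engine treats it purely as data and never as part of the SQL statement.
def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    if not validate_email(email):
        raise ValueError("rejected: input is not a well-formed e-mail address")
    return conn.execute(
        "SELECT email, plan FROM customers WHERE email = ?", (email,)
    ).fetchall()

if __name__ == "__main__":
    conn = build_sample_db()
    # Constructed hostile form input, used only to show the difference in
    # behaviour between the two lookups.
    crafted = "' OR '1'='1"
    print("unsafe lookup returns:", find_customer_unsafe(conn, crafted))
    print("safe lookup returns:", find_customer_safe(conn, "alice@example.com"))
    try:
        find_customer_safe(conn, crafted)
    except ValueError as err:
        print("safe lookup:", err)
```

Run stand-alone, the weak lookup returns every customer row for the crafted input, while the hardened lookup rejects it outright. Both controls matter: the allow-list narrows what reaches your code, and parameter binding makes sure that whatever does get through cannot change the meaning of the query.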
Distributed Denial of Service (DDoS) attacks
DDoS attacks often result in extended downtime for your website, costing you valuable opportunity, customers, productivity and, of course, profitability.
Recommendations: A good quality and well-configured content delivery network (CDN) can help prevent DDoS attacks and provide infrastructure DDoS protection. Talk to your managed IT service provider about the Arbor DDoS solution, for example. But plan ahead anyway and establish processes to help your business deal with one, such as ways to communicate with your customers, suppliers and partners should your website go down.
Phishing and social engineering attacks
A frightening 85% of businesses experience this kind of attack, and these attacks are especially worrying now that they are more sophisticated and polished and can carry other risks (such as ransomware) right into the heart of your enterprise.
Recommendations: Staff training has to be your first line of defence. Help your people to help your business by empowering them to identify and deal with anything suspicious such as phishing emails or links to dodgy websites. Create a culture of cybersecurity awareness amongst your team and make the training of effective digital and data security practices a top priority.
The threat from within
Unhappy and malicious current and former staff will sometimes be a threat to your data security, but not always in the way you imagine. Most often, it’s people who are simply negligent, inattentive or careless, or who abuse their privileges, that become an accidental insider and trigger a data breach.
Recommendations: Include the threat of insider breaches in your staff training. It reduces the likelihood of a future problem caused by accidents and carelessness, although not necessarily of deliberate or malicious acts.
In addition, you can restrict which devices, programs, files and records your people have access to. Check the credentials of everyone who has access to your systems, to ensure their identity, expertise and experience are as claimed. Control and prevent the running of any unauthorised code that arrives on one of your devices, however it has been delivered. Remember to include your in-house people, remote workers and temporary or contract staff in all of the above checks and balances.
Out of sight must not mean out of mind
Recent research by Trend Micro reported that device loss accounts for 41% of all data breaches, compared with 25% derived from hacking and malware.
Truth is, a member of your team can be using a mobile device to remotely, and perfectly legitimately, access, view, edit, share and download to their device all sorts of confidential documents. But if that mobile device gets lost or stolen and they haven’t protected it with a suitable passcode, your IT infrastructure, data, intellectual property, customer information and reputation are all under threat.
Another danger for remote workers is their repeated connections to unsecured public Wi-Fi networks around London and beyond, which can easily be hacked.
Recommendations: Education and good governance are vital. On top of this, talk to your team and your managed service provider about the following additional safeguards:
- Implement a ‘Role-based Access Control’ (RBAC) model which restricts an individual’s network access based upon their job
- Make good password and passcode management the heart of your data security regime
- Use password managers with two-factor authentication (2FA) and Single Sign-On (SSO) solutions
- Install remote wiping technology on all your devices
- Insist on Bring Your Own Device (BYOD) best practice in case members of your team want to use their own kit.
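The first safeguard in the list above is a role-based access control (RBAC) model that restricts what an individual can reach according to their job. The following Python snippet is an added illustration of that idea and is not code from the original post or from Totality: access is denied unless a role explicitly grants it, a person's rights are the union of their roles, leavers can have every role revoked in one step (the earlier section's point about former staff), and every decision is recorded so it can be reviewed later. The roles, permissions and people named are all constructed for the example; a real business would derive them from its own job descriptions.

```python
from typing import Dict, List, Set, Tuple

# A permission is an (action, resource) pair. Roles map to the permissions
# that job needs and nothing more. All names below are constructed examples.
Permission = Tuple[str, str]

ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "finance":    {("read", "invoices"), ("write", "invoices"), ("read", "payroll")},
    "sales":      {("read", "customers"), ("write", "customers"), ("read", "invoices")},
    "support":    {("read", "customers")},
    "contractor": {("read", "project-docs")},   # temporary staff get the narrowest role
}

# Who holds which roles. Unknown users are simply absent and get nothing.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"finance"},
    "bob":   {"sales"},
    "carol": {"support"},
    "dave":  {"contractor"},
}

def permissions_for(user: str) -> Set[Permission]:
    """Union of the permissions of every role the user holds (empty if unknown)."""
    granted: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted

def is_allowed(user: str, action: str, resource: str) -> bool:
    """Deny by default: only an explicit grant via a role yields True."""
    return (action, resource) in permissions_for(user)

def assign_role(user: str, role: str) -> None:
    """Add a role to a user, refusing names that are not defined (no silent typos)."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role: {role!r}")
    USER_ROLES.setdefault(user, set()).add(role)

def revoke_all(user: str) -> None:
    """Leaver process: remove every role so the account keeps no rights at all."""
    USER_ROLES.pop(user, None)

def audit(requests: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Decide each (user, action, resource) request and return a reviewable log."""
    log = []
    for user, action, resource in requests:
        decision = "ALLOW" if is_allowed(user, action, resource) else "DENY"
        log.append((user, action, resource, decision))
    return log

if __name__ == "__main__":
    # Constructed sample of access requests as they might arrive during a day.
    sample = [
        ("alice", "read", "payroll"),
        ("dave", "read", "payroll"),        # contractor reaching outside their job
        ("bob", "write", "customers"),
        ("carol", "write", "customers"),    # support may read but not change records
        ("mallory", "read", "customers"),   # nobody of that name: denied by default
    ]
    for entry in audit(sample):
        print(*entry)
    revoke_all("dave")                      # contract ends: nothing survives
    print("dave after revoke:", is_allowed("dave", "read", "project-docs"))
```

The useful property to notice is that the policy lives in one small table rather than scattered across the application, so changing a job description or off-boarding a contractor is a single edit, and the audit log makes it easy to spot people repeatedly trying to reach resources their role does not cover.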
There’s no such thing as business as usual after a cyberattack
Leading insurer Hiscox claims that UK businesses are nine times more likely to be a victim of cybercrime than of a burglary. What’s more, a cybersecurity or data breach isn’t just inconvenient and tiresome.
A Trend Micro survey found that although two thirds of UK companies ended up paying the ransomware demand and received a key or password, only 45% of those got their data back.
Losing valuable intellectual property and compromising your confidential data can do more than simply cause operational and reputational damage. The financial costs can also be devastating. For example, non-compliance with the EU’s GDPR laws could cost your business as much as €20 million or 4% of your annual turnover, whichever is greater.
SMBs have to take the cybersecurity threat seriously in order to protect their companies from cyberattacks.
Start by having a confidential, no-obligation chat with the highly expert and experienced managed IT service provider team here at Totality. We’ve earned a Feefo Gold Trusted Service Award, have five-star ratings from both Trustpilot and Google and deliver unrivalled IT support for London.