Procurement 4 May 2018

FSB policy director: Micro business owners hold exactly the kind of data cyber criminals want

Martin McTague is policy director at the Federation of Small Businesses

Challenging the perception that cyber criminals are more concerned with large firms than smaller enterprises, Martin McTague, policy director at the Federation of Small Businesses (FSB), offers micro company owners a wake up call with some crucial cyber security action points.

From TalkTalk to Uber, Yahoo! to the adult networking site Ashley Madison, they’ve all been victims of cyber attacks. Big names, with millions of customers, falling prey to hackers is, unsurprisingly, big news when it happens. But the fact that the cyber attacks we hear about are the ones affecting well-known, large corporations helps to fuel the perception among small business owners that it’s not a risk that applies to them. The reality is very different, with 45 per cent of micro and smaller businesses experiencing a data breach in 2016-17.

When a cyber attack happens, it costs the business time, money and reputation. It can force the business to suspend operations while the problem is fixed; where customer data has been breached, time will have to be spent dealing with the resulting complaints and resolving disputes; even if you’re insured, you’ll still have to go through the process of assessing the damage and making a claim.


Government research suggests it takes on average half a day to get back up and running, but with a serious breach it can be significantly longer. The average cost of a cyber security breach for a small or micro business is nearly £1,400. And contrary to common belief, financial losses are not always reimbursed.

And yet, as highlighted in the recently published “A Call to Action: the Cyber Aware perceptions gap” report, part of the government’s Cyber Aware campaign, among millions of SMEs there is the perception that it’s not something that’s likely to affect them or – if it is – there’s not much they can do to guard against it.

Although worrying, it’s understandable. A self-employed gardener or someone running their own hair salon may well think that they operate under the radar of cyber criminals or that they “don’t have data that is worth stealing”.

The reality is, most businesses now hold customers’ names, addresses and contact details – and those are exactly the kind of things hackers want to get their hands on.

Other small firms will be reliant on computer systems to run their businesses; some will sell online; some will have customers’ banking information. Again, big targets for cyber criminals. And cyber crime isn’t necessarily restricted to data theft – many incidents involve extortion (ransomware attacks) or the hijacking of a business’s computer to enable cyber crimes to be committed elsewhere.


At the Federation of Small Businesses, one of our priorities is to try to improve awareness of the dangers of cyber crime to small firms, and working alongside Cyber Aware is an important part of that.

Last year we got to the point where we were so concerned about the number of our members who didn’t recognise the cyber crime risk that we set up a free helpline and cyber insurance as a standard membership benefit, which meant members had some protection even if they didn’t realise they needed it.

Private and public sector collaboration

There is a wider need for a joint approach to cyber crime across the private and public sectors. There should be an accepted principle that those best-placed to improve cyber security should do the most. Internet service providers, software developers, website designers and search engine platforms are all much better placed than individual SMEs or consumers to strengthen cyber resilience.

A good example of this principle in action is tech firms making products more cyber-secure. Building in resilience at the design and development stages will reduce the risk for small firms using those products. At the same time, we all have a role to play.

According to government figures, the average person in the UK is about 11 times more likely to fall victim to computer misuse than they are to a robbery. Just as you probably wouldn’t leave your business unlocked at night, or walk alone with the day’s takings down a dark alley, it’s time to take precautions against cyber crime and wake up to the criminals that lurk beyond the computer screen.

Cyber Aware has developed a set of easily actionable behaviours, which, if adopted and adhered to, will provide the best protection against the majority of cyber criminals. Chief among these is to always install the latest software and app updates, which contain vital security updates that help protect your device from viruses and hackers.

Having strong, separate passwords for your most important accounts – such as your work email – means that if hackers steal your password for one of your less important accounts, they can’t use it to access your most crucial accounts.

Martin McTague is policy director at the FSB
