Procurement 3 October 2018

Why aren’t micro businesses protecting themselves against cyber threats?

Not taking cybersecurity seriously could lead to the loss of assets, reputation, sales and customers

Writing for Business Advice, Simon Yeoman, general manager at Fasthosts, reflects on misconceptions around cyber threats and explains how micro companies can protect themselves.

In a recent YouGov/Fasthosts survey it was revealed that 79% of decision-makers in micro businesses do not consider cyber security to be a high priority. In fact, it came fourth out of a list of priorities, behind “improving working efficiency” (37%), “expanding into new markets” (28%), and “creating new products and services” (28%).

But why are micro businesses taking their own cyber security so lightly?

The research further revealed that 84% stated they already had cyber security in place. Casting aside for a moment the worrying 13% of businesses that have no cyber security measures in place at all, the 84% who say they do are worth examining more closely.

When questioned further it transpired that the type of security seemed to be limited to “security software” (off the shelf antivirus package) (73%), having a firewall (63%), while only 53% regularly update their software.

These security measures are not nearly sophisticated enough for a business, no matter how small. And the root of this attitude seems to be that micro businesses do not think they are big enough to be targeted by cybercriminals. This is a dangerous line of thinking.

Small businesses are a huge part of the British economy. In 2017 micro businesses made up 96% of the SMEs in the UK. These smaller businesses account for 33% of employment and 22% of turnover nationwide.

Not taking cybersecurity seriously could lead to the loss of assets, reputation, sales and customers – any, or all, of which could push a company over the brink into bankruptcy.

Protect yourself

In the survey mentioned above, only 11% said that they had been affected by cyber-attacks, despite a study last year (2017) from the Federation of Small Businesses (FSB) showing that two-thirds of its members claimed they had been victims of cyber-attacks between 2014-2016.

This means that it is likely that many of the businesses that don’t believe they have been compromised are simply not aware of any breaches. If only 14% of those businesses actually have the means to detect if they’ve been compromised – you heard that right, the survey revealed only 14% do – then most micro businesses just don’t realise that they’ve been hacked until it’s too late.

As mentioned above 84% of micro businesses do have some form of cyber security protection in place, but it appears to be rudimentary, limited to readily available security software and firewalls. But what about program updates?

Update alerts for operating systems and software always seem to pop up at the most inconvenient times, right when you’re in the middle of something and up against a deadline or when you’re just about to shut down for the night, so that’s maybe why only 53% update their programs and systems regularly as part of their security strategy.

However, this opens up your business to a huge security risk, as older software will continue to have the same bugs and exploitable holes long after they have been discovered and, worse still, all of these exploitable entry points have most likely been made public after the release of updates.

A cloud on the horizon

Reflecting the lack of concern for security in general only 15% of micro businesses are worried about where and how their data is stored. This is worrying as we live in an age where data is rapidly becoming the prime target for cyber criminals, giving them high profits on the black market and worse, leverage over the companies whose security they breach. Given the amount of publicity surrounding the GDPR, it is a surprise to see such low levels of concern with where data is stored.

When it comes to data storage, cloud services have become an easy way to protect yourself, as it is encrypted in transit and in storage. But despite the prevalence of the cloud, only 44% of micro businesses say they store at least some of their data there. This means that 56% still haven’t adopted cloud storage in any form (or more possibly, they are storing data in the cloud but don’t realise it).

A big challenge for small businesses is the IT industry’s very broad use of the term “cloud”. The term encompasses such a wide range of different services that it is hard to choose one from the other, but the difference in security and features is vast. A sole trader or start-up with relatively simple requirements might store its data on one of the more well-known, vanilla services such as Dropbox or Google Drive for example.

These services are fine for storing data, but their functionality and security features are somewhat basic. As a business grows and its IT requirements become more complex (e.g. it deploys an ecommerce website or starts to build its own applications), it needs to graduate beyond these services. It is at this point that a business will look to the more dedicated cloud hosting services which offer the enterprise-level security features they need such as private networks, firewalls and VPNs to protect their data, applications, and website infrastructure. It is here that the term “cloud” begins to indicate a much higher level of security than was previously the case.

No business, however small, is immune from ransomware, phishing, hacking and basic human error, and yet it is difficult for small businesses to develop a cyber security strategy when they are not familiar with the ins and outs of the cyber security market. It is a common misconception that smaller businesses are not worth attacking, but that can lead to complacency and a lax attitude towards security, which can backfire in the event of a breach.

Micro businesses must make a concerted effort to educate themselves on cyber security and implement a consistent strategy that ensures they are protected and ensure they aren’t the easy target they may seem to cybercriminals.

Sign up to our newsletter to get the latest from Business Advice.