
How big is the threat?

They’re costing SMEs dearly
Cyber attacks aren’t merely a frequent occurrence for small businesses, they’re costly too. Last year the average financial impact of cyber attacks was £25,700. But not only do businesses have to ‘pay out’ due to cyber-attacks via the costs of ransoms and replacing expensive hardware, but they can also suffer reputational damage that simply can’t be quantified. We all know that implementing new strategies within businesses doesn’t happen overnight. So with that in mind, let’s turn to what SME businesses with limited cybersecurity knowledge can do in the immediate aftermath of a cyberattack. After which, they’ll hopefully implement longer-term preventative strategies to stop this from happening in the future.
Ben Rose, chief underwriting officer, Digital Risks
SMEs have to have an effective response plan in place to control the situation as quickly as possible with minimum impact to them and their customers.
Oz Alashe, CEO and founder, CybSafe
Following the discovery of a breach, SMEs should act immediately to prevent further damage and to determine what’s been compromised. While leaked data involving names and addresses can cause harm, breaches involving data such as passwords and credit card information present a much greater risk. What constitutes a suitable reaction will, in part, depend on what has been stolen and how much damage this could cause. After identifying all compromised information, they should notify customers and partners as soon as possible. Delays in getting this information out expose those affected to greater harm. Sensitive personal information can be uploaded to the dark web within hours, so time really is of the essence.
Be transparent with customers…
When informing customers and business partners, organisations should be open about how and why a data breach was able to take place, and who has been affected. Those impacted in the breach won’t appreciate a lack of transparency, and they’ll expect clear and concise advice on what, if anything, they need to do in response. If passwords have been compromised, they should be provided with guidance on how to change these and what other steps they might need to take. In some circumstances, businesses may be obliged to report breaches to the Information Commissioner’s Office (ICO) within 72 hours of discovery. If it’s likely that sensitive data has been exposed without consent, then reporting the breach to the ICO is advised. If organisations fail to report a breach then they must be prepared to justify that decision. More information on the appropriate circumstances for reporting can be found on the ICO’s website.