"We're a tiny company, why would anyone want our data? It's not like we're making tens of millions in profit"
"We're too small to matter - cyber security doesn't apply to us"
These are the sorts of things we hear every single day as a cyber security provider. Unfortunately, while these businesses maintain this mindset, they're really just extending their risk exposure.
The longer we pretend the threat doesn't exist, the easier it becomes for cyber criminals to make our businesses targets.
Essentially, it's like heading out to work and leaving your front door wide open all day on purpose.
For the sake of your business, here's the mindset you need to adopt instead.
"My business will be breached"
And yes, you did read that correctly.
The cyber threat is a lot bigger than you think...
With as many as 39% of businesses in the United Kingdom reporting breaches between April 2020 and April 2021, it's not a huge stretch to consider that your business may well become part of a statistic like this.
Think about it for a second.
You use technology every single day, your team uses technology every single day. In fact, you probably rely on it for your business to function.
When you consider the sensitive information and data that you're handling without cyber security measures in place, you can quickly see why this puts your entire business at risk.
Why you make a good target
Cybercriminals are banking on the fact that your small business is sitting there unprotected. They know that you don't have infinite budgets to invest in highly sophisticated cyber security solutions and they're hoping you're not bothered enough to train your staff, write policies and manage your vulnerabilities.
They may just use you as a foothold to gain access not only to your data, but the systems and data of the larger companies you may be a supplier to. Bad actors know if they find a weak link lower down the supply chain, they'll have a much better chance of successfully breaching and then being able to move up it! One of the most high profile supply chain attacks on American store, Target, used this method, with the attack originating from a third-party air conditioning firm, one of Target's suppliers.
And when a breach does hit, it won't just be you that feels the impact.
Of course, I'm talking about your clients.
Your clients have the right to expect their data to be in safe hands. They enter into business with you trusting that you'll treat their sensitive information with the utmost care, so if it's revealed that their data has been the subject of a cyber breach, you can bet you're not going to have happy clients!
Ultimately, the businesses who choose to avoid cyber security will likely lose important business in this way.
You can't afford to ignore cyber security
Even as an SME, your business still needs to utilise cyber security otherwise the consequences can be catastrophic.
Imagine being fined 4% of your turnover because you didn't have any security measures in place after being found to have breached GDPR.
Ask yourself, would your business survive if it lost 4% of its turnover?
For some organisations this will be a nuisance, perhaps cause you to lose a bit financially, but for others, this can be as bad as life or death. In November 2019, a French hospital which experienced a cyber-attack were incredibly delayed in providing crucial, emergency medical care.
If they had the foundations in place and had documented processes and policies for their staff to follow long before they had their attack, they would haven't have had to resort to using a pen and paper to file life-threatening information.
Your business is nothing without its clients.
When you're breached, you have to notify ALL of your clients within 72 hours about the breach.
If your clients then learn that you didn't even have anything in place to protect their data, all that trust you've spent time building will be gone.
They won't want to do business with you, instead, they'll just find a competitor who cares about compliance and cyber security.
In fact, many businesses nowadays will want to see some kind of proof that you're meeting a minimum set of requirements for cyber security.
So you can't ignore cyber security - what do you do?
Contrary to popular belief, you don't need a £100,000 investment or a team of cyber security specialists to take care of your business' cyber security.
So here's are some critical steps you can take, this very moment, to make your business and your clients feel safer.
1) Develop a strong password policy.
Whilst it's important to look into building a detailed information security policy in the future, right now, you could set out a few password rules for your staff which would make your company far less susceptible to being breached.
- Using 12 Characters minimum
- Including numbers, symbols, capital letters, and lower-case letters: Use a mix of different types of characters to make the password harder to crack.
- Staying away from obvious dictionary words and combinations of dictionary words. E.g. (Red House)
- Avoid substitutions, for example, “H0use” isn’t strong just because you’ve replaced an 'o' with a '0'
2) Encrypt your confidential data
People hear the word "encrypt" and run because it's a technical term. In truth, it's quite simple.
Encryption simply means hiding your data and it provides another hurdle for cyber criminals.
Check out this great beginner's guide to encryption if you want to learn more.
3) Be selective with access
It's really important that you carefully assess the permissions of your staff. Does your brand new intern have access to confidential, C-level data?
Once you sort out the permissions, you'll reduce the risk of social engineering. This means if a hacker breaches your brand new intern, they won't be able to access the highly sought after information.
4) Update your software
When you refuse to update your software, you allow the holes in the software to remain on your systems. There are brand new patches, fixing security holes, every single day that are released by the vendor.
Make sure you:
- Turn on Automatic Updates for your operating system. (iOS, Windows, Android etc)
- Use web browsers such as Chrome or Firefox that receive frequent, automatic security updates.
- Update browser plug-ins (Flash, Java, etc.)
- Establish a system for making sure you apply all updates within 14 days of their release, particularly if they're critical vulnerabilities.
Becoming Secure with Cyber Essentials
The UK Government is rooting for small businesses. They realised you haven't got the time, resources or money to be able to put cyber security at the top of your list of priorities.
This is why they created the Cyber Essentials certification for SMEs to protect themselves against 80% of common cyber threats. It's the ideal way to kick start your cyber security efforts, helping you lay secure foundations for your business at an affordable rate.
As a leading Certification Body for the scheme, Cyber Tec Security can guide you through the process so you can get certified with zero hassle.