Small businesses are taking a big cyber security risk

There’s something very worrying about the way SMEs are approaching their cybersecurity. Whilst recognising that it should be a high priority, they don’t prioritise putting adequate defences in place.

It’s easy to blame other pressures. The economic climate is undoubtedly tough with high energy prices, skills shortages and input costs soaring. And these factors are perhaps easier to address. They don’t require specialist IT knowledge. And unlike the nebulous threat of a potential cyber-attack, results can be quickly realised and easily quantified.

But sometimes SMEs aren’t even aware they’re at risk. They have an IT provider or in-house team and assume that they are being protected. Their lack of knowledge, or lack of engagement with the technical language, or even a surfeit of trust, can leave them exposed. It’s unthinkable that an organisation wouldn’t have an independent audit of its accounts and financial procedures, but few organisations think about scrutinising their IT provision.

We have to ask why because every cybercriminal knows that this is happening. They know which types of organisations are vulnerable and why. Cyber-attacks on big corporations make the big headlines, but being a smaller organisation doesn’t make you safe. Without robust defences, any organisation is an easy target.

The SME deciding to face up to these threats and take steps to defend itself will find plenty of advice online. They will discover warnings about the increased risks due to hybrid working practices. They will find out about the problems arising with the use of multiple devices, apps, smartphones and the like. They will perhaps learn about the risks of plugging a USB storage device into their company laptop. And to mitigate the threat they may implement various policies or have an in-house awareness campaign.

All that’s helpful, but it’s not the answer. You can’t cherry-pick certain risks, tackle them once and assume that going forward they’re dealt with. New threats emerge constantly. What’s more, personnel change. Employees forget they’re logging in from a Wi-Fi hotspot. They don’t spot the hijacked email thread, or they share the odd password so that a colleague can get on with the job. One-off solutions aren’t enough. You need an ongoing cybersecurity strategy that’s continually reviewed, adequately resourced and well-managed.

And yes, that will have a cost. But the cost will be nothing compared to the cost of a ransomware attack or the reputational damage of a serious data breach.

Get the board together. Talk about this issue and do it now.

1. Find out about Cyber Essentials. It’s a great place to start boosting your understanding of cybersecurity and offers a structured way to mitigate risk.
2. Ask your IT provider – or your in-house team – what cybersecurity measures are in place to protect your operation and how they link to international standards. Be prepared for a serious rethink if their answers are vague or evasive.
3. Build a strategy around cyber security and how your business uses and will use technology.

We understand the pressures of running a business – we live it every day, too – but with cyber threats, you can’t afford to take the risk. Learn about the threats. Develop a strategic and ongoing approach to preventing attacks. Doing so will give you much more peace of mind than you’ll ever find by burying your head in the sand.

If you’d to chat about the issues raised or would like our help, just call.