If you are reading this article, you are likely to be the owner of a small business or hold a management position at a growing organisation. Although you have a million actions on your to-do list needing urgent attention, the fact that you have started reading an article on the topic of security suggests that this might be an aspect of your company’s operations you are currently in the dark about.
Think you’re safe – think again
Some small business owners – you might be one of them – will take comfort in the belief their operations are too inconsequential to attract attention from international cybercriminals. However, smaller companies have in fact become a preferred target for cybercrime largely because many lack the time, budget and expertise to put comprehensive security defences in place. They are also seen as much easier targets for cybercriminals than large multinational corporations, in part because many small and medium-sized businesses (SMEs) have only a basic notion of their network security risk.
The Federation of Small Businesses (FSB) recently discovered that cyber crime is costing its 200,000 members alone £800 million annually, with 41% of members becoming victims of cyber attacks last year. And the trend of targeting SMEs is only increasing: the number of daily targeted attacks specifically aimed at SMEs more than doubled in the first six months of 2012.
To put this into perspective, according to the Department for Business Innovation & Skills, SMEs account for 99.2% of all businesses in the UK, making up 59.1% of private sector employment and 48.8% of private sector turnover at the start of 2012. It is therefore not surprising SMEs are increasingly falling victim to cybercriminals. The financial impact of these attacks is enormous for both the individual organisation and the wider economy. With FSB members incurring costs of around £4,000 each due to cybercrime, this means an average total cost of more than £18.8 billion across the whole SME landscape.
Technology the enabler, complexity the enemy
Today, IT networks at organisations of all shapes and sizes are much more complex than they were just five years ago and have grown organically over time. Frequently, they are made up from a combination of on-premise networks, mobile networks and cloud services.
Unfortunately, in many cases, internal security protection has not kept up with these changes. Think about your own situation: is business data moving onto mobile devices? Are employees using their own tablet computers to access internal business websites? Is financial or personal data being moved onto the cloud? If the answer to any of these questions is yes, then your traditional security controls are unlikely to be enough to keep your network and data safe.
Best practice makes perfect
Cybercrime is a real threat that should not be ignored. The advice below will help you get on track to implement an effective security policy suited to the needs of your organisation:
1. Update software
Make sure both software updates and antivirus programs are current. Malware is constantly evolving to take advantage of vulnerabilities in software, and so are patches and fixes that repair these weaknesses. However, these fixes are useless if updates aren’t applied.
2. Educate employees
Educate your staff never to open unknown attachments in emails or click on unknown links. It may sound basic, but web- and email-based threats are growing very quickly. In the first half of 2012, web-based malware infections grew 400% over 2011, and email-based attacks grew 56% from the first to the second quarter of 2012. It is often said that technology is only as good as the people who use it, and preventing behaviour that puts your systems at risk is key.
3. Effectively deal with remote workers
Small business owners increasingly depend on remote workers and external contractors to help with the workload, but it is important to manage them securely. Knowing how many people are accessing which corporate information, and from where, is critical to your organisation’s security defence.
4. Be careful of social media
Social media can be an important marketing channel, but malicious code is increasingly injected into social networking sites, including harmless-looking links, advertisements and game apps. On Twitter, shortened URLs make it impossible to recognise whether links are legitimate, and retweeting these helps spread infections.
5. Employ stringent password policies
Workers with access to financial or personal data should have separate accounts for sensitive and more general business content. Ask your staff to change passwords regularly, using a mix of alpha and numeric characters that do not resemble words, so that exposure from password theft is time-limited.
6. Limit access to financial data
Minimise the number of people who have access to sensitive financial or personal content – the fewer people who have log-in credentials to this data, the harder it is for criminals to compromise it.
7. Be wary of downloaded apps
Be alert when buying and installing applications from online app stores and make sure they come from a reputable source to avoid malware infections.
8. Develop a layered approach to security
This means integrating multiple forms of technology for maximum protection, including web, email, data and mobile protection.
9. Speak to an expert you can trust
All-in-one layered security systems are widely available, but if you prefer to deploy separate technology for different areas, consult a security specialist as vulnerabilities can occur if technology is not well integrated. If you don’t feel you have the necessary technical expertise to implement an effective security policy, consider asking a member of staff with an interest in IT to help you with the decision-making process.
According to feedback I’ve had from customers and partners across the UK, small businesses are concerned about the amount of time that administering security will take, and the demands it will place on already stretched IT resources. In addition, they worry about how their security needs might change over time and whether that will result in additional spending.
There is no doubt your security needs will change as you grow, but taking comprehensive steps before your infrastructure becomes too large to be effectively managed will help you in the long run. Many security solutions available today are highly scalable, and can adapt to the changes that new technology and evolving security risks can force on your business.
A majority of UK businesses are relying on nothing but luck to protect them from cybercrime threats. Put measures in place now, so that your luck doesn’t run out.