Still not taking cyber security seriously? If you’re running a small and medium-sized enterprise, it might be tempting to think that attackers have bigger fish to fry – but you fall into this trap at your peril.
Research published today by the British Chambers of Commerce makes that point articulately – one in five businesses in the UK has been the victim of a cyber attack over the past 12 months. The BCC does say that large businesses are more likely to have come under attack than their smaller counterparts, but 18 per cent of companies with fewer than 100 employees say they have been targeted.
This is hardly the first warning entrepreneurs have had about cyber attack. But all the evidence suggests only small numbers are taking steps to protect themselves. Overall, just 24 per cent of businesses have sufficiently robust cyber security protections in place to qualify for some form of accreditation, the BCC says. Amongst the smallest firms, the figure falls to just 15 per cent.
Nor do businesses have contingency plans for taking action when an attack does occur. Almost two-thirds say they would look to their IT provider to resolve issues following a breach.
“Cyber attacks risk companies’ finances, confidence and reputation, with victims reporting not only monetary losses but costs from disruption to their business and productivity,” warns Adam Marshall, the director-general of the British Chambers of Commerce.
“Firms need to be proactive about protecting themselves from cyber-attacks. Accreditations can help businesses assess their own IT infrastructure, defend against cyber-security breaches and mitigate the damage caused by an attack. It can also increase confidence among the businesses and clients who they engage with online.”
The BCC also pointed to the General Data Protection Regulation, new European Union rules on data security that come into force during 2018 and will affect all organisations. The regulation, which gives watchdogs the right to fine companies up to 3 per cent of their annual turnover for a failure, offers another imperative for businesses to take action, Marshall points out. The GDPR applies to all organisations, whatever their size.
The BCC’s warning, though aimed at companies of all sizes, follows mounting frustration about the difficulty of persuading SMEs to confront the challenges of cyber security.
While the UK government has launched a range of initiatives aimed at helping SMEs to improve their cyber-security capabilities, with one recent scheme offering up to £5,000 to spend on cyber training and advice, take-up so far has been limited. Research published by Juniper last year found that 27 per cent of smaller businesses did not believe they were big enough to be of interest to cyber attackers, despite a series of reports revealing that even the very smallest companies have already been targeted online.