This article is part of a series of articles called “The Small Business Owner’s Introduction to Cyber Risk”. Each article is dedicated to an important topic that the owners of small businesses should understand as they get started on their journey towards peace of mind from cyber risk.
You may be the owner of a small business, struggling to make sense of this complex environment and concerned that you may not be doing enough to prepare your business and your people for a cyber incident.
You may be confused by cyber risk right now, and if you are, you’re not alone. Most people who own or manage small businesses are concerned about the cyber exposures of their businesses. A lot of people are confused by the complexity of the topic and the large number of solutions promoted by the cybersecurity industry.
Lack of time, money and expertise are real problems for small businesses, but these should not prevent small business leaders from taking reasonable steps to improve business resilience. In these short articles, I hope to show you how.
As the owner of a small business, I understand the small company perspective. Here are a few frequently asked questions about cyber risk that I often get from the small businesses that engage with me:
WHAT IS CYBERSECURITY?
Cybersecurity has been defined as a collection of technologies, practices and processes that protect networked computer systems from harm or use by an unauthorised person. Its purpose is to protect businesses from cyber-attacks, threats and risks.
WHAT IS A CYBER-ATTACK?
A cyber-attack is an offensive action by a malicious actor that is intended to undermine the functions of networked computers and their related resources, including unauthorised access, unapproved changes and malicious destruction.
WHY DO WE NEED CYBERSECURITY?
Digital transformation has changed the world of small businesses, in many ways for the better. However, increased dependency on digital technology has exposed small businesses to increased cyber risk.
Small businesses need cybersecurity to try to reduce the number of cyber incidents they suffer and the severe impact these incidents can have. Because small businesses have limited resources to respond and recover, a cyber incident can easily lead to financial collapse.
WHAT EFFECT CAN A CYBER INCIDENT HAVE?
There are many possible effects of a cyber incident including:
1. Websites and systems can be offline for a prolonged period
2. Negative public relations can result for the business
3. Ransom demands may be made by the attackers
4. Fraudulent payments may be requested and made
5. The cost of fixing system damage and restoring data will be unavoidable
6. The liability to third parties arising from the incident could be severe, e.g. a data breach.
IS CYBER RISK ONLY IMPORTANT FOR BIG COMPANIES?
The sad reality is that 60% of small companies go out of business following a cyber hack and 71% of all cyber assaults occur at businesses with under 100 workers. Small businesses are big business for cybercriminals. Small business leaders should be concerned if they have not yet prepared their business and their people for an inevitable cyber incident.
ARE THERE ANY RECENT REPORTS ON CYBERCRIME IN THE UK?
Yes, the Cyber Security Breaches Survey 2022 from the UK Government indicated that:
- 39% of businesses of all sizes identified a cyber incident in the last 12 months.
- The most common threat vector was phishing attempts (83%).
- Organisations cited ransomware as a major threat with 56% having a policy not to pay ramsoms.
- Of the businesses that identified attacks, 31% estimate they were attacked at least once a week.
- 82% of boards or senior management rate cyber security as a “very high” or “fairly high” priority.
- 54% have acted in the last year to identify cyber security risks. However, limited board understanding meant the risk was often passed to outsourced service providers, insurance companies or an internal cyber colleague.
- Between 55% and 60% of small, medium and large businesses outsource their IT and cyber security. Only 13% assessed the risk posed by their immediate suppliers saying that cyber security was not an important factor in the procurement process.
- Only 19% of businesses have a formal incident response plan.
- 43% of businesses have an insurance policy that covers cyber risks.
- Only 6% of businesses have Cyber Essentials Certification and only 1% have Cyber Essentials Plus Certification.
ARE THERE ANY RECENT REPORTS ON CYBERCRIME IN IRELAND?
Yes, the Grant Thornton Ireland “Economic Cost of Cybercrime” report indicated that:
· The total economic cost of cybercrime in Ireland was €9.6 billion in 2020.
· Online fraud had increased by 55%
· There had been a 45% increase in the number of Phishing complaints
· 36 billion records were compromised in 2020
· There had been a 334% increase in the volume of records compromised from 2019 to 2020.
DO SMALL BUSINESSES HAVE A GOOD UNDERSTANDING OF THEIR CYBER RISK?
There is a growing understanding amongst the owners and managers of small businesses of the reality of cyber risk and the need to take action. However, more education is needed to help small business leaders distinguish the truth from the myths:
I hope that this simple FAQ has been useful in introducing you to the topic of cyber risk for small businesses.
Don’t forget to have a look at the series videos on the on the Surviving Cyber YouTube Channel and download the eBook that accompanies the video series at: https://pages.survivingcyber.com/ebook
In the next article in this short series, I consider whether cyber risk is just an IT issue or a business-critical risk that encompasses much more than IT risk.