Why cyber security matters to small businesses (Guest blog by Henham Strategy)
Small and medium-sized enterprises (SMEs) are the backbone of the UK’s economy. They represent 99% of all businesses in the UK and employ around 16 million people. SMEs turn over £2 trillion every year, which is 45% of the total turnover from UK businesses. They play a key role in adding value to all sectors of the UK economy. They serve both as enablers for the digital transformation and as a core element of our social fabric.
The Covid-19 pandemic forced SMEs to rethink their digital mindset. They had to take business continuity measures such as adapting to cloud services, upgrading their internet services, improving their websites, and enabling staff to work remotely.
In a time of increased remote working and growing cyber threats, SMEs are facing major cyber security challenges. Low security budgets, a lack of cyber skills and an increase in cyber-attacks can seriously impact SME competitiveness and even compromise the value chain they are connected to. This is why it is fundamental for SMEs to start taking the right steps to secure their business.
How big a problem is cyber security for SMEs?
Last year, the National Cyber Security Centre’s Suspicious Email Reporting Service (SERS) received nearly 6m reports. This led to 53,000 scams and 96,500 URLs being removed.
According to a report by the Department of Digital, Culture, Media and Sport (DCMS), the frequency of cyber-attacks remains high, with 39 per cent of businesses reporting cyber security breaches within the last 12 months. Of these attacks, phishing – where attackers send dodgy links, usually via email – was the most common threat, affecting 83 per cent of those businesses. More sophisticated attacks, like ransomware, affected 21 per cent. DCMS estimate that the average cost of cyber-attacks in the last 12 months is £4,200 for SMEs. This rises to £19,400 for larger businesses. It is likely that both these figures underrepresent the scale of the problem.
What is being done about the problem?
Eight in ten businesses (82%) report that cyber security is a high priority for their senior management. Just over half of businesses (54%) have acted in the past 12 months to identify cyber security risks. That is a start. But more needs to be done. The NCSC works hard to support SMEs. For example, the Active Cyber Defence programme has taken down 2.3 million cyber-enabled commodity campaigns, 442 phishing campaigns using NHS branding, and 80 illegitimate NHS apps hosted and available to download outside of official app stores.
The network of National Cyber Resilience Centres provides a platform for leading the charge to strengthen national cyber resilience, and is specifically tasked to work with SMEs and the charity sector. For example, the London Cyber Resilience Centre (LCRC) offers a range of services to London’s small business community to help demystify cyber resilience and provide access to emerging risk information. These centres are free to join, and have some great tools that can and will help your cyber resilience, such as ‘cyber-essentials’ and ‘exercise in a box’. This latter tool helps organisations test and practise their response to a cyber-attack, and you don’t have to be an expert to use it.
Taking more action to improve cyber security
At Henham Strategy, we find that awareness of such cyber security support is low amongst the SMEs we work with. The National Cyber Resilience Centres have very limited resources. Local councils have minimal, if any, cyber security support for SMEs.
Business itself – Google, Facebook, the banks – needs to increase the tools provided to SMEs. These tools should be cost-free. If you open a new business bank account, Facebook business page, or Google business profile, you should be able to access free and simple-to-use cyber security tools, not just know that your data will be held securely.
Government needs to rapidly expand cyber security outreach, with face-to-face support provided by experts. The Cyber Advisor scheme is a good start.
Innovate UK has a network of innovation advisers around the country. The Department for International Trade has a network of export advisers across England. There should be a similar cohort of local cyber advisors if we are to reduce economic loss from cyber security. This could be funded in collaboration with big tech and big business.
There also remains a role for techUK, the CBI, BCC etc. Business membership organisations must continue to keep cyber-crime high up the policy agenda, and flag the risks to their members. Many businesses take time to select and engage an effective accountant; why not deploy the same care and attention to be cyber secure?
Better SME cyber security awareness must be an engagement priority for DCMS if we are to secure reduced costs to our consumers and our small businesses. It remains to be seen whether these goals will be secured.