Dr Clare Johnson is the Capability Lead at ITSUS Consulting Ltd, Founder of Women in Cyber Wales, and alumnus of the Help to Grow: Management Course.
In this article, Clare writes about the challenges of cyber security for small businesses:
As a small business, you may think you are unlikely to suffer a cyber attack, but you’d be wrong. According to the Department of Science, Innovation and Technology’s Cyber Security Breaches Survey 2023, almost a third of small businesses report having experienced some kind of cyber attack or breach in the last 12 months and the reported figure from the Federation of Small Businesses puts this much higher at a whopping 72%.
Whilst the target may be an individual, these attacks can impact your whole business and even your suppliers and customers.
Cyber security is a challenge for all organisations, but one of the main issues small businesses face is that they often don’t have a dedicated IT person, let alone someone with cyber security expertise. Recruiting someone with the right skills can be difficult, so much so that around 50% of UK businesses report a basic cyber security skills gap because of difficulty recruiting IT professionals.
Attacks come in many forms, but by far the most common is phishing, making up around 80% of attacks. It takes very little effort to craft a convincing ‘phish’ and as the National Cyber Security Centre (NCSC) puts it, the most common (and successful) types of cyber attack are the ‘digital equivalent of a thief trying your front door to see if it’s unlocked’.
Tips for small business cyber security
As with many problems in life, the simplest solutions are often the best. The NCSC has created ‘10 steps to Cyber Security’, which breaks down different areas of security into manageable chunks, providing more granular advice within each step to help businesses improve their security. It covers areas such as risk management, identity and access management, engagement, and training.
While you may not have the technical expertise to complete all the steps, the guide serves as an excellent starting point for asking the right questions. The NCSC also offers two certifications. The first is Cyber Essentials. This consists of five technical controls that help to prevent the most common attacks, and it can be carried out as a self-assessment. The second is Cyber Essentials Plus, for which an external auditor carries out a hands-on technical verification to confirm you have met the minimum standards before you are certified.
Both Cyber Essentials certifications help you think about your cyber security posture and risk appetite, and demonstrate to your customers your commitment to keeping your company safe. Playbooks and simulations are also excellent ways to test your security measures – practising your response to an incident just as you would in a fire drill. They highlight where your gaps are and provide feedback on the effectiveness of any measures taken.
Your people are your best defence
You may be under the impression that your people are the weakest link when it comes to cyber security, but they can also be your best defence, and this is where training is invaluable.
Phishing attacks are much more sophisticated than they used to be, especially as attackers may use artificial intelligence to improve their emails, so it’s possible that emails will be addressed to your staff personally, having obtained their names from LinkedIn or other sites.
Educating staff to pause and think before responding to emails, especially if they include a sense of urgency, or an unexpected method of continued communication (e.g. WhatsApp), can make a huge difference to your first line of defence. There is some excellent, very accessible, and free training from the NCSC.
Discussing how other small businesses have approached cyber security basics and sharing experiences is also invaluable; this was useful for my peers and myself during my time on the Help to Grow: Management Course.
Responding to a cyber attack
If you are unfortunate enough to suffer a cyber attack, seek help as soon as you can. There are approved companies that offer cyber incident response services, and support is available from your local police force, Cyber Resilience Centre, or Action Fraud. All these will be experienced in handling and recovering from such attacks. If you have suffered a data breach, you may receive a ransom notice from the attacker instructing you to pay for its safe return, or you may be notified by suppliers or customers that they are receiving unexpected activity from you. In this instance, you may also need to report the breach to the Information Commissioner’s Office (ICO).
Good cyber security may seem like an unachievable goal to a small business, but the likelihood of a cyber attack can be drastically reduced by implementing relatively simple measures.
Identifying your key assets and investing a little time and resources into their protection can make all the difference to the outcome if the worst does happen. The best advice is probably the old adage ‘prepare for the worst, and hope for the best’. That way, if the worst does happen, you will be in the best place to recover from it.
Want to improve your leadership?
With 60 business schools around the UK, there will be a Help to Grow: Management Course starting near you soon. Don't miss your chance to register.