Cyber security is at the top of every business agenda, but for small businesses in particular, it’s a major challenge.
Many small businesses have long been content with simple security solutions, opting for nothing more than an anti-virus product and a firewall to ‘manage’ security. As cyber threats become more complex and frequent, however, small businesses have become prime targets precisely because their security is weaker.
In this blog, we will take a look at the most recent small business cyber security statistics contained in the 2018 Cyber Security Breaches Survey from the Department for Digital, Culture, Media & Sport, to understand just how small businesses are tackling the challenge of cyber security, as well as what they can do to build an effective multi-layered security strategy.
In an age where businesses of every size are routinely targeted by cyber criminals – with almost half (43%) of the businesses reviewed in the survey experiencing a cyber security breach or attack in the last 12 months – an incident management process needs to be formalised and put into place.
The essence of an incident management process is ‘readiness’. Businesses must be able both to identify an incident and to respond to it. In practice, this means investing in some form of incident management or incident response software that can: record activities, identify anomalies, automatically send out alerts, analyse attacks to identify the root cause, and provide response and remediation tools to contain the problem at all endpoints. It also means having knowledge of current cyber threats and a contingency plan in place.
Incident response software is a key part of any multi-layered security strategy, and small businesses should endeavour to acquire the right solution.
While a majority of survey respondents (57%) were able to identify and report breaches without the use of software, 65% did not know where their most disruptive breaches originally came from.
This statistic suggests that while employees are vigilant and able to identify and report breaches with a good degree of effectiveness, they do not have the means or tools in place to trace breaches back to their source – information that is essential when it comes to containing and rectifying the problem rather than merely cleaning up after it.
To achieve end-to-end protection, businesses need to be able to identify malicious activities or anomalies in real time and then to issue alerts when such activity is discovered, all of which can be delivered by an intrusion detection system (IDS). With an IDS, any malicious activity or policy violation is automatically reported to the system administrator and an alarm raised. It can also be ‘taught’ using machine learning to help improve threat and anomaly detection in real time. More sophisticated systems, usually described as intrusion prevention systems (IPS), are able to respond to detected intrusions and block them outright rather than only raising an alert.
According to the survey, 75% of respondents indicated that breaches occurred as a result of employees opening and clicking on links in fraudulent emails – more commonly known as phishing emails. It’s hardly surprising then that employees are often a business’ biggest threat.
Businesses must therefore have some form of anti-phishing protection to automatically filter out fraudulent, illegitimate or malicious emails. Most – but not all – email platforms incorporate some form of simple anti-spam and anti-phishing software. The software scans incoming emails to identify phishing content and blocks that content for the user. Of course, some phishing emails can still get through, so businesses should always have an additional layer of protection in the form of dedicated anti-phishing software.
Only a fifth of businesses (20%) have had staff attend any form of cyber security training in the last 12 months, with non-IT specialists being particularly unlikely to have attended. To effectively combat cyber threats at every level of the business, employees must understand the different types of cyber attack and how cyber criminals carry them out.
If businesses accept that their employees are often their biggest threat, they will also appreciate the value in training them to identify and manage cyber security issues, as well as how to avoid them in the first place. Knowledge of cyber threats and how to combat them needs to be spread across every line of business to achieve enterprise-wide protection. Technology can only do so much and at the end of the day, if employees are unaware of risks, what chance have they got of protecting against them?
Management of cyber security is an ongoing challenge, so some businesses have outsourced the entire process to dedicated security specialists. While practical for larger businesses or those with significantly deeper pockets, start-ups and small and medium-sized businesses may not be able to afford such a venture.
Of course, cyber security doesn’t have to be expensive. Provided businesses follow the points outlined above, have a comprehensive understanding of cyber security and regularly train employees on its importance, building a multi-layered security strategy is not a pipe dream. It’s entirely possible to build an effective multi-layered security programme without having to ‘break the bank’.
As these small business cyber security statistics show, cyber attacks continue both to increase and evolve in terms of complexity. Small businesses, therefore, need to invest more in cyber security and take a multi-layered approach to their online security. Cyber attacks can come in a variety of different forms and having just an anti-virus solution and firewall is no longer enough to provide enterprise-wide protection.
If you want to find out more about why small businesses need to take cyber security seriously, download our free eBook: Dispelling the cyber security delusion in small businesses.
Privatise’s business VPN solution is the first internet privacy protection tool developed specifically to meet the practical needs of small and medium businesses.