Four cost-effective ways small businesses can improve cyber security
A study by the Federation of Small Businesses (FSB) found that over 500,000 small firms faced phishing attempts over the past two years. Others reported malware or fraudulent payment requests, according to the FSB.
Small businesses collectively face a barrage of cyber threats – around 10,000 attacks a day. The annual cost is estimated at £4.5bn, with the average cost of an individual attack put at £1,300.
The challenge for small businesses is that they need to be as secure as larger enterprises, but have fewer resources to do it.
It is also difficult to know where to look for advice. From the NCSC to banks and insurance companies, everyone seems to be offering guidance.
For us, the best advice often comes from reports into past breaches and security failures. When major incidents hit sectors such as financial services or the NHS, detailed reports are published investigating what happened and why.
A recent report by Imperial College London investigated the reasons for security failures at the NHS. What can smaller businesses learn from the NHS’s mistakes without breaking the bank?
Give IT a place on your priority list
There has been underinvestment in healthcare IT, especially compared with other sectors.
NHS organisations spend only 1-2% of running costs on IT services compared with 4-10% elsewhere.
If you’re a small business, you need to be careful about how you allocate resources. Investing in IT may not be at the top of the list, particularly if everything is ticking along without too much fuss. But when an incident strikes, your business’s survival hinges on the resilience of your IT.
Study your suppliers
Your business needs confidence in its suppliers. Cyber criminals are increasingly adept at infiltrating companies via their external providers. Again, the report highlighted these issues for the NHS:
“If nothing is done and adoption of medical devices continues at pace and scale there could be mass introduction of poorly regulated or unsecure medical devices that are hyper-connected and vulnerable to cyber threat. At present, healthcare providers are unable to effectively and consistently risk assess the adoption and integration of emerging technologies and there is a persistent lack of agreed minimum standards for security.
There is a lack of procurement policy to monitor and regulate devices used in care delivery. Additionally, there is little incentive for suppliers of medical devices to provide appropriate levels of cyber security due to the high cost, with a lack of mandate to do so.”
The Internet of Things (IoT) has opened up countless new avenues to exploit. It’s vital to understand your suppliers. Do they have robust cyber security principles, and can they evidence them? Is there a clear governance structure?
Listen to The BCPcast’s episode on supply chain management to learn how to mitigate these risks.
Set a standard for culture and behaviour
The report goes on to state that employees’ attitudes are key.
“Employee behaviour is a crucial aspect of healthcare cyber security that is frequently overlooked. Easy access to the most personal aspects of a patient’s life means that the potential for malicious activity is ever-present, particularly if data belongs to high-profile patients. There are publicised examples of such behaviours of staff being disciplined and hospitals fined following inappropriately accessing and sometimes leaking the medical records of celebrities.
Currently, it is mandatory for all NHS staff members to complete online training on information governance (including cyber security), though recent evidence suggests that only 12% of trusts reached the NHS Digital target of 95% compliance.”
Your business is built on people. Do you have codified incentives to promote good practice? Are there deterrents to limit malpractice? People have always been a chief cause of data loss: the Data Health Check found that 21% of data loss in 2019 was caused by human error. If people understand where the line is, they will make fewer errors.
Your goal is to foster a spirit of inclusivity. If you can create a companywide sense of purpose, you won’t need to hold your staff accountable; they will hold each other accountable.
There’s an adage in cyber security that you “need to get it right every time, whereas the criminals just have to succeed once”. Everyone in the organisation is part of the defence.
Bring in outside expertise
The cyber security skills market is still relatively young. The rate of change in the industry means skilled workers are in demand, pushing up the cost of such hires. Hiring trained cyber security staff is difficult for the NHS, as it can’t compete with commercial salaries.
“In December 2018, about 1.5 years after WannaCry, a Redscan freedom of information (FOI) request showed that as much as 25% of NHS trusts had no employees with cyber security qualifications. It also highlighted that among trusts with 3000 to 4000 employees annual cyber security training expenditure may be as little as £500.”
For small businesses, even if you can afford the salary, it rarely makes sense to employ a dedicated, full-time cyber security professional.
Instead, bolster your security by bringing in third-party experts, such as cyber security consultants and managed security service providers (MSSPs), for projects, training and ongoing support.