Cyber-attacks are no longer out of the ordinary for businesses – we’ve seen various high profile data breaches and hacks hit well-known brands, from TalkTalk back in 2015, to Wonga more recently. While it’s the household names that typically grab the media headlines, it’s important to remember that no business is immune to cyber threat, whether it has five employees or a workforce of 5000. In fact, 90 per cent of our cyber claims by volume in 2016 came from businesses with less than £50m in revenue.
Our recent research found that cybercrime is the second biggest concern for SMEs, topped only by Brexit. Despite this, over a quarter of small and medium-sized businesses (27 per cent) still don't educate and train their staff on cyber threats.
The world of crime is changing as organisational value shifts away from physical property towards intangible assets, such as company data and sensitive information. The fact that criminals know these assets are far more valuable, and far easier to access and exploit, is reflected in the findings of the National Crime Agency, which last year revealed that cybercrime had overtaken traditional crime in the UK.
Years ago, employers would educate staff on the importance of locking the filing cabinet or the office doors before leaving. Now that crime has changed, education and training need to change too, and surprisingly, much of it is incredibly simple, requiring only a small shift in company culture and mindfulness.
Avoiding the avoidable
Whilst it's true that many hacking techniques are evolving to keep pace with better cyber security defences, a lot of cyber incidents are the result of fairly unsophisticated methods. Take phishing, for example. These scams involve tricking people into trusting a spoofed sender or a malicious website, clicking a malicious link, or unknowingly downloading an infected attachment.
This tactic accounted for 38 per cent of our claims in 2016, which means over a third of claims could potentially have been avoided if simple education and training measures had been in place to help staff detect these threats. Many phishing scams have tell-tale signs that are easily spotted if employees know what to watch out for, which makes phishing one of many good places to start when educating staff.
Steps to education
There’s a massive human element to cyber risk and having staff understand that this human link even exists is a good start in trying to get everyone within an organisation on board with making their work environment more secure. Staff awareness of the potential threats – and of what they can do to help mitigate them – is a huge stride forward in adopting a best practice approach to cyber security.
Currently, over a quarter of SMEs (26 per cent) say they do not train and educate their staff on cyber threats because they are "not sure where to start". This may well stem from not understanding their cyber risk profile: 20 per cent say they never assess their business's exposure to this risk. This needn't be a time-consuming weekly or even monthly task, but it should certainly be on the agenda at least once a year.
By understanding their exposure to cyber risk, business owners can more accurately assess where vulnerabilities lie. Once these have been addressed, business owners would be wise to recognise the role that their employees play as a first line of defence. Although this is not a silver bullet when it comes to protecting an organisation from cyber threat, it is a fundamental component.
In practical terms, this could include teaching staff how to detect a potential phishing email and implementing a reporting procedure so that it is dealt with quickly. It could also mean having a process whereby staff verify any request for a wire transfer, or for a change to a supplier's bank details, with a phone call to a number already on file (never one supplied in the email itself) before acting on it. In addition, business owners should encourage staff to be vigilant with company devices: losing one could easily lead to a privacy breach if sensitive information is accessible on it. A lot of problems start when employees use company computers for personal purposes, so having rules in place to limit that may also help.
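As an added illustration (not part of the original article) of the tell-tale signs staff are taught to spot, the Python below runs a handful of those checks over two constructed messages: a display name that claims a trusted address while the real sender is elsewhere, a lookalike sender domain, a Reply-To that diverts replies, pressure wording typical of payment fraud, and a link whose visible text points at one host while the href goes to another. The trusted domain (`example.com`), the keyword list and the edit-distance threshold are assumptions chosen for the example; this is a teaching aid for awareness sessions, not a replacement for a mail gateway's filtering.

```python
"""Flag common phishing tell-tale signs in a raw email (added example).

The sample messages, trusted domain, keyword list and thresholds below are
constructed for illustration; they are not a complete phishing detector.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domain
URGENCY_WORDS = ("urgent", "immediately", "wire transfer", "new bank details")


def _domain(addr: str) -> str:
    """Lower-case domain part of an addr-spec such as user@host, else ''."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable reasons why this message looks like phishing."""
    msg = message_from_string(raw)
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    reasons = []

    # 1. Display name embeds an address whose domain differs from the real sender.
    claimed = re.search(r"@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != from_dom:
        reasons.append(f"display name claims {claimed.group(1)} but sender is {from_dom}")

    # 2. Sender domain is a near-miss of a trusted one (edit distance 1 or 2).
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and _edit_distance(from_dom, trusted) <= 2:
            reasons.append(f"sender domain {from_dom} looks like {trusted}")

    # 3. Reply-To silently redirects the conversation to another domain.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"replies go to {reply_dom}, not {from_dom}")

    # 4. Pressure and payment wording typical of wire-transfer fraud.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        reasons.append("pressure/payment wording: " + ", ".join(hits))

    # 5. Link text shows one host while the href points somewhere else.
    parser = _LinkExtractor()
    parser.feed(body)
    for href, shown_text in parser.links:
        shown = urlparse(shown_text).hostname if "://" in shown_text else None
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            reasons.append(f"link shows {shown} but goes to {actual}")
    return reasons


# Constructed sample: a CEO-fraud style payment request with every indicator.
SUSPICIOUS = """\
From: "Finance Director fd@example.com" <fd@examp1e.com>
Reply-To: payments@mail-secure.test
Subject: URGENT wire transfer needed before close of business
Content-Type: text/html; charset=utf-8

<html><body><p>Please approve the supplier payment at
<a href="http://login.mail-secure.test/pay">https://portal.example.com/pay</a>
immediately. I am in meetings and cannot take calls.</p></body></html>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
BENIGN = """\
From: Finance Director <fd@example.com>
Subject: Minutes from Monday's meeting
Content-Type: text/html; charset=utf-8

<html><body><p>Minutes attached as discussed. See
<a href="https://portal.example.com/minutes">https://portal.example.com/minutes</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

In a training session the point is the list of reasons, not the verdict: each line maps to something a person can check by eye (hover over the link, read the real address behind the display name, notice the reply address), and the callback rule in the paragraph above covers the cases these heuristics miss.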
Implementing an incident response plan
Should the worst happen, and a business does fall victim to a cyber-attack, it is important that there is an incident response plan in place to mitigate its impact. This should outline the roles and responsibilities in the event of a breach so that the incident can be handled quickly and effectively. Worryingly, over half of SMEs (56 per cent) report that they do not currently have such a plan in place.
With limited resources, SMEs are by no means expected to have the cyber and IT experts in-house to handle the aftermath of an attack. This is where a cyber insurance policy can play an important role. Cyber insurance exists not only to cover the financial losses associated with a hack; a good policy will also provide access to IT specialists, forensic investigators, specialist PR firms, legal experts and more. This enables victims to manage cyber incidents quickly and minimise their impact.
Good cyber security is a solid foundation for a defence strategy, but failing to educate and train staff on today's threats leaves SMEs vulnerable to attacks that are often avoidable. Cyber threat is one of the most high-profile risks that businesses of all sizes face at the moment, yet SMEs are not equipping their staff well enough to deal with even the less sophisticated attacks. If they are to implement a 360-degree cyber defence strategy, education and training must be addressed.
Graeme Newman, Chief Innovation Officer, CFC