If you’re a small business owner with a finger in every proverbial pie, facing the anxiety-inducing effects of a cyber attack is one stress too many. The anxiety is even worse for SME owners who don’t operate in the tech or I.T industries, where many don’t have the industry knowledge to tell them where to start if their systems have been breached.
With companies worldwide going almost completely digital, office computers and related systems have become the most prized possessions of businesses – and is where their most useful data and confidential information is stored. However, this also means that it’s become a treasure-trove for cybercriminals too.
How big is the threat?
The impact of cybercrime on UK SMEs is serious and is evidenced in research produced by insurance firm Hiscox last year.
Their research claims that over half of our small businesses have no cybersecurity strategy in place. This lack of security planning has resulted in as many as 65,000 attempted hacks every day, says the firm.
They’re costing SMEs dearly
Cyber attacks aren’t merely a frequent occurrence for small businesses, they’re costly too.
Last year the average financial impact of cyber attacks was £25,700.
But not only do businesses have to ‘pay out’ due to cyber-attacks via the costs of ransoms and replacing expensive hardware, but they can also suffer reputational damage that simply can’t be quantified.
We all know that implementing new strategies within businesses doesn’t happen overnight. So with that in mind, let’s turn to what SME businesses with limited cybersecurity knowledge can do in the immediate aftermath of a cyberattack. After which, they’ll hopefully implement longer-term preventative strategies to stop this from happening in the future.
Ben Rose, chief underwriting officer, Digital Risks
SMEs have to have an effective response plan in place to control the situation as quickly as possible with minimum impact to them and their customers.
This means avoiding going into ‘panic and pay’ mode. A threat may emerge, and it may feel like it’s crucial to act instantly and cave into hackers’ demands. However, providing they have undertaken the correct risk assessment, and have a comprehensive cybersecurity insurance policy in place, SMEs can put a stop-gap in the middle.
For example, through an effective cyber policy – they can gain access to outside support such as legal advice, cyber forensics teams, access to experts in negotiating the rescue of data or files, as well as crisis PR teams that can help to manage any potential customer issues.
Oz Alashe, CEO and founder, CybSafe
Following the discovery of a breach, SMEs should act immediately to prevent further damage and to determine what’s been compromised. While leaked data involving names and addresses can cause harm, breaches involving data such as passwords and credit card information present a much greater risk. What constitutes a suitable reaction will, in part, depend on what has been stolen and how much damage this could cause.
After identifying all compromised information, they should notify customers and partners as soon as possible. Delays in getting this information out exposes those affected to greater harm. Sensitive personal information can be uploaded to the dark web within hours, so time really is of the essence.
Be transparent with customers…
When informing customers and business partners, organisations should be open about how and why a data breach was able to take place, and who have been affected. Those impacted in the breach won’t appreciate a lack of transparency, and they’ll expect clear and concise advice on what, if anything, they need to do in response. If passwords have been compromised, they should be provided with guidance on how to change these and what other steps they might need to take.
In some circumstances, businesses may be obliged to report breaches to the Information Commissioner’s Office (ICO) within 72 hours of discovery. If it’s likely that sensitive data has been exposed without consent, then reporting the breach to the ICO is advised. If organisations fail to report a breach then they must be prepared to justify that decision. More information on the appropriate circumstances for reporting can be found on the ICO’s website.