Steve Scott, Director of Broker Markets, NIG, believes that as well as getting a suitable cyber insurance policy, SMEs need to think about extending their current risk management controls to include cyber risks.
Aviva, TalkTalk, Sony Pictures, LinkedIn. The vulnerability of large companies and platforms to cyber crime has hit the headlines regularly over the last few years.
What’s more troubling, however, is that according to Government figures, a third of small and medium businesses suffered a cyber attack from someone outside their business last year.
The fall-out of an attack
To me, these are pretty shocking statistics. But perhaps even more shocking is the financial impact.
The average cost of a major security breach is between £65,000 and £115,000, and a breach can put a business out of action for up to 10 days, an impact which, in some cases, can prove terminal.
So what can SMEs do to limit the impact of cyber crime, cyber liability, data breach, and data corruption – and its potential material and reputational damage?
With fewer resources or expertise than larger companies, how can an SME manage and protect itself from a range of virtual threats in a way that’s practical and cost-effective?
Currently, businesses are likely to have a risk management policy for things like fire, break-ins or working in hazardous environments. But many of them underestimate the impact of cyber risks, so they don’t give them the same consideration or attention as they would physical risks.
Of course, it’s impossible to eliminate every risk, but having a strong security policy that incorporates a ‘layered defence’ will help to protect physical equipment and company data.
Access and an axe to grind
Protecting the business from outside attack is one thing, but one of the most common threats to any size business is from disgruntled current or former employees.
With access to company networks and proprietary information, they can leave your business exposed and under threat, perhaps by spreading malware, or because criminal gangs have carefully targeted them and forced them to sabotage your system or steal data, money or goods.
And it’s not just your employees: if you allow third-party suppliers access to your network and systems, you’re exposed to the same risks.
To mitigate internal and external threats, doing the basics is essential.
That means installing anti-virus software, downloading updates as soon as they’re available, and keeping web browsers, hardware and software up to date with the latest patches (pieces of software designed to update or improve a computer program). Setting up a firewall will also help prevent unwanted connections getting in or out.
It could also mean installing an email security solution, such as anti-spam and email scanning that quarantines any embedded files or attachments, restricting access to inappropriate websites, and keeping an inventory of all IT equipment and software.
You should also review hardware and software regularly, and store or dispose of it securely if it’s not being used. In this regard, physical security is as important as virtual security.
Managing user access is key
For SMEs, where IT budgets are rarely large enough for the kind of solutions deployed by corporates, strong user access controls can restrict access to folders or servers so that office, mobile and remote workers conform to the principle of least privilege.
In other words, they get what they need and nothing more. This is especially important if a company is subject to legislation for things like data protection.
Other ways to strengthen your cyber security include identifying a standard configuration for hardware, and ensuring any new equipment is built and tested to this standard, before it’s deployed.
And for an extra level of reassurance, hardware and network monitoring can log and identify user activity (authorised and unauthorised) as well as malicious activity.
A simple but effective way to beef up security is to use strong passwords (with at least 8 characters, upper and lower case letters, numbers and special characters), encrypt sensitive data and make sure employees understand and implement any cyber security policy.
Bringing in an expert
With so much to think about, some companies prefer to involve an accredited security consultant to develop and implement a cyber risk management policy.
Some even have a ‘penetration test’, where an ‘ethical hacker’ tries to break in and sniff around to see what they can find and steal.
They then provide the SME with a full report including any weaknesses and recommendations.
A company can also look at how it would deal with a cyber-related incident and its potential impact on business continuity.
This could include how to manage any negative publicity if the incident makes it into local or mainstream media, and a review process to understand any security weaknesses.
With the types of threats constantly evolving, SMEs need to review their cyber security and risk management policy regularly to ensure that it’s up to date.
And with nearly 1 million new malware threats released into the internet every day, it pays to stay alert.