Small businesses across the UK are subjected to nearly 10,000 cyber attacks each day, according to new research from the Federation of Small Businesses (FSB).
The research published by FSB, which includes Scottish businesses, found that one-in-five (20%) of small firms had been subject to a cyber-attack over the past two-and-a-half years.
In the two years to January 2019, research also shows that more than seven million individual attacks were reported, equating to 9,741 incidents each day. The cost of growing cyber threats to the small business community is now estimated at £4.5 billion annually, with the average cost of an attack standing at around £1,300.
Martin McTague, FSB policy & advocacy chairman, said that, although small businesses are “waking up” to the threat of cybercrime, many still lack the resources and financial muscle to contend with rapidly evolving threats.
“These findings demonstrate the sheer scale of the dangers faced by small firms every day in the digital arena,” he says. “More small firms are waking up to the threat of cybercrime. It’s a threat that’s evolving rapidly, but too many small businesses still lack access to the resources and budgets needed to contain it.”
Attack methods regularly employed by cybercriminals include phishing, with 530,000 small firms suffering from this type of attack over the past two years, the research showed.
More than 370,000 businesses also reported malware attacks, as well as fraudulent payment requests (301,000). More than a quarter of a million businesses (260,000) also encountered ransomware attacks over the same period.
Firms based in the North West, South East and West Midlands were most likely to fall victim to cyber-attacks, with 25%, 23% and 21% of small businesses in these areas respectively reporting cyber incidents, FSB says.
FSB’s research found that one-in-three small firms (35%) have not installed security software over the past two years. Meanwhile, nearly half (40%) fail to regularly update software and a similar proportion do not back up data and IT systems.
Such lackadaisical cybersecurity practices leave businesses and consumers at risk and, in a post-GDPR world, businesses big or small simply cannot take risks with consumer data. Implementing basic cyber hygiene practices, as well as developing a cyber-aware culture can go a long way to ensuring safety and security, says Gerry Grant, CSO at Converged Communication Solutions.
“They can do some really simple things like making sure all their devices and software are updated,” he explains. “They can make sure they are backing up their data on a regular basis and ensuring that they know how to restore that data.
“They can also make sure that they are doing at least some training and awareness about phishing scams and cybersecurity with their staff.”
Schemes such as Cyber Essentials or Cyber Essentials Plus can also help set businesses “on the right pathway” to becoming a far more cyber secure organisation, Grant notes.
Cyber hygiene starts at a grassroots level, so to speak, and having a workforce which is cyber-aware and capable of picking up on suspicious activity could help avoid disaster. Without adequate training, Grant insists, businesses are leaving themselves wide open to attack.
“You can put as many technical controls in place as you like, but if you have an employee that is using a weak password or is clicking on emails and downloading attachments then that’s how you’re going to be caught out,” he says.
“This is when training and awareness become key, because how can we chastise a person if we’ve never shown them what we expect them to do and what to look out for?” Grant adds. “We spend a lot of time and effort on health and safety training for our staff, teaching them and showing them how to lift a box properly, but how often do we do training on phishing emails or how to create a good strong password?”
Grant concedes that staff training and awareness is often only half the battle. In his experience, small businesses often ignore the risks posed by cybercriminals due to their size. After all, with news stories regularly focusing on large-scale data breaches and cyber attacks, the real danger would appear to lie with larger organisations.
This simply isn’t true. In fact, smaller businesses are far more appealing targets compared to, say, major banks or multi-national corporations, as they are easier to crack open. Emphasising to small businesses that they are prime targets is key to ensuring they take adequate steps.
“It’s about getting small businesses to understand that they are actually at risk,” he says. “We constantly hear in the press about the big companies, such as Capital One last week, losing information. But very rarely do we hear about the small business that gets hit by ransomware or suffers a data loss of some description.
“The perception, in my opinion, is that the criminals are after the big names – when in reality, everybody is at risk. Why would I spend six months trying to break into a bank that spends millions on security when, during that same period, I can steal data or ransomware dozens of small businesses for much less effort?”