Ransom beware: Dave Palmer © Anna Gordon

Managers of small and medium businesses who assume that only the biggest companies are targeted by cyber attacks have already made their first mistake.

A third of small British businesses suffered a cyber breach in the past year, according to a UK government study, while just under half of such companies had any form of cyber insurance cover.

Yet the government study showed 60 per cent of small businesses had cyber incident response plans in place, compared with 52 per cent of all companies.

Dave Palmer, director of technology at cyber security consultancy Darktrace, says many attacks are indiscriminate, so it is essential that executives of companies of all sizes “think about the risks of what would kill the business and stop it operating” if a hack or data theft occurs.

Mark Hawksworth, head of the technology practice at Cunningham Lindsey, a loss adjuster, says hackers are increasingly targeting smaller businesses because larger employers have more resources to protect themselves, making smaller companies more vulnerable.

One form of cyber attack that is becoming more common, and to which smaller companies are particularly exposed, is the use of ransomware. This is where the attacker gains entry to a company’s network, encrypts the data and makes them unusable, then demands a ransom from the company in return for an encryption key.

Insurer Beazley predicts a 400 per cent increase in ransomware breaches globally this year. Businesses cannot be entirely immune from such attacks, security experts say, but there are several simple and practical steps to help reduce the risk.

These include ensuring employee passwords are long and difficult to guess, training staff to recognise unsolicited emails and — most importantly — keeping technology up to date. “There can be a desire to sweat assets, but it is important to keep computers and software updated,” says Mr Palmer.

Another measure cyber security specialists advise smaller companies put in place is software that spots unusual network activity, such as bulk copying to an external hard drive. Mr Palmer says he has seen a spate of incidents recently where the culprits were disgruntled employees stealing data.

Sandra Cole, UK and international breach response manager at Beazley, says regardless of whether a company has cyber insurance, it should have an incident response plan in place. This means that in the event of a breach staff are given roles such as contacting clients and authorities, “rather than running around like headless chicken,” Ms Cole says. The plan needs to be tested and updated rather than just drawn up and forgotten about, she adds.

Mr Hawksworth says small businesses often use external IT consultants to keep down costs, but suggests they appoint someone internally to make sure IT policies are adhered to and put them in charge of the response plan in the event of an attack.

Copyright The Financial Times Limited 2023. All rights reserved.