Small businesses and cyber security: advice from Matt Roberts
If you run a small business, it’s easy to get caught up in the day to day. You’re busy looking after your customers and keeping one eye on the bottom line, so things like cyber attacks can often feel like less of a priority, especially if you’re a very small or micro-sized business.
However, 43% of cyber attacks target small businesses, an increase from 18% over the last few years alone.
To find out what small businesses need to know about cyber security, AXA spoke to Matt Roberts of cyber security training experts arcX to get some simple tips any business can take to keep themselves and their customers secure from a cyber attack.
Hi Matt. Can you give us a brief introduction to yourself, your experience and your business?
I’m Matt Roberts and I’m a former Royal Marine turned anti-piracy consultant. After leaving the military and being an anti-piracy consultant for a while I decided to go into business and set up a classroom-based training academy, delivering training for veterans. Then with COVID and everything else we decided that we should streamline our operations and make everything available online. So, we came up with the idea of arcX, which is an advanced cyber security training platform, which we’ve been developing for the last year or so.
When it comes to small or micro-sized businesses, what are some of the main cyber security issues they need to look out for?
It really depends on the market they work in. But when I’m talking to small business owners or large corporations the one thing that it always comes down to is data. What data are you holding? What personal identifiable information are you holding as an organisation and what security parameters do you have which sit around that? And if someone else was to get hold of that information and restrict you from having access, can your business continue to function in its current form? It’s all of these different things that you have to consider.
The problem I find with most small businesses, particularly one or two-man bands, is there’s this idea that ‘it won’t happen to me’. But it does, and when it does happen to small businesses it’s much more likely that they won’t have the capabilities or resources to recover from it.
Do different types of businesses need to think about cyber security differently? Are the risks different between a builder and a graphic designer, for example?
The threats facing businesses do differ based on their market sector, but the likelihood of them being attacked also differs based on the types of information and data they hold as well. So if you look at a sole trader builder for example, it may feel like they don’t hold anything of value to a potential hacker. It’s easy to get sucked into this mindset that you’re not a big enough business for this to happen to you. And the reality now is that there’s no bigger threat to a small business than the so-called insider threat. Now this could be malicious, but it could be through an accident or through ignorance as well. For that sole trader builder, it might well be that they click a link in an email that they shouldn’t. And now someone has access to your system and your data and they’re potentially now able to blackmail or extort your business or yourself.
The main difference between large corporations and small businesses, when it comes to cyber security, is that generally larger businesses will have the infrastructure and the remediation processes in place to be able to survive and turn it around in a way that small businesses don’t.
Larger organisations have security policies, data protection policies, user policies that employees have to follow. When you’re a sole trader, it’s very easy to get caught up in various traps. Something really basic like your password. How many people use the same password for more than one account? And if you’re a sole trader and you’re using the same password for your business as you do for your personal accounts, if you’re attacked and your password is compromised, very quickly the distinction between business and personal gets blurred and suddenly everything is compromised.
What are some of the risks that small businesses might be facing if they don’t have the right protections in place?
It could be financial risks, reputational damage, regulations or legislation they might be in breach of. Anything you think could go wrong probably will go wrong as a consequence of a cyber breach.
From a reputational standpoint, for example, I actively avoid using organisations that I know have been a victim of cyber attacks. So if I was to see that a small business suffered a data breach and it was through a blatant disregard of any kind of controls or any kind of security processes at all, then I wouldn’t want to use that business again.
It’s very difficult to come back from the reputational damage associated with being a victim, particularly if you were found to have no controls or even basic steps in place to protect yourself.
Depending on how your customer data or user data is stored, you could also potentially find yourself getting a knock on the door from the Information Commissioner’s Office. Since the introduction of GDPR, you’re hearing about more and more organisations being fined by the ICO and these can be considerable sums of money. Which again can lead to a business closing their doors.
What are some of the immediate steps a small business owner might take to help protect their business?
Very simple day to day things like using a password manager. If you’re not sure what they are, have a quick search online; there are a few very reputable ones. Change the settings so that it can produce complex passwords for you and go through your accounts and change the passwords using the password manager. From then on, you’ve only got to remember the access point for that password manager. Set up a recovery email and change absolutely everything else. Straight away you’re increasing the difficulty someone’s going to have in trying to misappropriate information.
The next thing is system updates. I can’t count how many times I’ve seen people open their phones or laptops and it says there’s a system update pending. People put them off because it’s annoying or it takes time, but these updates are not always visual. A lot of them are updating security definitions or updating patches that have been found to be used to breach systems to gain access to your computer systems. So keep all your devices up to date – phones, laptops, tablets, personal and business. Such a simple thing, but it can save you a big headache down the line.
Also, anti-virus software. Get it on your devices. The bare minimum from a business perspective, any device that you use should have anti-virus software. A good paid-for version isn’t that expensive, even for the business license version. And make sure it’s set to automatically update so that it’s continually getting the latest information and ensuring your systems are protected.
Don’t click any links in emails you weren’t expecting to receive or that haven’t come from someone you know personally. If someone asks you to use a login portal from an email, always log into that service separately from a different browser. See if you can clarify that information from a different journey.
Most importantly of all, back up all your data. By backing your data up and having it safely stored in another way, you can still access that information if you are the victim of an attack. So you can continue business as normal.
If you do fall victim to a cyber attack, breach or accidental mistake, what should small businesses do?
For me personally, I’d say be honest. Be honest about it and don’t try and hide anything. Straight away you should notify the police. And then you need to notify the ICO that you’ve had a breach of some description, within 72 hours. Let them know of a breach or even a suspected breach. If you take those initial steps everything else will come a little bit easier. You’ve done your legal requirement, so down the line if you have any disgruntled customers you’ve got the law and the ICO on your side saying you did the right thing, to a degree.
What would you say to people who think that cyber security is just something for big business to worry about? Or that they’re too small to worry about being hacked?
The statistics speak for themselves. Nobody thinks it’ll impact them until they’re the victim. But 43% of cyber-attacks target small businesses. And the US National Cyber Security Alliance suggests that of those small businesses that suffer cyber-attacks, 60% go out of business within six months post-attack. I’m sure those people who have become victims and whose businesses have had to close down as a consequence of it really wish they had taken a more proactive approach beforehand.
Nothing I’m saying here is going to cost an individual thousands or even hundreds of pounds. These are things you can do straight away to manage your risk.
Most important is that it’s not a case of if, it’s a case of when. And even though you’re a small business, you might not remain a small business forever. So you need to protect your business and your reputation as you grow.
Find out more about Matt Roberts and arcX at https://arcx.io/