No, not the lottery I’m afraid. The recent data breach at the NCT goes to highlight once again that SMEs should take Cyber Security seriously.

It is easy to think that only banks or organisations with ‘valuable’ data are at risk. But as the NCT breach demonstrates, the organisation itself isn’t always the main target. The prize could be access to other services where your customers have reused the same login credentials or potentially a more convincing phishing attack on your customers, based on the data that has been stolen.

Increasingly, an SME with poor security and a list of customer email addresses and other details is a much more attractive Cyber Crime opportunity than a well defended larger organisation.

So SMEs need to take Cyber Security seriously, but this is not a counsel of despair. Start by getting some basics right.

  • Install software updates promptly
  • Install Anti Virus on company machines and keep it updated
  • Use strong passwords: 8 or more characters, including capitals, numbers and symbols
  • Delete suspicious looking emails
  • Train staff and raise awareness e.g. highlighting what phishing emails look like
  • Issue an internet use policy to staff, making it clear what types of sites can and can’t be visited from work devices, and what files and software can be downloaded
  • Put in place a backup process to protect your assets should disaster strike

That’s not a long list to get the basics right, and they are pretty simple things to do even for an SME with a tight budget.

The next step is to take a simple and structured risk management approach to understanding risks to your business and how to manage them effectively.

  1. What assets do you have that could be at risk?
  2. What is the threat and what form could it take? E.g. theft or damage; from criminals or accidental/deliberate action by employees.
  3. What would the impact be and what is the likelihood?
    • You can consider this qualitatively with a scoring system – high, medium, low.
    • Or try to quantify three things: the asset value (AV); the exposure factor (EF), e.g. damage would cost 50% of the asset value; and the annual rate of occurrence (ARO), the likelihood of this happening in a given year. Multiplied together they give an annual loss expectancy (e.g. £100,000 AV x 50% loss EF x 10% ARO likelihood per year = £5,000)
  4. Rank risks to create an ordered list for actions to improve the protection of certain assets.
    • In the example above the calculation suggests it is worth spending up to £5,000 to protect that asset and no more. 
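The four steps above can be kept as a small risk register. The sketch below is an added example, not part of the original article: only the first row uses the article's figures, and the other rows, the `control_cost` field and all names are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Risk:
    asset: str                # step 1: what could be at risk
    threat: str               # step 2: what form the threat takes
    asset_value: Decimal      # AV, in pounds
    exposure_factor: Decimal  # EF, fraction of AV lost per incident (0 to 1)
    annual_rate: Decimal      # ARO, expected incidents per year
    control_cost: Decimal     # proposed yearly spend on protection (assumed field)

    def __post_init__(self):
        if not (Decimal(0) <= self.exposure_factor <= Decimal(1)):
            raise ValueError(f"EF must be between 0 and 1: {self.asset}")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError(f"AV and ARO must not be negative: {self.asset}")

    @property
    def ale(self) -> Decimal:
        """Step 3: annual loss expectancy = AV x EF x ARO."""
        return self.asset_value * self.exposure_factor * self.annual_rate


def rank_risks(risks):
    """Step 4: order by ALE, highest first; flag whether spend stays within ALE."""
    ordered = sorted(risks, key=lambda r: r.ale, reverse=True)
    return [(r.asset, r.ale, r.control_cost <= r.ale) for r in ordered]


# Constructed register; only the first row's AV, EF and ARO come from the article.
REGISTER = [
    Risk("Customer database", "theft by criminals",
         Decimal("100000"), Decimal("0.5"), Decimal("0.1"), Decimal("3000")),
    Risk("Office laptops", "loss or damage",
         Decimal("20000"), Decimal("0.25"), Decimal("0.5"), Decimal("4000")),
    Risk("Online shop", "outage after attack",
         Decimal("60000"), Decimal("0.2"), Decimal("1"), Decimal("8000")),
]

if __name__ == "__main__":
    for asset, ale, justified in rank_risks(REGISTER):
        verdict = "within ALE" if justified else "costs more than the expected loss"
        print(f"{asset:18} ALE £{ale:>9,.2f}  control {verdict}")
```
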

It seems that Cyber Security scares have a tendency to make SMEs stick their heads further into the sand. Following some of these simple steps can significantly reduce the risk to your business, your customers and your reputation.