By Sarah Adams, cyber security expert at digital professional insurance brokers PolicyBee.
When a cyber-attack hits, it can devastate an SME. No exaggeration. If systems are down, data is lost or your website is hacked, it can bring your business to a halt. And a business at a standstill isn't generating revenue.
No use thinking, ‘It won’t happen to me’, either. All the stats point to the fact that the number of cyber-attacks on UK businesses is going in one direction only – up. And that goes for SMEs just as much as the big corporates.
Suffice it to say, if the UK government is concerned enough to be driving a 'Cyber Aware' campaign via its stand-alone website and has even set up a National Cyber Security Centre, there must be something going on.
The question for SMEs must surely follow: what should we be doing about it and is prevention better than cure?
And the best answer to the second part of that question is, yes…and no.
Of course, it makes perfect sense to make sure your IT security is as watertight as it can be. But even that won’t make your systems immune to an eventual breach – whether that’s via human error or hackers simply getting cleverer.
And that means it’s vital to think not just about stopping an attack, but what you’ll do afterwards. Once a cyber-attack has done its worst, you need a slick recovery plan for getting your business back on track again, as quickly as possible.
SMEs have limited resources, so they're unlikely to have a dedicated IT security expert on-site. Even having one is no guarantee. If giants like Yahoo, Three and Lloyds can be caught out by cyber-attacks, what chance do SMEs have?
It does pay to review your security, however, and to buy in external expertise if you need it. At the most basic level you'll need a properly configured firewall and antivirus software, and it's imperative to keep all operating systems, programs and apps up to date with the latest versions and security patches, because most attacks exploit flaws for which a fix already exists.
Another must is using strong passwords that are unique to each account, backed by two-factor authentication wherever a service offers it, and keeping the number of people with administrator access to systems to the minimum the business actually needs. Wi-Fi networks should be protected with WPA2 using AES (CCMP) encryption at the very least; older WEP and WPA-TKIP settings are broken and should be switched off. Finally, keep regular backups that are tested and stored separately from your main systems, so that an attacker who gets in cannot destroy your only copy.
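As an added illustration of two of the checks above (not code from the original article or from PolicyBee), here is a small audit script that checks a Unix-style group file for over-populated administrator groups and checks a hostapd-style access-point configuration for WPA2 with AES-CCMP and a reasonable pre-shared key. The sample group file, both Wi-Fi configurations, the common-password list and the policy thresholds (two admins, 16-character passphrase) are all constructed for the example; adjust them to your own policy.

```python
"""Baseline checks: who has admin rights, and is the Wi-Fi actually WPA2-AES?"""

# Constructed sample of an /etc/group file (not taken from any real host).
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,bob,carol,dave
wheel:x:10:
staff:x:50:erin
"""

# Constructed hostapd-style access-point configs: a weak one and a hardened one.
WEAK_WIFI_CONF = """\
ssid=office
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

GOOD_WIFI_CONF = """\
ssid=office
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-office-2
"""

ADMIN_GROUPS = ("sudo", "wheel", "admin", "root")
MAX_ADMINS = 2                 # policy assumption: two named admins is plenty for an SME
MIN_PASSPHRASE_LEN = 16        # policy assumption for the Wi-Fi pre-shared key
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}  # constructed denylist


def admin_members(group_text):
    """Map each administrative group to the accounts it contains."""
    members = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, users = line.split(":", 3)
        if name in ADMIN_GROUPS:
            members[name] = [u for u in users.split(",") if u]
    return members


def admin_findings(group_text, max_admins=MAX_ADMINS):
    """Flag admin groups with more members than the policy allows."""
    findings = []
    for group, users in admin_members(group_text).items():
        if len(users) > max_admins:
            findings.append(
                f"group '{group}' has {len(users)} members ({', '.join(users)}); "
                f"policy allows at most {max_admins}"
            )
    return findings


def parse_kv_conf(text):
    """Parse key=value lines (hostapd style) into a dict, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def wifi_findings(conf_text, min_len=MIN_PASSPHRASE_LEN):
    """Check an access-point config for WPA2 with AES-CCMP and a decent passphrase."""
    conf = parse_kv_conf(conf_text)
    findings = []
    # hostapd: wpa=2 selects WPA2/RSN only; 1 is WPA1, 3 allows both, 0 is an open network.
    if conf.get("wpa") != "2":
        findings.append(f"wpa={conf.get('wpa', 'unset')}: only WPA2 (wpa=2) is acceptable")
    # The WPA2 pairwise cipher is rsn_pairwise; hostapd falls back to wpa_pairwise if it is unset.
    ciphers = (conf.get("rsn_pairwise") or conf.get("wpa_pairwise", "")).split()
    if "CCMP" not in ciphers:
        findings.append("pairwise cipher must include CCMP (AES)")
    if "TKIP" in ciphers:
        findings.append("TKIP is deprecated and must not be offered")
    passphrase = conf.get("wpa_passphrase", "")
    if len(passphrase) < min_len or passphrase.lower() in COMMON_PASSWORDS:
        findings.append(f"wpa_passphrase is too short or too common (need {min_len}+ chars)")
    return findings


if __name__ == "__main__":
    for title, result in (
        ("admin accounts", admin_findings(SAMPLE_GROUP_FILE)),
        ("weak Wi-Fi config", wifi_findings(WEAK_WIFI_CONF)),
        ("hardened Wi-Fi config", wifi_findings(GOOD_WIFI_CONF)),
    ):
        print(f"{title}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run as-is it reports four problems with the weak configuration (WPA1, no CCMP, TKIP offered, an eight-character passphrase from the denylist), a clean result for the hardened one, and a sudo group with four members against a policy of two. On a real host you would feed it the contents of /etc/group and the access point's exported configuration instead of the constructed samples.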
People might be accessing your systems remotely, or using their own laptops and mobile devices under a BYOD (Bring Your Own Device) policy. In that case, it’s only logical that those devices should be subject to the same level of security scrutiny as your in-office kit.
Educating staff about security protocols is equally imperative. A large share of successful attacks start with a person being tricked rather than a system being broken. And if a staff member is sufficiently clued-up to realise they shouldn't click on a malicious link in an email, thereby avoiding infecting your systems with malware, it can save you thousands of pounds.
The trouble for SMEs lies not only in trying to prevent an attack in the first place, but in having the resources to react quickly when one occurs and minimising the damage afterwards.
That’s important, because cyber-attacks can wreak havoc, effectively putting SMEs out of business in the short- and even longer-term. Plus, all the evidence points to the fact that an attack is more a case of ‘when’ than ‘if’ – no matter how good your security.
Large companies are more likely to have a department devoted solely to IT. That means a greater chance of them being able to move quickly to contain an attack, find its source, make any necessary repairs and restore lost data from backups.
Bigger companies also tend to have stronger financial muscle. So, they’re in a better position to swallow the considerable costs associated with a cyber-attack, not to mention revenue lost because of business downtime.
But what about SMEs, with their more fragile bottom lines? They usually do without an in-house IT person and are more likely to rely on external contractors instead. So, if there's a cyber-attack, it's a question of seeing if they're free to help out.
And it’s not just about the technical bits anyway. In fact, they’ll be the least of your problems. What really hurts is: business downtime and lost revenue; the costs of coping with data loss; reputational damage; claims for damages; and the time it takes to get back to normal.
Port in a storm
This is why it can be a sensible move for SMEs to go the cyber insurance route. A good policy covers all those things and gives businesses the best chance of weathering the storm.
First, it pays for IT expertise to find the source of the attack, stop it, and clear up the mess. All time-consuming stuff. It also provides for replacement kit so your business can keep running in the meantime.
If you've lost customers' personal information, it pays for advisers to contact them and break the bad news. It also covers notifying the Information Commissioner's Office (a legal obligation for breaches of personal data that are likely to put individuals at risk), and deals with any resulting investigation.
Once personal data has been lost – things like names, addresses and even bank details – claims for damages are likely to come your way. In that case, cyber insurance buys the legal muscle to represent you in court and also picks up the tab for any compensation, within the policy's limits.
Crucially, it also compensates businesses for their lost revenue during the period they were unable to operate normally. And it backs that up with PR expertise to help rescue your reputation and your customer/client base in the wake of a cyber-attack.
Prevention versus cure
So…that prevention and cure thing. Which is it?
Both, we reckon. In our cyber-attack infested digital age, it’s essential to follow the best IT security advice to help protect your systems. But it’s equally vital to have a good recovery plan up your sleeve – one that’ll work quickly and effectively to defend your business, should the worst happen.