How can UK small businesses protect against cyber threats?

Small and medium-sized enterprises (SMEs) form the backbone of the UK’s business population, making up 99.9% of its six million-strong private sector operations and employing 60% of the overall workforce, according to data from the Federation of Small Businesses (FSB).

This backbone, however, has been facing tremendous pressure since the pandemic began, with a rising number of cybercriminals pouncing on their digital vulnerabilities, new research from Software Advice has revealed.

The Surrey-based software solutions provider interviewed 500 owners and managers of UK businesses with at most 250 employees and found that 62% of respondents have seen a spike in cyberattacks in the past two years, with 12% saying the increase was significant.

But what’s even more concerning is what the researchers discovered these companies were doing – or not doing – to mitigate such attacks.

Read more: Aviva research examines British SMEs and their cyber cover – or lack thereof

According to the study, 48% of respondents said their employees had not received any form of cybersecurity training in the last two years, while 32% admitted they did not have a cybersecurity programme within their organisation. Only half of those interviewed said they have a formal cybersecurity incident response plan in place.

Cost was the biggest issue hampering cybersecurity efforts, with 38% of business owners saying they did not have the financial means to address cyber risks. This was followed by a lack of skilled IT personnel, which a third of the respondents cited as a major hurdle.

“As many small businesses don’t have the resources to invest in cybersecurity, they become an easy target for a cyberattack,” Sukanya Awasthi, content analyst at Software Advice, told cyber risk and privacy management solutions provider IT Governance. “Additionally, as technology evolves and hackers develop new ways to infiltrate into company systems, small businesses are the most at threat.”

Read more: Are UK SMEs willing to spend big on cyber security?

She added that while cybercriminals have been willing to invest in new tools, contrastingly, many small businesses have shown reluctance. Awasthi pointed out that cybersecurity measures do not always require huge funds and can be done through proper training and effective management.   

Practical ways small businesses can protect against cyberattacks

To help small businesses address the growing threat of cyberattacks, the National Cyber Security Centre (NCSC) has released a guide outlining ways how they can improve cybersecurity “quickly, easily, and at low cost.”

Here are five simple steps businesses can follow that “can significantly reduce the chances of [their] businesses becoming a victim of cybercrime,” according to the NCSC’s guide.

1. Conduct regular data back-ups

Businesses handle massive amounts of critical data, ranging from customer information and orders to quotes and payment details – and without them, it would be very difficult for companies to operate. For this reason, the NCSC advises enterprises to implement regular data back-ups.

“All businesses, regardless of size, should take regular backups of their important data, and make sure that these back-ups are recent and can be restored,” the agency wrote in its guide. “By doing this, you’re ensuring your business can still function following the impact of flood, fire, physical damage, or theft. Furthermore, if you have back-ups of your data that you can quickly recover, you can’t be blackmailed by ransomware attacks.”

These are some factors businesses need to consider when backing up their data, according to the group:

• Essential data: This is information that the business could not function without. It comprises documents, photos, emails, contacts, and calendars, most of which are kept in just a few common folders on a computer, phone, tablet, or network.
• Back-up storage: Whether it is on a USB stick, or a separate drive or computer, access to data back-ups should be restricted so that they are not accessible by staff and not permanently connected (either physically or over a local network) to the device holding the original copy as malware can often move to attached storage automatically.
• Cloud storage: Using cloud storage means data is physically separate from the business’ location but can still be easily accessible. According to the NCSC, service providers can supply data storage and web services without companies needing to invest in expensive hardware upfront. Most providers also offer a limited amount of storage space for free, and larger storage capacity for minimal costs to small businesses.
• Service provider: By handing over significant parts of IT services to a service provider, businesses can benefit from specialist expertise that smaller organisations would perhaps struggle to justify in terms of cost. Not all service providers are the same, according to the agency, but the market is reasonably mature, and most providers have good security practices built-in.
• Automation: Most network or cloud storage solutions allow businesses to make backups automatically. Using automated backups not only saves time, but also ensures that companies have the latest version of their files.

Read more: How can businesses protect themselves from cyber breaches?

2. Protect the business from malware

A malware infection can be extremely damaging to a business’ operation, but the NCSC says it can easily be prevented. The agency shares these five “easy-to-implement” tips that can help organisations from falling victim to malware:

• Install (and turn on) antivirus software
• Prevent staff from downloading dodgy apps
• Keep all IT equipment up to date (patching)
• Control how USB drives and memory cards can be used
• Always switch on the firewall

3. Keep mobile devices safe

“Mobile technology is now an essential part of modern business, with more of our data being stored on tablets and smartphones,” NCSC wrote. “What’s more, these devices are now as powerful as traditional computers, and because they often leave the safety of the office (and home), they need even more protection than 'desktop' equipment.”

To keep mobile devices safe and the data they contain secure, the agency laid down these five tips for businesses:

• Always switch on password protection. Many devices also have fingerprint recognition, but this feature is not always enabled “out of the box,” so users should also check if it is switched on.
• Make sure lost or stolen devices can be tracked, locked, or wiped. This can be done by using free web-based tools or mobile device management software that can be set up to mobile devices to a standard configuration with a single click.
• Keep mobile devices up to date. Manufacturers release regular updates that contain critical security updates to keep the device protected, so it would help if the devices were set to update automatically. It is also vital for staff to know how important these updates are and how to do it, if necessary.
• Keep apps up to date. Similar to operating systems, applications installed in mobile devices should be updated regularly with patches from the software developers.
• Avoid connecting to unknown Wi-Fi hotspots. Instead, use 3G or 4G mobile network, which has built-in security features.

4. Use passwords to protect data

Laptops, computers, tablets, and smartphones contain a lot of business-critical data, including the personal information of customers and online accounts that the business accesses. Because of this, businesses must protect this data from unauthorised users. According to NCSC, passwords, when implemented correctly, are “a free, easy, and effective way to prevent unauthorised users accessing your devices.”

Here are some password best practices that businesses should follow, according to the agency’s guide:

• Set a screenlock password, PIN, or another authentication method
• Use two-factor authentication for important accounts
• Passwords should be easy to remember, but hard for somebody else to guess
• Help staff cope with “password overload” by providing secure storage where can write down passwords or making sure they can reset their own passwords easily
• Change all default passwords before devices are distributed to staff

Read more: 14% of insurance workers fail global phishing test

5. Avoid phishing attacks

Phishing attacks have become one of the most common cybersecurity challenges businesses face and with cybercriminals becoming more creative with their tactics, these kinds of attacks have become harder to spot.

“Whatever your business, however big or small it is, you will receive phishing attacks at some point,” NCSC warns. Here are some measures the agency says businesses can take to minimise the impact of a phishing scam:

• Configure staff accounts using the principle of “least privilege.” This means giving staff the lowest level of user rights required to perform their jobs, so if they are the victim of a phishing attack, the potential damage is reduced.
• Ensure that employees do not browse the web or check emails from an account with “administrator” privileges.
• Consider ways how cybercriminals might target your organisation and make sure employees
• understand normal ways of working, so that they are better equipped to spot requests that are out of the ordinary.
• Check for the obvious signs of phishing such as country of origin, grammar and spelling errors, and requests to respond urgently. 
• Encourage staff to ask for help if they think that they might have been a victim of phishing.
• Do not punish staff if they get caught out as this discourages people from reporting in future and can make them so fearful that they spend excessive time and energy scrutinising every email they receive.
• Keep abreast of the techniques used by attackers and try to stay one step ahead of them.