Published 4 August 2015
Head of IT
The Importance of Information Security for Small Business
Information security is a major problem for all businesses. However, unlike larger companies, small businesses often lack the resources (physical, human and financial) to manage the processes of becoming information-secure. Instead, most of a small business’s attention is focused on commercial activities such as winning new customers and growing sales, which leads to dangerous neglect of ever-increasing business risks, one of which is data breach.
Small businesses also get hit hard
Small firms rely heavily on the internet to carry out their operations, which leaves them just as open to data breach as their larger counterparts.
Cyber-criminals are prolific. Today, it is increasingly easy to acquire the automated hacking tools required to carry out a data breach. This makes every internet-facing business on the planet a potential victim. Whilst a data breach can harm a large firm’s image and hurt it financially, it can totally destroy a smaller business with the monetary implications that follow.
Evidence suggests that small businesses are getting hit hard. According to PwC’s 2015 Information Security Breaches Survey (ISBS), 74% of small companies in the UK reported a security breach in 2015, which is an increase from 60% in 2014. With startling statistics like this in mind, it’s easy to see why small businesses need to place more emphasis on information security.
Getting it right
The first step to getting it right is for small businesses to accept that they are on the radar of cyber-criminals as much as large firms. It’s the data that is attractive to cyber-criminals, not the size of the business, especially “tasty” data such as client payment details and login credentials for applications such as online banking or information sharing systems.
The second step is for small businesses to have adequate protection against basic attacks, by way of well-configured hardware and software firewalls, and properly updated endpoint protection (anti-virus). Small companies are not expected to have dedicated information security consultants in-house; however, they should look to IT services companies to provide consultancy and support to achieve these goals.
Lastly, small businesses should have a regular cyber health check to ensure that the prevention systems mentioned in the step above are configured and working correctly. This should be backed up by a documented strategy that defines how the business intends to respond to an attack and potential data breach in line with business objectives.
Ten steps to cyber security
HM Government has identified ten steps small businesses need to review in order to protect themselves against the majority of cyber threats. These are presented in the infographic below:
The Government also recently unveiled the Cyber Essentials Scheme, a guidance framework for implementing security controls as well as a method of demonstrating to key stakeholders and clients that a company is cyber-secure.
According to the scheme, the critical controls and systems small businesses need to implement are:
- Secure configuration – implement security measures when building and installing computers and network devices to reduce unnecessary vulnerabilities.
- Edge firewalls and Internet gateways – provide a basic level of protection where a company connects to the Internet.
- Access control and administrative privilege management – assign special access privileges only to authorised individuals and provide the minimum level of access to applications, computers and networks.
- Patch management – keep the software used on computers and network devices up to date so that it resists low-level cyber attacks.
- Malware protection – install and regularly update malware protection software.
If you have found the information in this article helpful and would like to discuss your business information security goals with a member of our team, please get in touch.