The 3 big cybersecurity mistakes SMEs make

John Byrne from Surviving Cyber, a provider of online education about cyber risk to the owners and managers of small businesses, picks apart the 3 biggest mistakes that SMEs make.

You may have heard that cybercrime is growing rapidly today. In fact, worldwide cybercrime is expected to reach $6trn in 2021 with a cyberattack taking place every 39 seconds.

This is important to small businesses because they are under attack from cybercriminals.

Small businesses are the “low hanging fruit” because of a lack of understanding of this complex subject and a lack of resources. Tragically, most small businesses only survive for about six months after a cyber incident, so this is potentially a catastrophic event. However, this does not need to be the fate of small businesses.

Did you know that there are three big mistakes that most small businesses make with cyber risk? The good news is that making these mistakes is not inevitable and avoiding these mistakes will materially improve the cyber posture of your small business.

In this short article I will explain the three mistakes, and how you can avoid them in your small business.

Mistake #1: The Wrong Mindset

Most small businesses have a scarcity mindset when it comes to cyber risk. They see cyber as a complicated problem that’s beyond their control and not as a business risk that needs to be managed, like any other. They feel overwhelmed by the complexity of the challenge and as a result may end up failing to engage with it until it is too late. While this is an understandable reaction, it leaves the business critically exposed to cybercriminals.

What these small business owners and managers fail to realise is that the business environment has fundamentally changed in recent years. The digital transformation of businesses has happened quickly and is seen in the dramatic growth in use of mobile technology, greatly increased online trading, use of social media by businesses, and the move from “on-premises” systems to cloud-based systems and software, to mention just a few recent trends.

The legal and regulatory environment has also changed dramatically with the introduction of the GDPR in 2018. Concerns around data privacy and data security are real issues for every business, regardless of size, as the expectations of all stakeholders have risen. Big companies are increasingly requiring their small company suppliers to meet minimum cybersecurity standards if they wish to remain in the big company supply chain.

A growth mindset recognises that every business is now a digital business and that cyber risk is just one side of the coin, with digital opportunity being the other side. Cyber risk is everyone’s reality. This was true before Covid struck in 2020, but now hybrid working and doing business online are the everyday reality for all businesses. Inevitably, cyber incidents against small companies have become far more frequent and severe. Ransomware, which the FBI estimates tripled in 2020, has been used by cybercriminals to target small businesses.

A growth mindset recognises that there are big advantages available for businesses that “up their cyber game”. Becoming a cyber resilient business helps build trust with all your stakeholders including customers, suppliers, employees, and shareholders. Being able to show progress towards cyber resilience has become important for all small businesses and will increasingly be seen as a competitive strength as minimum standards in this area increase.

So, adopting the right mindset, a growth mindset, is the answer to Mistake #1 of small businesses.

Mistake #2: No Strategy for Cyber Risk

Most small businesses have no strategy to manage cyber risk. In effect, this means that all actions are ad-hoc and there is no “joined-up” plan. It also means that surviving a cyber incident is less likely for these businesses. Often, lack of a strategy means that cybersecurity is seen as the responsibility of the “IT guy” rather than a critical risk and Board room issue.

A cyber risk strategy should be simple to understand and straightforward to implement. If the plan is not understood by the people who need to implement it, failure is almost guaranteed. There are a number of national and international cybersecurity frameworks to choose from, with varying levels of complexity, including the Cybersecurity Framework of the National Institute of Standards and Technology (NIST) in the USA.

My “5 Steps to Cyber Resilience” is a simple strategy for cyber risk management at small companies. I believe that it is suitable for small businesses that are new to cyber risk and want to make a start on their journey to cyber resilience. The 5 Steps of the framework are Assess, Reduce, Transfer, Respond and Report. I will explain each Step briefly.

  • Step 1 – Assess: We begin by identifying the key information assets of the business and assessing the risk to which these key assets are exposed.
  • Step 2 – Reduce: Next, we reduce our risk by implementing controls, where possible.
  • Step 3 – Transfer: We then decide to either retain the risk that remains or transfer this risk to an insurance company through cyber insurance.
  • Step 4 – Respond: We establish our response plan and response capability for a cyber incident.
  • Step 5 – Report: We set up reporting for our Board or management team on cyber risk.

This 5-Step framework is an easy strategy to understand and straightforward to implement. Adopting this strategy is an answer to Mistake #2 of small businesses.

Mistake #3: No Tactical Plan to Implement

Most small businesses don’t have a tactical plan to implement for cyber risk. They use ad-hoc responses to events as they happen. They are reactive, not proactive, with cyber risk. Examples could include a decision to implement two-factor authentication following a phishing attempt, or to update the anti-malware defences after contracting a virus through the company email system.

Where small businesses are taking ad-hoc action, the tactics used will not be coordinated and may not always be focused on the essential things – those that are within their ability to control.

The ad-hoc tactics are also likely to focus heavily on Technology risk, to the exclusion of the other two pillars of cyber risk: People risk and Governance risk.

Experts estimate that approximately 90% of cyber breaches involve human behaviour, so failing to provide a staff training and awareness programme leaves your small business exposed to people risk.

Similarly, if you have weak governance over cyber risk, from the Board of Directors down through the organisation, this leaves your small business exposed to risk. Examples could include having no cyber risk strategy, no policies and procedures, no board reporting on cyber risk, and no incident response plan.

Implementing a strategy such as the “5 Steps to Cyber Resilience” leads naturally to a tactical plan to implement in a small business and addresses Mistake #3 of small businesses.

Do not be a victim

Small businesses are under attack from cybercriminals. The consequences of a cyber incident are potentially catastrophic for a small business.

There are three big cyber mistakes that most small businesses make, but this does not have to be the case. These mistakes are easily avoided.

Having the right mindset, a simple strategy and a clear tactical plan, focused on the things that are controllable in your small business, is the way forward.

I hope this article has been helpful and would be delighted to hear from you by email about your number one challenge with cyber risk.

Through Surviving Cyber, I offer education courses for owners and managers of small businesses on how to improve the cyber resilience of their business. Details are available here.

John Byrne
John Byrne is an entrepreneur, insurance professional with over 30 years’ experience, Chartered Certified Accountant, educator and digital enthusiast. He was the co-founder of an insurance business at Lloyd’s of London, which he exited in 2015. He is currently the Founder of Surviving Cyber, an online education and coaching course offering for small business owners, and co-founder of Cyber Plus Solutions, a cyber risk management InsurTech start-up.