SMEs and cybersecurity – hello, is anybody out there listening?

With working from home or hybrid working becoming the new norm as a result of the pandemic, the risks to security have never been greater, says Victor Timon from Lewis Silkin.

Last year we had the massive ransomware attack on the HSE, which is still costing millions to repair. We have seen the Data Protection Commission become much more active in handing out fines (for example the €17 million fine on Meta, the parent of Facebook, last month for data breaches) and around the time of the invasion of Ukraine, the papers were telling us that Russian cyber-attacks were imminent!

With working from home or hybrid working becoming the new norm as a result of the pandemic, the risks to security have never been greater, with many workers using their own devices and unprotected networks to connect to their office.


So if ever there was a time to make sure that your systems are robust and that you’ve installed the latest version of your security software, surely this is it. Yet Irish SMEs, as shown by a couple of recent surveys, appear to continue taking a casual approach to data security.

The 2022 .IE Tipping Point Report provides concerning reading – and a complete mismatch in concern between the general public in Ireland and Irish businesses in terms of how seriously they take the security of data. For example, 75% of consumers said they were ‘very’ or ‘somewhat concerned’ about the security of their personal information when shopping online. However, contrast that with the response from SMEs engaged in online sales. The majority (62%), either take no special steps to secure personal data or don’t know how to. Just 15% confirmed the use of basic but effective measures such as a firewall or antivirus, and only 11% the use of two-factor authentication. Only 4% have trained staff in cybersecurity best practice.

And the issue is not just confined to online sales. A recent report by Magnet +, the Irish connectivity company, produced some staggering statistics. It revealed that one in five Irish SMEs (that’s 50,000 companies!), do not have a cyber security policy. One third of Irish SMEs spend less than 10% of their IT budget on security and 13% of the companies surveyed said they either didn’t know who was responsible in their organisation for cyber security, or no one was.

So why does all this matter? What are the risks that so many Irish SMEs are opening themselves up to?

Firstly, there are the legal/regulatory obligations and sanctions. Under the GDPR, given further effect in Ireland by the Data Protection Act 2018, controllers of personal data are obliged to implement “appropriate technical and organisational measures” to protect personal data against unauthorised access or disclosure. A failure to do so could result in a number of sanctions, up to and including a fine of the higher of €10 million or 2% of worldwide annual turnover. Having robust security systems and procedures in place may well mitigate a heavy fine; a failure to have them in place may well have the opposite effect.

Companies who have suffered a data breach could also face lawsuits from individuals affected by the breach, and class actions in such cases may well be a thing of the future. There are also corporate governance issues to consider. A company director may well fall foul of their director’s duties under the Companies Act 2014, for failure to have sight of cyber security issues and for not having the correct policies in place.

It would be wrong though to focus purely on personal data. There are other types of data that may be much more valuable to hackers or others engaged in espionage. These include customer or supplier lists, pricing details and of course intellectual property. What price to a business if they fall into the hands of a competitor? Also, a company may have to face the wrath of suppliers whose confidential information may have been compromised in a cyber-attack.

Apart from losing very valuable data, the cost of recovering from a cyber breach can be enormous and has put companies out of business in the past. A report for the Made in Britain organisation in the UK stated that 60% of small companies go out of business within six months of a cyber-attack. For the survivors, the event is likely to set them back an average of £65,000. The costs involved in dealing with a cyber-attack include business downtime; employee time spent dealing with the incident; engaging third-party IT forensic teams to find the problem and plug the hole; engaging lawyers to deal with GDPR issues; and perhaps even a PR team to try to limit the public damage.

So what should Irish SMEs be doing?

The 12 Steps to Cyber Security published by the Irish Government in 2018, though a little dated, is a good place for SME businesses to start. Additionally, the business representative body ISME has some excellent information and advice on its website, and runs regular cyber security events. A proactive approach to implementation and improvement of cyber security measures is crucial for SMEs, and engaging with practical guidelines and initiatives like these should not be put on the long finger. 

There are immediate things a company can do in the short term that won’t cost anything – like introducing and enforcing password rules, educating staff about opening suspicious emails, and installing the latest updates from its software suppliers. Businesses may need professional help from outside resources to put in place “best practice” security systems and policies after that.
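As an added illustration of the first of those no-cost steps, enforcing password rules, the following Python function checks a proposed password against a simple policy. It is example code written for this edit, not anything from the article's author, Lewis Silkin, or the government guidance cited above. The policy follows the approach in NIST SP 800-63B, which favours a minimum length and a blocklist of common or previously breached passwords over forced composition rules and periodic expiry; it also rejects a password that contains the user's own name or email address. The blocklist here is a constructed handful of entries, and the thresholds, function names and sample passwords are assumptions.

```python
import unicodedata

# Constructed sample blocklist for this example. A real deployment would
# load a large list of common/breached passwords (for instance the
# Have I Been Pwned dataset) from disk rather than hard-code a few.
BLOCKLIST = {
    "password", "passw0rd", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "dragon", "monkey", "football",
}

MIN_LENGTH = 12     # assumed policy minimum; NIST 800-63B requires at least 8
MAX_LENGTH = 128    # allow long passphrases but bound password-hashing cost


def _normalise(password):
    """Unicode-normalise so visually identical strings compare equal."""
    return unicodedata.normalize("NFKC", password)


def _core(password):
    """Reduce a password to a comparable core: lower-case it, drop
    non-alphanumerics and trailing digits, so that 'Password2023!'
    is compared against the blocklist as 'password'."""
    stripped = "".join(ch for ch in password.lower() if ch.isalnum())
    return stripped.rstrip("0123456789")


def check_password(password, username="", email=""):
    """Return a list of policy violations for the proposed password.
    An empty list means the password is acceptable under this policy."""
    pw = _normalise(password)
    lowered = pw.lower()
    problems = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Blocklist check on both the raw lower-cased value and the reduced
    # core, so trivial decorations like a year and a '!' do not evade it.
    if lowered in BLOCKLIST or _core(pw) in BLOCKLIST:
        problems.append("appears in the common or breached password list")

    # Reject near-empty alphabets such as 'aaaaaaaaaaaa' or '121212121212'.
    if len(set(lowered)) < 4:
        problems.append("uses fewer than 4 distinct characters")

    # Reject passwords built from the user's own identifiers.
    local_part = email.split("@", 1)[0] if email else ""
    for ident in (username, local_part):
        ident = ident.lower()
        if len(ident) >= 3 and ident in lowered:
            problems.append("contains the user's own name or email")
            break

    return problems


if __name__ == "__main__":
    for candidate in ("Password2023!", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

The point of the `_core` reduction is that staff asked to "add a number and a symbol" overwhelmingly produce variants like `Password2023!`, which a naive exact-match blocklist would accept; comparing the stripped core catches that whole family. Checking the password at the moment it is set, rather than auditing afterwards, is what makes the rule enforced rather than merely published.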

While you cannot guarantee 100% protection, having good systems, procedures and policies in place, may well be a valuable defence for SMEs in claims by individuals or companies whose data has been compromised in a cyber-attack.

Victor Timon
Victor Timon is a partner in the Dublin and London offices of the international law firm Lewis Silkin and specialises in technology and data privacy.