The growing problem of cyber security is becoming a big headache for small businesses.
Figures from Sophos suggest about 30,000 websites a day are being compromised by cyber hackers – most of those will be the public face of one SME or another.
Becoming a victim of a hack or breach costs smaller firms between £65,000 and £115,000, according to the PWC survey of the worst data breaches among small firms. Those worst hit will suffer up to six breaches a year, PWC suggested, so the total cost could be even higher.
For a smaller firm, finding that much cash to clean up after a breach could mean the difference between keeping trading and going bust.
This lack of focus on cyber security is understandable, as most small and medium-sized enterprises (SMEs) spend most of their time on core commercial activity such as keeping customers happy, seeking out new clients and engaging in all the basic day-to-day admin needed to keep their enterprise afloat.
So worrying about computer security comes a long way down their to-do lists.
However, ecommerce, websites, apps, smartphones, tablets, social media and cloud services were all now standard ways of doing business in the 21st century, he said.
Additionally, there were some SMEs that were based entirely around technology but that did not make them experts in how to keep their digital business secure.
Either way, everyone is a target and they all need to look externally to security firms for help.
Everyone is familiar with attempts to penetrate internal networks to steal payment information or customer data records but may be less knowledgeable about invoice fraud, ransomware, malvertising, or even attacks that “scrape” websites with automated tools to steal all the information about prices and products they contain.
Estimates vary on how much SMEs spend on IT security.
The most recent government figures, published 18 months ago, suggest SMEs with 100 or more employees spend about £10,000 per year. The smallest small firms, with fewer than 20 staff, spend about £200. Other estimates put the spend at about £30 per employee.
SMEs should start with the basics.
This includes anti-virus software, firewalls, spam filters on email gateways and keeping devices up to date. This would defeat the majority of the low-level threats that those busy cyber thieves are churning out.
Government advice on how SMEs can be safer revolves around a 10 steps programme that emphasises basic, good practice. It’s big on those simple steps such as keeping software up to date and applying the widely used software tools that can spot and stop the most prolific threats.
But it also stresses that smaller firms should understand more about how they use data and how it flows around their organisation.
Having a good sense of where data goes and who uses it can help limit the damage if it goes astray.
Having control of that data, knowing its value and where it is going, can help a company guard against it leaking out accidentally or maliciously. For instance, having that control might help a firm spot that a server was accidentally exposed to the net and private information was viewable by anyone.
It can also help SMEs keep an eye on their suppliers and partners to ensure that data is handled appropriately.
And finally, said Mr Harrison from Exponential-e, firms need to put in place a plan for what happens when a breach or security incident does occur.
“It’s not a question of if something bad will happen,” he said. “It will, but it’s all about what they do about it.”