SMEs under pressure from all sides to prove IT security.
It's not just hackers that are testing businesses' defences; it's their clients, too – looking for reassurance that those they work with are keeping their data secure.
There are already plenty of reasons for SMEs to take cyber security seriously. For a start, you don't need to be a high street name to be attacked. SMEs are frequent targets. In fact, the Federation of Small Businesses estimates those it represents are hardest hit by cyber crime, with smaller firms in the UK suffering attacks or breaches seven million times per year. The government's Cyber Security Breaches Survey 2017, meanwhile, finds that the proportion of medium-sized firms subject to at least one cyber security breach or attack in the last 12 months is about the same (66%) as for large firms (68%).
We also know the regulator won't accept size as an excuse for basic security lapses: earlier this summer the Information Commissioner's Office fined one small business £60,000 for failing to take basic steps to stop its website being attacked.
As the ICO enforcement manager put it: "Regardless of your size, if you are a business that handles personal information then data protection laws apply to you."
Cyber contracts
In one sense, though, it doesn't matter whether or not firms are convinced they're at risk. All they need to know is that their clients are.
A recent survey found that big businesses are increasingly questioning the cyber security of those they contract: a third of SMEs say their security measures have been queried during contract negotiations in just the last year; half say they've had cyber security clauses added to their contracts in the last five years.
That's not surprising; ever since the attack on giant retailer Target in 2013, when 40 million customer details were leaked as a result of network credentials stolen from its air-conditioning subcontractors, it's been well recognised that suppliers can be the weak link for big business.
Knowing the standard
To win business, then, small companies need to meet big businesses' expectations. For that it's worth knowing what they might be. At the moment, the evidence is that many probably don't.
Returning to the government survey, only about a quarter (24%) of small businesses were aware of the information security standard ISO 27001 (and still far fewer than half of medium-sized businesses – 38%); just 15% were aware of the government's 10 Steps guidance (and 27% of medium-sized firms).
If SMEs want to be successful, that's going to have to change. They'll increasingly not only have to be familiar with the basic steps to ensure security, but be able to prove they've put them in place – not just to satisfy big business, but growing expectations from other forward-thinking SMEs and consumers, too.