SMEs under pressure from all sides to prove IT security.

It’s not just hackers that are testing businesses’ defences; it’s their clients, too – looking for reassurance that those they work with are keeping their data secure.

There are already plenty of reasons for SMEs to take cyber security seriously. For a start, you don’t need to be a high street name to be attacked. SMEs are frequent targets. In fact, the Federation of Small Businesses estimates those it represents are hardest hit by cyber crime, with smaller firms in the UK suffering attacks or breaches seven million times per year. The government’s Cyber Security Breaches Survey 2017, meanwhile, finds that the proportion of medium sized firms subject to at least one cyber security breach or attack in the last 12 months is about the same (66%) as for large firms (68%).

We also know the regulator won’t accept size as an excuse for basic security lapses: earlier this summer the Information Commissioner’s Office fined one small business £60,000 for failing to take basic steps to stop its website being attacked.

As the ICO enforcement manager put it: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.”

Cyber contracts

In one sense, though, it doesn’t matter whether or not firms are convinced they’re at risk. All they need to know is that their clients are.

A recent survey found that big businesses are increasingly questioning the cyber security of those they contract: a third of SMEs say their security measures have been queried during contract negotiations in just the last year; half say they’ve had cyber security clauses added to their contracts in the last five years.

That’s not surprising;  ever since the attack on giant retailer Target in 2013 when 40 million customer details were leaked as a result of network credentials stolen from its air-conditioning subcontractors, it’s been well recognised that suppliers can be the weak link for big business.

Knowing the standard

To win busines, then, small companies need to meet big businesses’ expectations. For that it’s worth knowing what they might be. At the moment, the evidence is many probably don’t.

Returning to the government survey, only about a quarter (24%) of small businesses were aware of the information security standard ISO 27001, (and still far fewer than half of medium sized business – 38%); just 15% were aware of the government’s 10 Steps guidance (and 27% of medium sized firms).

If SMEs want to be successful, that’s going to have to change. They’ll increasingly not only have to be familiar with the basic steps to ensure security, but be able to prove they’ve put them in place – not just to satisfy big business, but growing expectations from other forward-thinking SMEs and consumers, too.