Small businesses especially vulnerable to data breaches

By Benjamin Salisbury

Data breaches targeting large companies grab all the headlines. But small businesses are at risk, too. If you own a small business, there are ways you and your employees can shore up your defenses.

In October 2014, Ed Vaizey, minister for culture and the digital economy, said small businesses are "particularly vulnerable to cyber-security breaches that can result in hundreds of thousands of pounds worth of damage."

Recent data backs that up. Research by PricewaterhouseCoopers (PwC) on behalf of the Department for Business, Innovation and Skills found that although the number of security breaches fell slightly in 2014, there has been a significant rise in the cost of the worst breach a small business suffered in the previous 12 months -- from an average range of £35,000 to £65,000 in 2013, to an average of £65,000 to £115,000 in 2014. small-business-cyber-crime

And though the number of breaches has dropped, they're still high. Among small businesses in the UK, 60% have suffered a security breach in the last 12 months, half of which were classified as a "serious incident". According to the PwC research, 10% of organisations that suffered a breach in the last year were so badly damaged by the attack that they had to change the nature of their business.

"Cybercrime poses a real and growing threat for small firms and it isn't something that should be ignored," Mike Cherry, national policy chairman of the Federation of Small Businesses, said in an emailed response to questions.

According to Cherry, the cost of crime can act as a barrier to growth. For example, he said, many businesses will not embrace new technology, as they do not believe they will get adequate protection from crime.

"Breaches are becoming more sophisticated and their impact more damaging," says Andrew Miller, cyber security director at PwC. "As the average cost of an organisation's worst breach has increased [in 2014], businesses must make sure that the way they are spending their money in the control of cyber threats is effective. "

What are the biggest threats?
Around three in 10 members of the Federation of Small Businesses have been a victim of fraud, typically by a customer or client (13%) or through "card not present" fraud (10%), according to a May 2013 FSB report.

The most common causes of payment system fraud and cybercrime come from employees of the firms not being careful with passwords and other security measures. Staff can expose their company to threats by using weak passwords; by using outdated software and external devices that can introduce malware into IT and payments systems;  by opening emails that contain viruses; or by using unsafe websites on their company computers that introduce infected code.

According to the FSB data, 20% of respondents said they have fallen victim to virus infections;  8% have been a victim of hacking and 5% suffered security breaches.

How to protect payments, payment systems
The first step to preventing breaches at your business is being aware that you're vulnerable. There is an assumption that cybercriminals and online fraudsters just go for big banks or businesses, but this is false.

Big firms and banks have the resources to protect themselves and make things more difficult for criminals. The reality is that all types and sizes of businesses are a target for cybercriminals and most businesses don't know they have a problem until their online payment system has been breached.

Emma Philpott, the government's cyber security clusters champion, recommends the website for "quick, bite-size, non-techy advice on keeping the cyber criminals at bay."

There are many simple, inexpensive steps small businesses can take to fight point-of-sale payment fraud and other online security threats.

These include implementing a secure password system that is changed regularly, and security protection that combines anti-virus, anti-spam and firewall solutions. Business also should carry out regular security testing and risk assessments on payment systems and information systems.

See related: Tax office cracks down on unreported credit card revenue, Is it a good idea to use a credit card to start a business?

Published: 14 November 2014