SMEs looking to grow in 2019 are being warned to ensure their cyber security credentials stand up to scrutiny or risk losing hard-won business.
“You may have the greatest product or service on the market, but it will mean nothing if you can’t provide customers with the confidence that your business is secure,” commercial lawyer Alison Loveday at global law firm, Kennedys says:
“Small businesses and start-ups often take the view that their size means they won’t be of interest to hackers or cyber criminals. They need to think again. Cyber criminals have learnt that they can often get access to much larger businesses, via their supply chain – typically made up of small businesses and start-ups. In some of the more recent high-profile hacks, where data has been leaked, access has been obtained through the SME supply chain.”
As a result, cyber security credentials have become a deciding factor in whether businesses win contracts, says Alison. “I’ve seen time and time again, particularly in fast-growing SMEs, where the product or service is second to none, but when a potential customer carries out due-diligence on their security credentials, they fail to meet supplier standards and end up losing the business to someone who can provide corporate customers with the security they demand.”
Alison says that in 2019 it will become increasingly important for businesses to be able to demonstrate what safeguards and controls they have in place, and how they manage and protect data. Unless a business can demonstrate this, then it may well find it is unable to win new business and equally as bad, may be removed from existing supply lists.
Alison offers the following essential tips:
- Make cyber security as important as other risks: In the same way that health and safety and financial risks are key business risks, SMEs need to carefully and continuously consider what the current cyber risks are.
As cyber criminals are getting more sophisticated and ‘learn on the job,’ understanding cyber risks is as important as making sure there is enough money to pay staff.
“The reality is that such attacks are now so prevalent it is more a question of when, rather than if, a business will be attacked,” says Alison.
- Have a plan: Awareness is the first step, but this must be backed up by a plan which clearly outlines who will do what in the event of an attack.
Planning for a cyberattack is a crucial part of any businesses’ disaster recovery plan. There is a need to act quickly and effectively and do everything possible to protect data and minimise any reputational damage.
- Training: Research by the National Cyber Security Centre has revealed that only a third of boards have received training to deal with a cyberattack and 10% still have no plan to respond to any such incident.
The right kind of staff training is key. A tick box approach is wholly inadequate. Your work force should be your first line of defence. No matter how much investment goes into IT infrastructure, it shouldn’t be forgotten that very often cyberattacks happen following innocent or deliberate breaches by individual employees of a company’s processes or procedures.
- Think about your online profile: Potential customers and banks already turn to credit reference agencies before entering into contracts. We will see the development of a similar type of rating for a businesses’ online presence, including a rating of how open to a cyberattacks the business is.
- GDPR has not been and gone: GDPR is very definitely legislation that needs to be kept front of mind. Under the GDPR rules individuals can bring a claim not simply for financial loss, but also for non-financial losses, such as distress and inconvenience.
Where a data breach impacts thousands of individuals, this can mean the value of claims is very significant. Most recently a group action against British Airways was commenced for over £500 million, representing losses to over 400,000 individuals, so the numbers are big. You are not immune.
- React immediately if the worst happens: Most damage is done in the first 24 hours, so if your business suffers a cyberattack, act immediately.
You will need to consider whether notification to the Information Commissioner’s Office is appropriate or necessary, immediate communication to customers and contact your insurer to see what assistance they can provide.
You should also consider what compensation can be offered to try and restore client relationships. For example, if a customer’s bank details have been leaked then a voucher can be provided to pay for monitoring by a credit agency.