A risk-based approach to cybercrime for SMEs



It's very hard to stop a determined burglar getting into your house.

If they were to watch your comings and goings every day, work out which alarm system you had, perhaps even cut the power to the house to stop it going off, then pick the lock on your secure front door (or simply jimmy open a window), drug your guard dog or bribe your neighbour for the spare key... eventually they would find a way in.

The same is true of most systems connected to the internet: a skilled, determined and patient attacker will eventually find a way in. But just as double-locking the front door and setting the burglar alarm before going on holiday deters most criminals enough that they move on to easier prey, doing the security basics well is usually enough to make your business a harder target than the next one.

You certainly wouldn't go on holiday leaving your windows wide open, yet that is effectively what most small businesses do.

The threats to small businesses from cyber crime are ever present, and a business's ability to protect itself and minimise risk is critical to its overall success. The good news is that a few basic steps drastically reduce the risk from the most common threats. These steps are simple:

  • Installing anti-virus/anti-malware software on all machines
  • Keeping software (operating systems, browsers and applications) up to date with security patches
  • Using network and host-based firewalls
  • Practising good security habits, such as recognising and deleting malicious emails rather than opening their attachments or links
  • Ensuring good password practices are in use (a unique password for each service, and multi-factor authentication where it is offered)

In addition, if you store your customers' data, you must also:

  • Identify the cost of cleaning up after a breach or malware incident
  • Identify the cost of fines for losing personal data or failing to meet other compliance requirements

Beyond the basics, further investment in security measures will generally make your customer data and your intellectual property safer from theft or ransomware, although each additional pound buys less risk reduction than the last. So the question is: should your business be looking to reduce risk further, or are the basic measures enough? Before you can make this decision there are a few factors to consider.

  • If you were a victim of cyber crime and all your IT systems became unavailable, or all your data was compromised or lost, what would the direct financial cost be (recovery, lost trading, fines)?
  • If the same happened, what would the potential damage to the reputation of your business be?

In reality, both of these factors come back to financial cost, because a loss of reputation is likely to lead to a loss of customers, as TalkTalk found out after its very public breach in 2015.

So, when considering IT security measures, weigh the cost of each measure against the expected cost of a breach: the likely loss from an incident multiplied by how often such an incident is likely to occur. Once these figures are estimated, even roughly, the business value of security spending can be established, ensuring the measures put in place match the risk profile of the business rather than being chosen on price alone.
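The comparison described above is usually written down as an annualised loss expectancy (ALE): the cost of a single incident multiplied by how many such incidents are expected per year, compared before and after a control is added. The following is an added worked example, not code or figures from the original article or from Safebear; the scenario, the three candidate controls and every cost and effectiveness figure are constructed for illustration and should be replaced with a business's own estimates.

```python
# Added example (not from the original article): a simple annualised loss
# expectancy (ALE) model for deciding whether a security measure is worth
# its cost. ALE = single loss expectancy x annual rate of occurrence, which is
# the "cost of a breach times how likely it is" comparison from the text.
# All scenario names, controls and figures below are constructed for
# illustration; they are not real cost data for any business.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss event the business is exposed to."""
    name: str
    single_loss: float   # cost of one incident: cleanup, lost trading, fines, lost customers
    annual_rate: float   # expected incidents per year with only today's controls


@dataclass(frozen=True)
class Control:
    """A candidate security measure and its assumed effect."""
    name: str
    annual_cost: float           # licences, labour, training, per year
    rate_reduction: float        # fraction of incidents it prevents (0..1)
    loss_reduction: float = 0.0  # fraction of per-incident cost it removes (0..1)


def ale(scenario: Scenario) -> float:
    """Annualised loss expectancy with no additional control."""
    return round(scenario.single_loss * scenario.annual_rate, 2)


def residual_ale(scenario: Scenario, control: Control) -> float:
    """ALE remaining once the control is in place."""
    loss = scenario.single_loss * (1.0 - control.loss_reduction)
    rate = scenario.annual_rate * (1.0 - control.rate_reduction)
    return round(loss * rate, 2)


def break_even_cost(scenario: Scenario, control: Control) -> float:
    """The most the business should pay per year for this control: the ALE it removes."""
    return round(ale(scenario) - residual_ale(scenario, control), 2)


def net_benefit(scenario: Scenario, control: Control) -> float:
    """Risk removed minus what the control costs; negative means it is not worth it."""
    return round(break_even_cost(scenario, control) - control.annual_cost, 2)


def rank_controls(scenario: Scenario, controls: list[Control]) -> list[tuple[str, float]]:
    """Controls ordered by net benefit, best first."""
    scored = [(c.name, net_benefit(scenario, c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def worthwhile_controls(scenario: Scenario, controls: list[Control]) -> list[str]:
    """Names of the controls whose net benefit is positive."""
    return [name for name, benefit in rank_controls(scenario, controls) if benefit > 0]


# Constructed scenario: ransomware on the file server of a small firm.
RANSOMWARE = Scenario(name="Ransomware on file server", single_loss=40_000.0, annual_rate=0.25)

# Constructed candidate controls with assumed costs and effectiveness.
CONTROLS = [
    Control("Patching and anti-malware on every machine", annual_cost=1_500.0, rate_reduction=0.6),
    Control("Tested offline backups", annual_cost=2_000.0, rate_reduction=0.0, loss_reduction=0.75),
    Control("24x7 managed detection service", annual_cost=18_000.0, rate_reduction=0.8),
]

if __name__ == "__main__":
    print(f"{RANSOMWARE.name}: ALE without extra controls = {ale(RANSOMWARE):,.2f}")
    for name, benefit in rank_controls(RANSOMWARE, CONTROLS):
        print(f"  {name:45s} net benefit {benefit:>10,.2f}")
```

With these constructed figures the two cheap measures each pay for themselves several times over, while the managed detection service removes the most risk but costs more than twice the risk it removes, so for this business it would only make sense if the single-loss estimate were much higher. That is the point of the exercise: the right level of spending follows from the loss and likelihood estimates, not from how much security it is possible to buy.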

The first step in assessing and minimising the risks to your business is to ensure you have the right skills available to do this effectively. Safebear can offer courses to help you cost-effectively develop these skills within your business, or can provide skilled security experts to guide you through the process.

Don't leave your windows open to cyber criminals. Ensure your employees are trained to do the basics right.