05/03/2015

By Del Heppenstall, Director, KPMG’s cyber security practice


The past year has seen cyber security fast-tracked into the media spotlight with numerous retailers and banks being targeted by cyber criminals. Many SMEs have a view that these targeted attacks are aimed at large enterprises only. However, the reality is that cyber criminals do not discriminate when it comes to making money or taking intellectual property. As long as there is something to gain, like an identity or some sort of credential, then anyone is fair game.

The truth is that SMEs are facing exactly the same challenges as larger businesses – but with arguably fewer resources. With many SMEs operating as part of a wider and more global supply chain than ever before, it is common for larger organisations to issue third party security assessment questionnaires in order to understand how their supply chain protects theirs and their customer’s information and data. Indeed, according to research published by the Home Office in December last year, more than three quarters of procurement managers at big businesses require smaller suppliers to prove their cyber security credentials before selecting them.

For a fledging business that suffers a loss of customer data it can result reputational and brand damage or, worse, the loss of a contract and other customers in the supply chain. Beyond that, a data breach can lead to a loss of a competitive advantage if intellectual property is lost and finds its way into the hands of a competitor.

Cyber criminals use two obvious direct targeting methods to get at SME businesses. The first is around the use of the web, and the second are e-mail threats. Many SME’s are at risk when employees visit a compromised website or open malicious email attachments from their work device, which then use weaknesses in their security settings or missing patches to load malware onto the victim’s systems. The malware then compromises the computer or the browser, from then on the infected system can be used to attack more computers within the company, or steal information, steadily sending the compromised information and data to the cyber criminals.

The silver lining is that the ability to manage the risks through good housekeeping are simpler given the nature of the SMEs less complex IT infrastructure and fewer staff numbers.

Achieving Security Assurance for the SME starts from within and can be achieved by following a few simple steps. The starting point in mitigating cyber risk is to educate employees on good practice and on the value of the information that they hold and process in their daily work lives. This process starts by reviewing what important information a business holds and how it is protected. Once the employees understand what the key information is within the business and the causal effect if this were to be lost or stolen, they can begin to understand the true value and the personal impact on the success or otherwise of their employer, and how they can play their collective part in protecting this through good practice.

The government is also keen to support SMEs in mitigating cyber risk, by offering funding for organisations to address the challenge through the Cyber Innovation Voucher scheme where organisations can get £5,000 towards security related assessments or testing.

Teaching employees the basics can go a long way. Easy to say, and thankfully, with a few helpful tips, relatively easy to do:

• Change passwords regularly
• Install and use up to date anti-virus software
• Make sure your software has the latest patches applied
• Don’t click on emails that are obviously phishing attacks
• Use different passwords on their corporate accounts to those used in their personal online world

These are the same principles that can be applied at home and will help protect their credit cards, data and IT equipment. While the prospect of achieving Cyber Security Assurance can seem daunting and expensive, it is no longer a luxury for businesses large or small.