The UK's definition of an SME – a small to medium enterprise – is any business with up to 250 employees, but no upper floor on the financial threshold. Speaking at the Counter Terrorism Expo in London's Olympia today, the Federation of Small Business' Home Office and MoJ Policy Unit Chair Richard Parlour laid out just why cyber security is so critical for the sector.
According to Parlour, there are 5.8 million businesses in the UK and a staggering 99 percent of them count as SMEs. The FSB's job as a lobby group is, he says, to protect businesses, save them money, and also help them grow.
But recent figures show that 80 percent of SMEs hit by major cyber incidents don't live longer than two years after the fact – and although there's growing awareness about the importance of cyber security, many SMEs might still not be taking it into consideration.
"We cover business crime, and of the business crimes, cyber crime is our biggest issue and growing," Parlour said. "There's an awful lot of different threats out there, but the biggest one out there by far is cybercrime for us at the moment."
The FSB is trying to explain to its members that the risk they face from cybercrime is multifaceted – from hacktivism, criminal fraud, and "to a growing extent, corporate espionage."
Figures from Allianz's annual business risk report point to enormous growth in cyber crime as a threat, leaping from number five in the last report to third place this year. Security breaches are up, and the cost and scale of them has doubled over the last year.
Parlour said that in 2016, 71 percent of SMEs suffered some kind of security breach, and these come with potentially disastrous knock-on effects in addition to the initial damage: problems with supplier relationships, contract losses, or staff spending their time firefighting rather than focusing on business growth.
"Our survey we ran last year was a bit disturbing," Parlour said. "First of all, two thirds of SMEs thought they were not open to cyber attack, and only one in seven had improving cyber security as a top priority."
There was a lack of awareness for smaller companies who did not realise they were just as likely to be a target as the headline-grabbing breaches that hit TalkTalk and Yahoo.
"There's a growing awareness these people are part of a bigger supply chain and they can be the weaker link on the way in," Parlour explained. "Awareness is increasing, but it's quite slow at the moment. And of course a lot of the advice you'll see on various websites is things like: if you're subject to attack, have a look at your cyber controls. And people will say: ‘Thank you very much, now what will I do with that? So there needs to be detailed, simple, practical steps which SMEs can take."
There are some motivations in key areas for SMEs to take action on getting their security in order, notably in winning government contracts – for example they're unlikely to get far if they haven't got the Cyber Essentials programme in place.
"This is useful but it only goes so far – not a lot of SMEs are bidding for government contracts," Parlour said. "And there is a voucher scheme you can apply for up to £5,000-worth of assistance, but when you look at the details it's a bit disappointing. You can only spend it for a consultant to come in and tell you where the holes are in your cybersecurity, you can't use your own advisor, you have to use somebody from a government list.
"You can't spend the money on hardware to improve your systems, you can't spend it on software – so you think, what is this apart for jobs from a few government-approved cybersecurity consultants? We've made those points to government and hope to get those changed."
For its part, the FSB has put forward 47 policy recommendations to the National Cyber Security Centre (NCSC), and has also been involved in meetings with DCMS. It's encouraging members to get closer to the Cyber Essentials programme, and is also working with Her Majesty's Inspectors of Constabulary (HMIC) – a policing group that's currently working on drafting cyber policing standards for the UK.
"We're trying to make sure that gets implemented by putting a lot of political pressure on our police and crime commissioners, and others, to get that registered," he said.
Parlour believes that there won't be new laws incoming to specifically deal with cybercrime, except around incoming data security standards such as GDPR.
"You might have thought there would be quite a few new laws because cyber is developing very quickly, but there won't be any is the message," he said. "That means there's less to implement. There's not going to be an update of the Computer Misuse Act – a committee I was a member of about 25 years ago looked at the database of English criminal law, and tried to work out if we needed new offences in relation to cyber crime."
In short, there are already existing laws in place to deal with crimes online – they just don't specify that the crimes are online but can be applied to cyber.
The FSB is also arguing against fines for data breaches. According to Parlour, the group believes that the money that comes from fines would go to better use if it was required to upgrade their systems instead.
"In certain other parts of the UK economy that works quite well," he said, pointing to procedures in the financial sector. "There's no point fining people because then they've got less money to sort themselves out," he said. "Apart from filling up a bit more into government coffers, it doesn't do much to help."
He closed by saying Britain's approach to fighting cyber crime needs to look like an ‘integrated air defence system' designed to shoot down planes.
"What we wanted to say is: ‘why don't we have an integrated cyber defence system?" he asked. This might look like a combination of active UK-wide protection but also more encouragement for ISPs to filter out risks, or placing more of the onus on large companies to collaborate to prevent attacks. He said it could also include more stringent standards for baking security into software and hardware from the get-go.
"We've seen an awful lot of operating systems and software go out onto the market with absolutely no security and you get patch after patch and update after update," he said. "Not just a few, but every time you load it up there's thousands. If you did this in the car industry most of us would be dead because most of the cars would not be fit for purpose.
"Why don't we have a similar standard for releasing software and hardware? Why is it that software and app providers either don't build in security, or if they do build it in, the default setting is off?"
The FSB is currently in the process of updating its key security tips for SMEs, and it's led by an understanding of assessing where your most important data lies.
SMEs should work to understand what could happen to their data, and how to protect it. They should, Parlour said, work closely with IT suppliers, clear their policies and guidance for data privacy and BYOD, and follow the Cyber Essentials programme. SMEs should also bring in regular staff training every six months, regular back-up, off-site test recovery and insurance, introduce two-factor authentication for cloud services – and review all of the security procedures every six months.