A third of UK SMEs have no cybersecurity strategy

A report from Business in the Community details worrying cybersecurity trends among SMEs in the UK.
19 March 2019


A third of SMEs in the UK have no cybersecurity strategy in place, according to a report by Business in the Community (BITC), while just 35 percent have a basic data protection policy and just 29 percent have a policy for controlling access to systems.

Retail (43 percent), construction (39 percent) and real estate (36 percent) have the fewest cybersecurity measures in place. The transportation and distribution sector also falls into the same category (34 percent).

Worryingly, 18 percent of businesses in London and 20 percent of businesses in both the East of England and East Midlands indicated they have no cybersecurity measures in place. Meanwhile, 40 percent of businesses in Wales and 32 percent of businesses in the North East also indicated that they have no measures in place.

The report recommends, in line with the UK’s National Cyber Security Centre (NCSC), that SMEs follow four steps at a “bare minimum” to ensure they have a base level of cybersecurity in place:

  • Businesses should use a firewall to secure an internet connection.
  • Choose the most secure settings for devices and software.
  • Control who has access to data and services with passwords and user-specific accounts.
  • Use antivirus software and utilize the auto-update mechanism to keep everything up to date.

In the last year, 40 percent of SMEs in the country have not undertaken any cybersecurity action, which includes policies, insurance, and staff training.

The NCSC advises that all businesses should have an overall security policy that includes cyber security and resilience.

To ensure compliance with your policies across an organization, the group recommends mandatory and regular training for all employees that explains the latest and best practices for being safe online.

This will ensure cybersecurity and resilience are embedded as part of the culture of the workplace and will reinforce that everyone has a role to play.

The report also recommends that businesses follow organizations like NCSC on Twitter for up-to-date alerts on current cyber threats.

Cybersecurity training for employees is an issue that is still not being taken seriously among small and medium-sized enterprises. 31 percent of them think that it’s not necessary, and 28 percent have no reason for their attitude.

Other reasons for this lackadaisical attitude include a lack of knowledge of training, the belief that it’s too difficult to implement, not knowing which training provider to go with, and the possible high costs associated with these courses.

Cybersecurity insurance adoption is another area where most SMEs are lagging behind. 28 percent of them think it’s not necessary, while 27 percent have no reason for their approach to the matter at hand.

Cyber insurance can help businesses cover the cost of business interruption from a cyberattack, financial damage resulting from loss of customer data, and repairing or replacing damaged equipment.

Cyber insurance gives you access to specialists who can, at short notice, help to stop an attack and get you back to business quickly.

Insurance could also help with managing your company’s reputation should a breach occur, and paying any associated fines as a result of breaching regulations.

Thankfully, when it comes to backing up essential data, almost 50 percent of SMEs understand the importance of carrying out this mundane task.

The NCSC advises automatically backing up data, and ideally, this would be done in more than one place, for example using a cloud provider, so that a company will always have the latest files available.