Cyberthreats targeting small businesses are steadily increasing, with the Department for Science, Innovation and Technology (DSIT) reporting that 42% of small businesses experienced a cyber threat or breach in the past year.
This challenges the misconception that cybersecurity is only necessary for big companies or businesses with large IT budgets.
For small business owners, preventing cyber threats is mainly about balancing potential risk against growth potential and limited resources.
Smaller businesses are potentially seen as an easy target by attackers because of their limited defences. Furthering this point, DSIT reported that 35% of micro businesses were also victims of cyber attacks in the past year.
Common Threats
- Phishing: These attacks are becoming more sophisticated, as attackers are using AI-driven emails and messaging to trick staff into revealing sensitive data or login credentials.
- Ransomware: These are highly disruptive attacks where criminals encrypt business data and demand payment for its release. Double extortion tactics are common, where data is both encrypted and threatened with public release if the ransom is not paid.
- Malware: These include viruses and spyware, which can steal, damage, or lock data and systems.
- Supply Chain Attacks: Attackers aim to reach small businesses through the vulnerabilities in their suppliers, cloud services, or outsourced IT providers.
- Data Breaches: Unauthorised access to sensitive business or customer data, often resulting from phishing, malware, or weak credentials.
Consequences of Cyber Attacks
- Financial Loss: Smaller businesses may face immediate financial losses from stolen funds, ransom payments and instances of fraud. There are also indirect costs such as hiring experts to investigate, taking action to repair the damages, legal fees, and regulatory fines, as well as the cost of implementing renewed security measures.
- Reputational Damage: For small businesses, the loss of customers’ trust can be a devastating blow, especially if they were to take their business to competitors. Negative word-of-mouth can spread and affect the reputation of the business.
- Potential Business Closure: Financial losses, downtime, and loss of customer trust can be difficult to recover from, especially if critical data and backups are lost.
People might think that a small business is too small to interest cybercriminals, but that is far from the truth. Micro businesses hold a lot of valuable data that is useful to attackers. This data includes customer information and payment details, as well as trade secrets.
Hackers tend to automate their attacks, making the size of a business irrelevant. They use software and bots to scan the internet for vulnerabilities, not particularly for a specific company or size.
The weaknesses that cybercriminals look for include outdated software and weak passwords, irrespective of the business or the industry it belongs to. Once a vulnerability is found, the attack is launched.
According to the DSIT report, the average cost of cyber breaches for micro or small businesses was £3,400.
However, multiple factors contribute to these losses, including operational downtime, regulatory fines, the loss of customer trust and subsequent lower retention levels, and intellectual property theft.
Cyber insurance may not cover all losses if basic protections are not in place before the incident. After a breach, premiums can rise, or coverage may end up being reduced.
For smaller businesses, accepting that the IT budget may be limited is key to working out which protective measures are feasible. Keep in mind that consistency and simplicity can make all the difference.
- Step 1: Identify the most valuable digital assets of the company. This includes data, systems, customer information, business emails, intellectual property and financial records.
- Step 2: Leverage low-cost resources, such as open-source security tools like free antivirus software, firewalls, and password managers. Tap into industry resources and leverage employee training.
- Step 3: Implement practical steps by creating strong password policies, using multi-factor authentication, regularly backing up data, and limiting employee access to sensitive data, which will reduce insider threats. Ensure that you keep software updated by making use of auto-update features.
- Step 4: Educate staff on potential threats, how to identify phishing attempts, and how to report these attempts.
- Build Customer Trust: Demonstrating strong data protection and communicating it to customers improves trust. Highlight certifications and provide customers with transparent responses.
- Use Cybersecurity As A Selling Point: Differentiate yourself from competitors by emphasising robust data protection in marketing materials, proposals and sales pitches. Customers, especially B2B partners, prefer vendors that have strong cybersecurity practices in place.
- Attract Investors and Partners: A cyber-resilient business is more attractive to partners, investors, and clients, as it is a sign of responsible business management. Having robust security is often valued higher as it makes the risk profile of the business lower.
- Make an inventory of digital assets to highlight vulnerabilities that need to be secured.
- Enforce strong password policies to help protect digital assets from vulnerabilities and breaches.
- Use an online password manager to generate and store passwords, instead of writing them down.
- Make use of multi-factor authentication tools as an added layer of protection.
- Back up data regularly.
- Train staff on phishing and safe online practices to reduce threats. They will be able to identify threats and alert IT teams.
- Use free or low-cost security tools to keep in line with your budget.
- Monitor accounts and systems for suspicious activity to prevent breaches.
- Have a response plan in place for incidents.
Cybersecurity isn’t a luxury for large businesses or those with larger IT budgets; it is a necessity for the survival and growth of a business of any size. Small businesses can take meaningful steps to protect themselves even without an IT budget. To make the most of your means, start small, stay consistent, and make cybersecurity a core part of the business strategy. This way, you will protect your customers’ peace of mind while positioning yourself as a leader in your industry.