
Consequences of a Cyber Attack

The effect of such an attack on an SME is much the same as it is on a major company; it’s all about scale. A resulting loss of cash for a big company of, say, £500K would be just as bad as a loss of £50K for an SME. In fact, the hit on the SME might be a darn sight worse, as they are generally not financially robust enough to recover.

A recent Cyber Security Breaches Survey, conducted this year by the UK Government, says that in the last 12 months, 39% of UK businesses identified a cyber-attack. That is actually a little down on surveys carried out by organisations like Barclaycard; however, the period under examination was not as long. The survey concluded that, within the group looked at, 31% estimated that they were attacked at least once a week, and 1 in 5 said they experienced a negative outcome because of the attack.

A successful cyber-attack can cause major damage to your business. It can affect your bottom line, as well as your business' standing and customer trust. These impacts are broadly divided into three categories: financial, reputational and legal.

Turning to the financial costs, cyber-attacks often result in a loss arising from:

  • theft of corporate information
  • theft of financial information (e.g. bank details or payment card details)
  • theft of money
  • disruption to trading (e.g. inability to carry out transactions online)
  • loss of business or contract
  • potential fines from the ICO in cases of losses of personal data

And of course, in dealing with the breach, businesses will also generally incur costs associated with repairing affected systems, networks and devices.

It takes a long time to build up trust between you and your customers and to build a reputation within your field for reliability, high standards, good customer service, etc. A cyber-attack can destroy that in hours. If you were to lose your customers' data, especially personal data, you can quickly erode that hard-won reputation. Imagine you are in the supply chain for a major company and you are connected with them electronically to automate their ordering of whatever commodity you supply. Then you become an attack vector for a cyber-criminal who uses you to break into the network of the major company. Do you think you’d ever work for that company again? That loss of reputation will potentially lead to:

  • loss of customers
  • loss of sales
  • reduction in profits

There are potential legal ramifications to a cyber-attack as well. I have mentioned the data protection and privacy laws that require you to manage the security of all personal data you hold - whether on your staff or your customers. If this data is accidentally or deliberately compromised, and you have failed to deploy appropriate security measures, you may face fines and regulatory sanctions. I have seen advertisements now from law firms offering no-win, no-fee terms to represent individuals who have suffered a data breach. Consider that in such a breach it is almost never a single record that is lost; it is more likely that multiple records could be lost, which means multiple claims. And that is on top of any fine which may be imposed by the ICO.

And of course, you could face legal action from a larger company if you were the attack vector via the supply chain.

So, given all of that, what do you need to do? Well, you need a business continuity plan to enable you to continue doing business whilst you get sorted out. You need to be able to respond to the attack to:

  • reduce the impact of the attack
  • report the incident to the relevant authority, in the case of personal data loss
  • clean up the affected systems
  • get your business up and running in the shortest time possible

This does not need to be an enormously costly thing to do. In fact, for many SMEs it can be quite a simple plan, but it does need to be a plan. You should not ignore this or it could cost you dearly, perhaps even cost you your business.

And I’ll bang my usual drum. Investing a relatively small amount in user training, education and awareness is always money well spent.