Business Law & Compliance

Planning business growth in 2019? Get cyber security savvy first


04 January 2019

SMEs are being warned to ensure their cyber security credentials stand up to scrutiny or else they could risk losing hard-won business.

You may have the greatest product or service on the market, but it will mean nothing if you can’t provide customers with the confidence that your business is secure.

Small businesses and start-ups often take the view that their size means they won’t be of interest to hackers or cyber criminals. They need to think again.

Cyber criminals have learnt that they can often get access to much larger businesses via their supply chain, which is typically made up of small businesses and start-ups.

In some of the more recent high-profile hacks, where data has been leaked, access has been obtained through the SME supply chain.

As a result, cyber security credentials have become a deciding factor in whether businesses win contracts.

I’ve seen it time and time again, particularly in fast-growing SMEs where the product or service is second to none, but when a potential customer carries out due diligence on their security credentials, they fail to meet supplier standards.

At worst, they can end up losing the business to someone who can provide corporate customers with the security they demand.

In 2019 it will become increasingly important for businesses to be able to demonstrate what safeguards and controls they have in place, and how they manage and protect data.

Unless a business can demonstrate this, it may well find it is unable to win new business and, equally bad, may be removed from existing supply lists.

Here are my essential tips for preparing for this new reality:

1. Make cyber security as important as other risks

In the same way that health and safety and financial risks are key business risks, SMEs need to carefully and continuously consider what the current cyber risks are.

As cyber criminals become more sophisticated and ‘learn on the job’, understanding cyber risks is as important as making sure there is enough money to pay staff.

The reality is that such attacks are now so prevalent it is more a question of when, rather than if, a business will be attacked.

2. Have a plan in place

Awareness is the first step, but this must be backed up by a plan which clearly outlines who will do what in the event of an attack.

Planning for a cyberattack is a crucial part of any business’s disaster recovery plan. There is a need to act quickly and effectively and to do everything possible to protect data and minimise any reputational damage.

3. Get some training

Research by the National Cyber Security Centre has revealed that only a third of boards have received training to deal with a cyberattack and as many as 10% still have no plan to respond to any such incident.

The right kind of staff training is key. A tick-box approach is wholly inadequate.

Your workforce should be your first line of defence. No matter how much investment goes into IT infrastructure, it shouldn’t be forgotten that cyberattacks very often succeed after an individual employee has breached a company’s processes or procedures, whether innocently or deliberately.

4. Think about your online profile

Potential customers and banks already turn to credit reference agencies before entering into contracts.

We will see the development of a similar type of rating for a business’s online presence, including a rating of how vulnerable and open to cyberattack the business is.

5. GDPR has not been and gone

GDPR is very definitely legislation that needs to be kept front of mind. Under the GDPR rules individuals can bring a claim not simply for financial loss, but also for non-financial losses, such as distress and inconvenience.

Where a data breach impacts thousands of individuals, this can mean the value of claims is very significant. Most recently a group action against British Airways was commenced for over £500 million, representing losses to over 400,000 individuals, so the numbers are big. You are not immune.

6. React immediately if the worst happens

Most damage is done in the first 24 hours, so if your business suffers a cyberattack, act immediately.

You will need to consider whether notifying the Information Commissioner’s Office is appropriate or necessary. You should also communicate immediately with your customers and contact your insurer to see what assistance they can provide.

You should also consider what compensation can be offered to try to restore client relationships.

For example, if a customer’s bank details have been leaked then a voucher can be provided to pay for monitoring by a credit agency.