The report, ‘Cyber Resilience: How to protect small firms in the digital economy,’ suggests smaller firms are collectively attacked seven million times per year, costing the UK economy an estimated £5.26 billion.
Despite the vast majority of small firms (93%) taking steps to protect their business from digital threats, two thirds (66%) have been a victim of cyber crime in the last two years. Over that period, those affected have been victims on four occasions on average, costing each business almost £3000 in total.
Cyber crime costs small businesses disproportionately more than big businesses when adjusted for organisational size. Currently the responsibility largely falls on small businesses to protect themselves. FSB is calling for more support to be given to those smaller firms least able to bear the burden of the increasing global cyber threat.
Almost all (99%) of the UK’s 5.4 million small firms rate the internet as being highly important to their business, with two in three (66%) offering, or planning to offer, goods and services online. Without intervention, the growing sophistication of cyber attacks could stifle small business growth and in the worst cases close them down.
Mike Cherry, FSB National Chairman, said: “The digital economy is vital to small businesses - presenting a huge opportunity to reach new markets and customers - but these benefits are matched by the risk of opportunities for criminals to attack businesses.
“Small firms take their cyber security responsibility very seriously but often they are the least able to bear the cost of doing so. Smaller businesses have limited resources, time and expertise to deal with ever-evolving and increasing digital attacks. We’re calling on Government, larger businesses, individuals and providers to take part in a joint effort to tackle cyber crime and improve business resilience.”
The types of cyber crime most commonly affecting small businesses are phishing emails (49%), spear phishing emails (37%), and malware attacks (29%).
Small firms are also concerned about hacking and fraud when the card is not present, with the average information breach setting them back 2.2 days.
To combat this, four in five small firms (80%) use computer security software, and well over half (53%) perform regular updates of their IT systems.
The FSB report also found room for small firms to improve security. Currently just a quarter of smaller businesses (24%) have a strict password policy, four per cent have a written plan of what to do if attacked online, and just two per cent have a recognised security standard such as ISO27001 or the Government’s Cyber Essentials scheme.
Mike Cherry added: “Small firms are understandably focussed on building their businesses and creating the jobs which drive economic growth. The vulnerabilities of the digital world affect everyone and the responsibility for improving resilience should not be left to the group with least resource to do something about it.
“Security is important, but given that an element of risk will always be present when operating online, resilience must also be championed. Without a concerted effort to reduce cyber crime and improve resilience, small businesses could be at real risk.”
There needs to be significant simplification and consolidation of cyber security information provided by Government. The National Cyber Security Centre should become the hub for this, providing a one-stop-shop for advice and guidance for all small businesses alongside a determined marketing effort to ensure businesses are aware of it.
Schools should try to incorporate digital learning so that young people have a better understanding of the dangers of being online and are educated about how to be cyber secure.
There should also be better incentives for small businesses to encourage them to invest in cyber resilience measures and adopt best practice when it comes to increasing their cyber resilience.
The law enforcement response to cyber crime must be improved at the local, regional, national and international levels. There must be more investment by the Government in law enforcement resources to effectively tackle cyber crime. Businesses should be encouraged to report every crime and they must be reassured that it will be taken seriously.
Notes to editor
1) FSB report. ‘Cyber Resilience: How to protect small firms in the digital economy’, 9 June 2016. On behalf of FSB, Verve surveyed 1006 FSB members between 11 - 18 January 2016 on their perceptions and experiences of business crime over the last two years. For a copy of this report, please contact the press office.
2) Ponemon Institute, ‘2015 Cost of Cyber Crime Study: United Kingdom’, October 2015
3) Phishing is the process of sending malicious emails designed to trick the recipient into clicking on an attachment or visiting a fake website. Spear-phishing is more targeted, where an email appears to come from a genuine acquaintance.
4) Card not present fraud is fraudulent use of a payment card such as a credit card where the card is not physically presented to the merchant, rather payment takes place at a distance e.g. online.
5) Department for Culture, Media and Sport, ‘Cyber Security Breaches Survey 2016: Main Report’, 08 May 2016
As the UK’s largest business support group, FSB is the voice of the UK’s small businesses and the self-employed. Established over 40 years ago to help its members succeed in business, FSB is a non-profit making and non-party political organisation that’s led by its members, for its members. As the UK’s leading business campaigner, FSB is focused on delivering change which supports smaller businesses to grow and succeed.
FSB offers members a wide range of vital business services, including access to finance, business banking, legal advice and support along with a powerful voice in Government. Each year FSB also runs the UK’s Celebrating Small Business Awards. More information is available at www.fsb.org.uk. You can follow us on Twitter @fsb_policy and on Instagram @fsb_uk.