Why businesses need to invest in cyber security

Small and medium-sized businesses still struggle to invest in cyber security, even with cyber-attacks continuing to pose a significant threat. Cyber security breaches and attacks continue to be a common threat to businesses and charities of all sizes. More than 70% of business leaders have seen an increase in attacks in the last 12 months compared to the previous year*.

Despite the financial and reputational damage that cyber-attacks can cause, and the growing awareness of cyber-security in the UK, there is still a reluctance to invest in putting appropriate measures in place to combat cyber-threats. Small and medium-sized enterprises (SMBs), in particular, face a number of challenges when justifying expenditure on implementing cyber security measures.

• Direct financial loss and the long-term negative impact on brand reputation are drivers for businesses implementing cyber security
• Many SMBs feel their size and nature of operations means they are not attractive targets for cyber criminals. This underestimation of risk leads to businesses only implementing basic security measures
• Lack of internal knowledge of cyber security and the tools available also contribute to fewer SMBs implementing appropriate security measures
• With SMBs continuing to adopt digital tools that help manage all aspects of their business, their risk to being exposed to cyber security threats grows stronger
• MSP/ MSSPs can provide valuable advice on best practice and security tools to help business invest in effective cyber security.

At Moremicro, we have been observing a growing trend of customers starting to take cyber security more seriously. Their motivations range from needing specific security standards in place to remain competitive and win business, to indirect experience of attackers holding business to ransom for significant amounts of money.

In their Cyber Readiness Report 2024, Hiscox report that:

• Payment diversion fraud was the most common outcome of cyber attacks, affecting 58% of surveyed organisations
• Nearly half of organisations (47%) that had experienced an attack found it difficult to attract new customers. 43% reporting they had lost business as a result
• 35% of UK business leaders avoiding reputational damage as a main reason for having a cyber risk management plan in place.

Unlike direct financial losses, reputational damage and lost business can be harder to quantify and have a potentially damaging and long-lasting consequence on business. As can losing competitive advantage if customers expect a specific level of security measures or credentials to be in place.

As a result senior management in three-quarters (75%) of UK businesses consider cyber security to be a high priority. For larger organisations this figure rises to 98%.

Leading cyber security platform, SentinalOne highlights that cybercriminals find SMBs easier to target due to their lack of security measures. Even with compelling reasons why SMBs need to adopt cybersecurity measures, many experience barriers to investing in the technology required.

Businesses operating on a tight budgets and fewer staff can find it challenging to allocate sufficient resources to manage cyber security. Often a choice must be made between investing in cyber security or other business priorities.

Financial constraints can impact the purchase of cyber security tools and employee education programmes, as well as restrict the ability to invest in dedicated and skilled professionals. Employing a cyber security expert is unlikely to be on the top of the SMB recruitment list, meaning responsibility for cyber security falls onto an already busy team who are focussing on immediate business needs (revenue generation, daily operations).

Quantifying the benefits of implementing cyber security can be challenging for SMBs. Without concrete return on investment figures it can be hard to justify cyber security costs to decision-makers.

However, steps can be taken to quantify the ROI in monetary and reputational terms using approaches including;

• calculating savings made from preventing a breach e.g. avoiding organisational downtime, legal fees and customer compensation
• evaluating the cost of potential fines that a business may incur for not meeting required regulations
• identifying the value of customers who chose the business due to security measures in place
• surveying customers on trust, loyalty and satisfaction levels.

A common perception in SMBs is that their cyber security risk is low. After all, they are relatively insignificant compared to larger companies right? Unfortunately, it’s not quite as simple as that. Thinking your company is too small, or that your data and systems are not valuable enough to be targeted is a common misconception.

Due to fewer security measures being in place, attackers consider smaller organisations easier targets.

At the very least it is essential that businesses of all sizes follow basic elements of cyber security best practice to keep their people and systems safe from threats. In the same way you wouldn’t leave an unattended car unlocked, there are straightforward measures including 2-factor authentication (2FA) and password managers that can provide a basic level of deterrent to criminals.

Aim to be more secure than the next target on the list.

With the complex and ever-changing nature of cyber security, it is not surprising that many SMB leaders have limited understanding of cyber threats and best practices. This in turn leads to businesses being unaware of the potential vulnerabilities in their systems and how exposed they are to an attack.

Choosing the most appropriate solution for a business can also be difficult due to the number of options available on the market. Security tools can be complex and require experience to utilise them effectively. The combination of these factors is enough for SMBs to shelve a cyber security project for the immediate future, if not deter them completely.

By following policies and best practices everyone in an organisation plays a crucial role in maintaining cyber security. However, it is the responsibility of senior management to ensure proper cyber security measures are in place.

As with other specialist business functions (marketing, HR, accounts) businesses have the option to work with an external specialist in cyber security.

Here are some key services that an Moremicro can provide:

1. Guidance on Cyber Essentials accreditation
Guide you through the process of gaining Cyber Essentials accreditation, which helps protect your business from common cyber attacks.

2.Robust cloud security measures
Implement comprehensive cloud security measures, including advanced threat detection, secure access management, and data encryption, to ensure your operations remain resilient against evolving cyber threats.

3.Regular security protocol assessments
Regularly assess and update security protocols to identify vulnerabilities and ensure compliance with the latest industry standards.

4.Employee education
Provide a regular program of cyber awareness training to empower employees with the knowledge required to be the first line of defence against attacks.

5.Expert advice
Act as your business’ trusted security advisor to help plug knowledge and resource gaps in a manageable way.

These services can help your company maintain a strong defence against cyber threats, ensuring your people, data and reputation are protected.

If you have any specific concerns or need further details, feel free to ask!