Small UK businesses face cyber security challenges & solutions
Cyber security has become an increasingly critical issue for businesses within the UK, with the UK Government's Cyber Security Breaches Survey 2023 estimating 2.39 million instances of cybercrime affecting businesses in the past 12 months.
Small businesses, in particular, face significant challenges in navigating the complex landscape of cyber threats.
Rob Rees, Divisional Director at Markel Direct, emphasises the importance of understanding the relevant laws and regulations to mitigate risks effectively.
According to Rees, businesses in the UK must be cognisant of four primary laws and regulations concerning cyber security. Firstly, the Data Protection Act 2018 (DPA) governs the processing of personal data, ensuring its lawful handling and the protection of individuals' privacy rights. Secondly, the UK GDPR and EU GDPR are comprehensive data protection frameworks that govern the processing of personal data, safeguarding the rights and freedoms of individuals within the UK and the European Union. Even after Brexit, businesses catering to EU customers must comply with both frameworks.
The third regulation is the Network and Information Systems (NIS) Regulations 2018, which mandate that operators of essential services and digital service providers secure their network and information systems to lower the risks of cyber threats. Lastly, the Computer Misuse Act 1990 criminalises unauthorised access to computer systems, including unauthorised access with the intent to commit further offences and unauthorised modification of computer material.
Larger businesses often have dedicated teams to assist them in adhering to these regulations, whereas smaller businesses typically do not have the same resources. To aid smaller enterprises in safeguarding against cyber threats, Rob Rees outlines five crucial strategies for cyber security.
First, conducting a risk assessment is essential. Business owners should thoroughly evaluate potential vulnerabilities and threats to their digital assets and data. Markel Direct offers a cyber risk assessment tool that helps businesses identify these potential risks and provides guidance on mitigation.
Secondly, crafting a comprehensive cyber security policy is vital. This policy should include guidelines for employees that cover aspects such as secure password practices, email usage protocols, and phishing detection. The policy must also ensure compliance with wider regulations like GDPR, detailing procedures for data transfer consent, breach notifications, and user data rights. Moreover, it should outline the use of software to protect data and the company's response plan in the event of a cyber-attack.
Investing in employee training is the third essential measure. Given that human error is responsible for approximately 90% of cyber-attacks, staff education on best practices for cyber security is crucial. Training should focus on identifying phishing emails, recognising suspicious behaviour, and following secure data handling procedures.
Fourth, implementing robust cyber security measures is necessary to protect IT infrastructure and data assets from unauthorised access. This may involve deploying firewalls, installing antivirus software, and using encryption tools, among other security technologies.
The fifth strategy is ensuring adequate insurance coverage against cyber-attacks. Not all business insurance policies include protection against cyber threats, so it is important for businesses to review their current policies and consider additional coverage if necessary. Cyber insurance can cover financial costs associated with handling and recovering from cyber-attacks, such as notifying clients of data breaches and restoring compromised data and equipment.
Navigating the cyber security landscape can seem daunting for small business owners. However, understanding and implementing these strategies can significantly mitigate potential threats, helping to keep businesses and their customer data secure.