Resist optimism bias over cyber security

Russell Haworth, CEO Nominet, on why cyber security should be taken seriously by small businesses 

How good a driver are you? Above average? Around 80% of us would say we were – but how can that be true? It can’t; 80% of us suffer from optimism bias, a tendency to expect better than average outcomes from our actions. It may be a positive way to approach the world, but when this rose-tinted thinking is applied to cyber security things can get nasty. 
Cyber attacks are becoming more prevalent and more damaging, and the ‘it won’t happen to me’ mentality doesn’t wash any more. For those running a business, complacency around cyber security is misplaced and foolhardy. The government’s most recent Cyber Security Breaches Survey reported that 43% of UK businesses identified a breach in the past year, yet only 67% spent money on cyber security measures. 

Even more worrying are the figures around small businesses, where optimism bias and limited resources combine to push cyber security further down the list of priorities. Two in five small businesses identified a breach in the previous year, and almost a fifth of these found it took them at least one business day to recover. If you work on tight profit margins, a day or two of lost trading could be devastating, especially when you factor in the threat of GDPR fines and the drop in customer trust that follows a breach or attack. 
Frankly, the survival of small businesses matters to us all. The UK can’t afford to lose the vibrant SME market that accounts for 99.9% of all organisations in the country. At Nominet, we have a responsibility to some of these businesses as we help them thrive online by acting as registry of the .UK domain. We help SME owners to recognise the risks that cyber crime presents via our blog and sister website The UK Domain. 

For some, recognising the risks is the easy step – the next concern is how to find the time and money to invest in improving cyber resilience with limited budgets. This may involve a careful look at the accounts and a discussion on how to make cyber security the priority it needs to be, as being cyber resilient is key to survival. 

Some SME owners may have limited experience of cyber security and find it hard to know where to start from a practical point of view. This shouldn’t inhibit action; basic protections are easy to implement and can prove effective, such as good password or stronger ‘passphrase’ management, backing up sensitive data and applying patches to old software. It is also important to review all areas of a business to better identify the potential weak points, such as third parties in the supply chain. Awareness of these risks is a first step in reducing them.

Small businesses are just that – small. Involving everyone in cyber security becomes easier when there are fewer people involved, so SMEs can capitalise on that. Staff prove to be a common ‘way in’ for cyber criminals skilled in the art of manipulation, so training sessions are crucial to make everyone aware of how to stay secure.

Cyber security works best when it is practised constantly and reviewed regularly. Planning for the worst-case scenario is important, but so is testing contingency systems and circulating advice for all staff in the case of an emergency. Cyber threats evolve constantly too, so keeping up to date with the latest scams and known threats is an easy way to boost protections and remind staff to be vigilant.

None of us are alone in this journey towards cyber resilience; the measures I’ve mentioned are all actions that Nominet takes to protect our business and keep the optimism bias at bay. We have skilled cyber security experts to guide us, but a small business that lacks internal expertise should get some help. There are some great online resources, from the BITC’s ‘Are you Cyber ready?’ and the Government cyber security guide tailored to small businesses, to The UK Domain’s ‘Keeping your business safe online’ guide.