Big risks for small businesses who ignore data security

Password through a magnifying glass Several tech firms encouraged people to change all their online passwords in light of the Heartbleed bug

The recent security scare over the Heartbleed bug should send shivers down the spines of most small businesses.

Technology of Business

There you are thinking all your online customer data is safe, thanks to popular open-source encryption software called OpenSSL, and it turns out to be anything but.

This small vulnerability has potentially compromised two-thirds of all websites.

"The main worry is for small e-commerce sites that do not know they have been affected," says Keith Cottenden, director at cybersecurity specialists CY4OR.

"Any business that takes customer details could be vulnerable because this encryption is designed to protect personal data… Businesses need to apply mitigation now."

But finding effective and affordable ways to keep "mission critical" data safe from hackers, fraudsters and natural disasters can be a daunting and difficult task for small firms.

Busted flush

Poor data security can literally ruin your business.

Bitcoin trader Kolin Burges MtGox's shutdown prompted anger among bitcoin traders

For example, weak security measures and alleged poor infrastructure brought Japanese Bitcoin exchange MtGox to its knees before it eventually went bust.

The exchange, which was handling about 70% of the world's bitcoin trades at its height, said 850,000 of the digital currency coins were stolen by hackers.

The company was forced to file for bankruptcy in February.

But in March, MtGox then said it had found 200,000 "lost" bitcoins - worth about £70m - in an old digital wallet dating from 2011.

When security is your business, such laxity is obviously disastrous.

The UK's Federation of Small Businesses (FSB) believes unchecked cybercrime is severely stunting the growth potential of its members.

Cybersecurity best practice

Firewall lock on main board, with a concept background
  • Implement antivirus, anti-spam, and firewall protections
  • Carry out regular security updates on all software and devices
  • Implement a resilient password policy (minimum eight characters, change regularly)
  • Secure your wireless network
  • Establish a clear security policy for email, internet and mobile devices
  • Train staff in good security practices and consider employee background checks
  • Implement and test back-up plans, information disposal and disaster recovery procedures
  • Carry out regular security risk assessments to identify important information and systems
  • "Stress test" websites regularly
  • Check provider credentials and contracts when using cloud services

Source: Federation of Small Businesses

The risk of fraud and online crime, both real and perceived, is costing each UK small business up to £4,000 per year, the FSB says, while cybercrime as a whole costs the UK economy an estimated £27bn a year.

About a third of FSB members have been victims of online crime over the last year, whether from virus infections, hacking attacks or other system security breaches.

As well as the financial loss and inconvenience, there is the potentially disastrous loss of customer trust.

Crime and complacency

Despite the critical importance of data security, many businesses appear almost oblivious to the risks.

A 2013 survey by security software firm AVG revealed that a large amount of data loss occurs simply due to human error and carelessness.

It seems many businesses are more concerned with tidying their desks or ordering new business cards than backing up data.

A reported 43% of UK and 53% of US small businesses said they spend more time changing passwords than backing up.

And about a quarter of them leave longer than a week between back-ups.

"Too many times an act of carelessness or a security breach has led to information going missing, and in some cases businesses have found themselves in a position where the data is non-recoverable," a Microsoft spokesman told the BBC.

Floods and fires

Natural disasters can pose just as big a risk to small firms as cybercrime.

An estimated 25% of businesses do not reopen following a major disaster, according to the Institute for Business and Home Safety, a not-for-profit organisation.

In 2012, Hurricane Sandy destroyed thousands of small businesses in the US, while many others still felt the effects at least a year after the event.

Hurricane Sandy damage Hurricane Sandy wreaked havoc along the East Coast of the US

Rob Cotton, chief executive of Manchester-based NCC Group, a data security firm, told the BBC that adapting good security practices can be difficult for small businesses.

"SMEs that are using their own IT services in-house need to consider the physical security of the equipment, as well as whether the IT is vulnerable to external threats," he says.

"It's also important to consider the risk from your own staff, since many incidents result from rogue employees - the so-called 'insider threat'."

Cloud all hot air?

Start Quote

Putting business-critical information in the hands of a third party demands a degree of trust”

End Quote Microsoft spokeman

A common piece of advice is to back up data securely and often, but should this be to locally stored servers or to remote cloud services?

"Cloud providers will generally be more proactive in terms of ensuring software is up-to-date and maintaining patch levels," says Mr Cotton.

"They will also have better security knowledge and awareness, meaning servers and services will generally be well configured. On top of this they are more resilient and most will have robust disaster recovery and continuity plans in place."

Another advantage of the cloud is that thieves won't necessarily know which service your business uses or where it keeps its servers.

But Mr Cotton admits there are certainly risks around adopting cloud services.

Cloud computing Using cloud services has several advantages but is no guarantee of keeping your data safe

One obvious one - often overlooked - is that the provider itself suffers a break in service or a breach of its defences, so it makes sense to interrogate the reputation and reliability of any cloud service provider very closely.

"Putting business-critical information in the hands of a third party demands a degree of trust," said a Microsoft spokesman. "Solid providers will explain their security methodologies and commitment to the business."

That said, a "belt-and-braces" local back-up plan may be a good idea.

Spread your eggs

Small firms need to protect their data against viruses, malware and natural disasters, as well as disgruntled or careless employees.

But how defences against these threats are implemented will depend upon the circumstances and nature of each business, experts say.

In finance, keeping all your eggs in one basket is rarely a wise idea, and the same applies to data. So for maximum security, spreading data around both traditional and non-traditional services seems to be the best policy.

Perhaps most importantly, the FSB stresses the need for education.

If your managers and employees don't appreciate the need to protect data, the whole future of your business could be on the line.

More on This Story

The BBC is not responsible for the content of external Internet sites

More Business stories


BBC Business Live

    09:58: CITY POWERS BBC Radio 4

    Jim O'Neill, the former Goldman Sachs man who invented the acronym BRICS, to describe the group of emerging markets has turned his attention to the devolution of government powers to the the UK's regions and cities. He tells Today cities should be able to spend much more of the local taxes they collect with a system of centrally available grants to help top up funds. His report also has the backing of the Chancellor. Mr O'Neill says he would be very surprised if at least some of his recommendations are not adopted in the Autumn Statement.

    The Bank of England

    No changes in the vote in October. The Monetary Policy Committee stuck in the same position for the third month in a row voting 7 to 2 to hold interest rates at 0.5%.

    09:18: TESLA SALE

    Mercedes-owner Daimler says it will make $780m (£485m) from selling a 4% stake it owns in electric car maker Tesla. A cooperation agreement to supply Mercedes-Benz cars with Tesla battery technology remains unaffected by the sale, Daimler chief executive Dieter Zetsche said.

    09:01: MARKET UPDATE

    It's a bit of a mixed bag on the markets this morning. The FTSE 100 is down a touch (0.15%) at 6362.69. But Germany's Dax is up 0.50% at 8930.37 and France's Cac-40 is up 0.13% at 4086.47. The biggest faller on the FTSE 100 is BAT down nearly 4% to 3334.5p on those declining cigarette sales volumes.

    Home Retail share graph

    ...and consequently so has its share price. The group is down 4.3% to 168p on the news of those Homebase store closures. Share slumped 6% at the open so have recovered slightly, 40 minutes into the trading day.

    TESCO WOES Via Blog Kamal Ahmed BBC Business editor

    "Tomorrow, Tesco will reveal its latest results. Sales and profits are likely to be down again," BBC Business Editor Kamal Ahmed writes in his latest blog. "Many believe that Tesco should move away from vouchers and one-off price promotions and win back customers with lower prices across all its ranges."

    A Homebase store in Stanford near Lincolnshire.

    Despite talking up the prospects for its full year profits, Home Retail is closing 25% of its 323 Homebase stores over the next four years. That's as it lets leases expire on some properties. Homebase managing director Paul Loft is also stepping down, although he will continue on in his role until a successor is found.


    Homebase and Argos owner Home Retail Group has reported a 5% fall in half-year pre-tax profit to £13.5m. But like-for-like sales were up 2.9% at Argos, and 4.1% at Homebase. Chief executive, John Walden said the group expects to meet City expectations for its full year profit. But he added: "as always, the full-year outcome will depend upon the important Argos Christmas trading period".

    Cigarettes in their package

    Cigarette-pedlar BAT has said revenue for the nine months to the end of September grew by 2.4%. "Industry volume has declined at a lower rate than last year, but is being impacted by large excise-driven price increases," it said.

    SUPERGROUP Via Twitter James Quinn Executive Business Editor, Telegraph

    tweets: "Strong comeback from Sutherland who fell victim to all he tried to achieve at the Co-op Group, and can be credited with rescuing Co-op Bank."

    07:29: SUPERGROUP
    SuperGroup chief executive, Euan Sutherland,

    Former Co-op Group chief executive Euan Sutherland is back having been announced as chief executive of SuperGroup this morning with immediate effect. He was previously CEO of Kingfisher UK, which operates B&Q, Screwfix and TradePoint.

    07:21: GERMAN GROWTH BBC Radio 4

    Germany has very low unemployment, Dr Stephanie Hare, senior analyst for western Europe at Oxford Analytica tells Today. "Making more jobs for Germany isn't the issue here," she says. "We need stimulus and investment in countries that are going to help boost the future of Germany's trading partners in the eurozone. So we can either increase demand in Germany, or Germany could be part of a wider European solution to increase stimulus in its eurozone trading partners." She points out Germany has benefitted from other countries investing and stimulating its economy once or twice in the past century.

    07:11: EUROTUNNEL

    Eurostar results yesterday, Eurotunnel results today. Revenues for the third quarter of 2014 increased 7% to €343.9m (£271.5m).

    06:57: UK BORROWING Radio 5 live

    "The main reason tax receipts aren't as high as you'd like is the increase in personal tax allowance," says Alan Clarke, UK and eurozone economist at Scotiabank on Wake Up to Money. He's talking about yesterday's disappointing figures. There are more people in work, though, which means less spending on benefits, he says. Low-paid jobs mean that doesn't help as much as you may think, points out presenter Mickey Clark.

    06:47: GERMAN GROWTH BBC Radio 4

    Christian Schultz, senior economist at Berenberg Bank, tells the Today programme Germany needs to work on its infrastructure, but even if it started to work on inward investment now the effects would not be felt for several years. This as more political pressure builds on Germany to act to avert another eurozone crisis. But German inward investment doesn't solve the problem, he says. "How does Germany fixing some bridges make French and Italian entrepreneurs invest more?"

    06:34: STORM POWER

    The UK's wind farms generated more power than its nuclear power stations on Tuesday, the National Grid says. The energy network operator said it was caused by a combination of high winds and faults in nuclear plants. Wind made up 14.2% of all generation and nuclear offered 13.2%. As BBC environment analyst Roger Harrabin reports, for a 24-hour period yesterday, spinning blades produced more energy than splitting atoms.

    06:24: CITY POWERS Radio 5 live

    On things like transport and education, local government can make better decisions, says Alexandra Jones, chief executive of the Centre for Cities, which does independent research and policy analysis on UK city economies on 5 live. "Whatever you're doing in a city, you have to balance the books, though, she says. Competitiveness on tax becomes a "race to the bottom" she adds.

    06:13: CITY POWERS Radio 5 live

    "I think there's real momentum... this is the biggest opportunity in decades to transport the relationship with local government," says Mr Wakefield on 5 live. The debate for Scottish independence shows there are a lot of people interested in local powers, he adds.

    06:04: CITY POWERS Radio 5 live

    Allowing UK cities to make their own decisions on tax and spending could boost economic growth by £79bn a year by 2030, a year-long study has concluded. "More people want local powers in Leeds," says Councillor Keith Wakefield, leader of Leeds City Council on Radio 5 live. He thinks councils can target some spending more efficiently.

    06:01: Howard Mustoe Business reporter

    Good morning! Get in touch via email at or on twitter @BBCBusiness

    06:00: Matthew West Business reporter

    Morning all. We have the latest minutes from the Bank of England's September Monetary Policy Committee meeting at 09:30; Argos and Homebase owner Home Retail Group publishes interim results before that and there are trading updates from GlaxoSmithKline, British American Tobacco and Everything Everywhere. We'll bring you it all as it happens.



From BBC Capital


  • St John's, CanadaThe Travel Show Watch

    It’s a ships’ symphony – listen to these freighters in Canada play music with their horns

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.