Big risks for small businesses who ignore data security

[Image: password through a magnifying glass] Several tech firms encouraged people to change all their online passwords in light of the Heartbleed bug

The recent security scare over the Heartbleed bug should send shivers down the spines of most small businesses.

There you are thinking all your online customer data is safe, thanks to popular open-source encryption software called OpenSSL, and it turns out to be anything but.

This small vulnerability has potentially compromised two-thirds of all websites.

"The main worry is for small e-commerce sites that do not know they have been affected," says Keith Cottenden, director at cybersecurity specialists CY4OR.

"Any business that takes customer details could be vulnerable because this encryption is designed to protect personal data… Businesses need to apply mitigation now."

But finding effective and affordable ways to keep "mission critical" data safe from hackers, fraudsters and natural disasters can be a daunting and difficult task for small firms.

Busted flush

Poor data security can literally ruin your business.

[Image: Bitcoin trader Kolin Burges] MtGox's shutdown prompted anger among bitcoin traders

For example, weak security measures and alleged poor infrastructure brought Japanese Bitcoin exchange MtGox to its knees before it eventually went bust.

The exchange, which was handling about 70% of the world's bitcoin trades at its height, said 850,000 of the digital currency coins were stolen by hackers.

The company was forced to file for bankruptcy in February.

But in March, MtGox then said it had found 200,000 "lost" bitcoins - worth about £70m - in an old digital wallet dating from 2011.

When security is your business, such laxity is obviously disastrous.

The UK's Federation of Small Businesses (FSB) believes unchecked cybercrime is severely stunting the growth potential of its members.

Cybersecurity best practice

  • Implement antivirus, anti-spam, and firewall protections
  • Carry out regular security updates on all software and devices
  • Implement a resilient password policy (minimum eight characters, change regularly)
  • Secure your wireless network
  • Establish a clear security policy for email, internet and mobile devices
  • Train staff in good security practices and consider employee background checks
  • Implement and test back-up plans, information disposal and disaster recovery procedures
  • Carry out regular security risk assessments to identify important information and systems
  • "Stress test" websites regularly
  • Check provider credentials and contracts when using cloud services

Source: Federation of Small Businesses

The risk of fraud and online crime, both real and perceived, is costing each UK small business up to £4,000 per year, the FSB says, while cybercrime as a whole costs the UK economy an estimated £27bn a year.

About a third of FSB members have been victims of online crime over the last year, whether from virus infections, hacking attacks or other system security breaches.

As well as the financial loss and inconvenience, there is the potentially disastrous loss of customer trust.

Crime and complacency

Despite the critical importance of data security, many businesses appear almost oblivious to the risks.

A 2013 survey by security software firm AVG revealed that a large amount of data loss occurs simply due to human error and carelessness.

It seems many businesses are more concerned with tidying their desks or ordering new business cards than backing up data.

A reported 43% of UK and 53% of US small businesses said they spend more time changing passwords than backing up.

And about a quarter of them leave longer than a week between back-ups.

"Too many times an act of carelessness or a security breach has led to information going missing, and in some cases businesses have found themselves in a position where the data is non-recoverable," a Microsoft spokesman told the BBC.

Floods and fires

Natural disasters can pose just as big a risk to small firms as cybercrime.

An estimated 25% of businesses do not reopen following a major disaster, according to the Institute for Business and Home Safety, a not-for-profit organisation.

In 2012, Hurricane Sandy destroyed thousands of small businesses in the US, while many others still felt the effects at least a year after the event.

[Image: Hurricane Sandy damage] Hurricane Sandy wreaked havoc along the East Coast of the US

Rob Cotton, chief executive of Manchester-based NCC Group, a data security firm, told the BBC that adopting good security practices can be difficult for small businesses.

"SMEs that are using their own IT services in-house need to consider the physical security of the equipment, as well as whether the IT is vulnerable to external threats," he says.

"It's also important to consider the risk from your own staff, since many incidents result from rogue employees - the so-called 'insider threat'."

Cloud all hot air?

A common piece of advice is to back up data securely and often, but should this be to locally stored servers or to remote cloud services?

"Cloud providers will generally be more proactive in terms of ensuring software is up-to-date and maintaining patch levels," says Mr Cotton.

"They will also have better security knowledge and awareness, meaning servers and services will generally be well configured. On top of this they are more resilient and most will have robust disaster recovery and continuity plans in place."

Another advantage of the cloud is that thieves won't necessarily know which service your business uses or where it keeps its servers.

But Mr Cotton admits there are certainly risks around adopting cloud services.

[Image: cloud computing] Using cloud services has several advantages but is no guarantee of keeping your data safe

One obvious risk - often overlooked - is that the provider itself may suffer a break in service or a breach of its defences, so it makes sense to interrogate the reputation and reliability of any cloud service provider very closely.

"Putting business-critical information in the hands of a third party demands a degree of trust," said a Microsoft spokesman. "Solid providers will explain their security methodologies and commitment to the business."

That said, a "belt-and-braces" local back-up plan may be a good idea.

Spread your eggs

Small firms need to protect their data against viruses, malware and natural disasters, as well as disgruntled or careless employees.

But how defences against these threats are implemented will depend upon the circumstances and nature of each business, experts say.

In finance, keeping all your eggs in one basket is rarely a wise idea, and the same applies to data. So for maximum security, spreading data around both traditional and non-traditional services seems to be the best policy.

Perhaps most importantly, the FSB stresses the need for education.

If your managers and employees don't appreciate the need to protect data, the whole future of your business could be on the line.
