How important is cybersecurity when trying to grow a business?

One of the biggest challenges facing SMEs is growth. However, in an increasingly digital world, more and more SMEs are finding themselves under cyber threat. So, just how important is cybersecurity when trying to grow a business? Business Leader investigates.

How often are SMEs targeted by cyber attacks?

Cyber attacks are unlikely to be of concern to businesses who operate exclusively via non-digital means, but with global spending on digital transformation being expected to reach $1.8 trillion by the end of 2022, there are many businesses who will need to be wary of cyber risks. But just how wary should they be?

James McDowell, COO of BlueVoyant UK, provides an overview of how regularly SMEs and scaling businesses are targeted by cyber attacks.

He comments: “It has been widely reported that cyber attacks against SMEs have grown exponentially. According to the Hiscox Cyber Readiness Report 2022, businesses with annual revenues between $100,000 (£79,468) and $500,000 (£397,340) can now expect as many cyber attacks as those earning between $1m (£794k) and $9m (£7.1m).”

So, why are cyber criminals taking aim at smaller companies too?

“The reasons for this are largely unsurprising,” says James. “Small and scaling businesses are challenged on where they need to focus both time and investment. With revenue generation and increasing market awareness understandably the priority, other agenda items such as cybersecurity tend to be pushed further down the agenda.

“However, for this very reason, threat actors view SMEs as an easier target because they may not have the necessary IT infrastructure or internal knowledge, resources and capabilities to manage a robust cyber hygiene programme.

“Furthermore, as larger corporations invest more time and energy into defending their own digital assets, hackers will target smaller, less security conscious, businesses within the supply chain. Instead of trying to breach larger organisations directly, hackers will use smaller businesses as a steppingstone into larger companies, which would take more time-resource. This is one of the reasons that supply chain cyber risk will most likely appear in the top five priorities for enterprise-level CISOs this year.”

According to Statista, the average cost for a cyber security breach in the UK in 2021 was £2,670 across all businesses, although this figure increased as businesses became larger. Whether this figure feels particularly costly will depend on what revenues your business is generating.

However, a recent survey by Infoblox found that the majority of UK businesses experience up to five cyber security incidents a year. A recent government survey also found that a third of businesses suffer weekly cyber attacks, so it’s important to bear in mind that the risk of being hit by frequent attacks means costs could quickly add up.

Should business growth be sacrificed for cyber protection?

With SMEs being increasingly targeted by cyber criminals, growing businesses who do not invest at least some time and expense into a cyber protection policy are playing a risky game. Of course, with the limited resources on offer to SMEs, many will be wondering if cyber protection should take precedence over growth and if so, to what extent.

However, John Brannon, Infrastructure and InfoSec Director at Huboo, says that companies don’t need to break the bank in order to give their business a solid foothold when it comes to cyber protection.

He comments: “The business focus for SMEs tends to be revenue generation and growth, with cyber security investment overlooked. However, you can create a firm foundation in cyber security for your business to grow with a small investment, reducing time and resource requirements further down the line.

“I often get asked how much a company should invest in cyber security; this varies as it depends on its product. If you operate a software-as-a-service (SaaS) product, your investment should be much higher; however, you will have little need for a security operations centre if you are offering physical products.

“Regardless of your company’s size, the most important and inexpensive protection you can put in place is knowledge. Spending time to train your staff on a basic cyber awardees program will massively reduce the risk to your organisation.”

A recent survey by Superscript found that complacent employee attitudes towards cybersecurity are putting UK businesses at risk, further highlighting the value of training your staff.

McDowell also agrees that a good level of cyber protection is relatively affordable.

He comments: “One reason that smaller businesses need to be more focused on cybersecurity than larger organisations is one of resilience. Given the average cost of breach can run into the hundreds of thousands, the impact on a small business is likely to be far greater than that of a larger corporation, and in some cases can be terminal.

“The good news is that implementing basic cybersecurity hygiene programmes, that provide a good level of coverage and assurance, does not necessarily equate to a large investment in either time or money. In the early stages of any business adopting a cybersecurity framework, such as Cyber Essentials, the necessary level of basic cybersecurity protection can be provided for businesses of any size and can be easily implemented and managed.

“It is much easier to build basic cybersecurity programmes when starting a new business than it is to apply these measures retrospectively. Considering how cybersecurity considerations can be overlayed into standard business processes as they are being developed is a much more effective approach than trying to untangle and rebuild workflows that don’t meet basic cybersecurity guidelines and principles.

“How smaller businesses approach cybersecurity programmes, and internal messaging around the implementation of these, is also crucial. Cybersecurity is too often presented as a necessarily reactive evil to protect organisations from suffering a data breach or attack, instead of being approached proactively as a business enabler and growth tool.”

What should businesses prioritise when looking to scale?

With cyber protection for businesses appearing to be available on an affordable basis, companies can start to explore other avenues to help them scale. So, where should scaling businesses start?

“Sales and marketing are often essential scaling vectors for a company, and this is accelerated by training your staff in sales and marketing techniques and in your own product and service,” says Brannon.

“Having sound training systems in place will allow your company to introduce new ways of working with little to no resistance, as training and knowledge assimilation will be at the core of your business’s culture.”

However, McDowell believes in the value of cybersecurity for business growth.

He comments: “Rather than implementing cybersecurity controls ‘because you should’, businesses should be exploring ways in which cybersecurity can add value to their growth and operations.

“Today, customers have a baseline expectation of what cybersecurity should look like in their vendor network and so being able to demonstrate this (through a cybersecurity plan and mission statement or certifications) can support business development and, in some cases, be a pre-requisite to contracting.

“One final point to consider, clearly many new and scaling businesses will be working towards an exit route of some kind or another. In our work with private equity firms, we are being increasingly engaged to provide cybersecurity due diligence audits on target acquisitions. In some cases, where a private equity firm is unable to see evidence of good cyber practices, this can impact the sale value or indeed the deal in its entirety.”