Small businesses are the lifeblood of the global economy. They provide all manner of essential services – to individuals, to government, to larger organizations and to each other. For small businesses, when it comes to cybercrime the risks are great. The statistics show that 58% of cybercrime targets small businesses, with the global cost of cybercrime standing at $600 billion in 2018.

These figures may appear surprising, largely due to the fact that most media coverage of cyberattacks focuses on large businesses, which impact high numbers of customers. What many people don’t know, however, is that small businesses are often the easy way into larger enterprises. Attackers will, for example, gain access to the credentials of a small business in the supply chain of a large enterprise as a pathway into the larger company, and the breach will often go unnoticed until after the attack has been carried out.

Whether it is the primary target of an attack or a route into a larger organization, a small business can be crippled by a cyberattack. In the UK, it is estimated that the average direct cost of a breach for a small business is £25,700, while indirect costs, such as reputational damage, could be significantly greater. Recovery from an attack is difficult at best; at worst, it could mean shutting up shop. Ignoring cyber risk is not an option. Prevention is by far the best course of action.

But where to start? There is a huge amount of advice available about what to do, but it is often confusing and sometimes contradictory. The vast majority of small businesses lack the technical knowledge needed to prevent cyberattacks and do not have the financial resources to invest in enterprise-level security. Small business owners may wonder, “Why would anyone want to attack me?” or they may prefer to focus on generating revenue. But the truth is, not only do small businesses hold valuable information themselves but they can also act as a stepping stone into larger organizations that the hackers may ultimately be targeting.

Using the right tools

The GCA Cybersecurity Toolkit for Small Business enables smaller firms to navigate the confusing array of advice free of charge, to help them shore up their cyber defences and reduce their cyber risk.

The toolkit incorporates guidance from some of the world’s leading cybersecurity organizations, including the Center for Internet Security (CIS) Controls, the UK’s National Cyber Security Centre Cyber Essentials, and the Australian Cyber Security Centre’s Mitigation Strategies, in particular on how to:

• conduct inventories of devices and applications to ensure small business owners can more readily act to protect them;

• ensure that security settings of devices are effectively updated in order to identify any issues automatically;

• ensure that accounts are protected by strong passwords and two-factor authentication;

• access a range of tools that can be used to prevent common attacks and ensure devices are backed up in the event an attack does occur;

• protect company brand and ensure emails and websites are not being used fraudulently or for malicious purposes; and

• implement policies and recommendations for training employees to understand how to identify and avoid phishing emails.

Image: Wombat Security, 2018 State of the Phish Report

For example, there are specific toolkits on the following:

Prevent Phishing and Viruses – where tools included seek to help prevent these types of attacks, such as domain name system (DNS) security tools, which help prevent you getting to infected websites, and anti-virus software to help prevent viruses and other malicious software getting into your systems;

Defend Against Ransomware – tools are provided to assist businesses in setting backups for systems and data to ensure smooth recovery from attacks;

Protect Your Brand – this toolbox provides some easy-to-use tools that help protect company email domains from being used to carry out cyberattacks, as well as trademark monitoring tools to give visibility to how your brand might be being misused.

If implemented in full, the measures in the toolkit could have a significant impact on reducing cybercrime. The CIS Controls, for example, can provide effective defence against the most common cyberattacks (comprising some 85% of attacks). Providing small businesses with tools to protect themselves from ever-evolving cyber risks not only strengthens their individual businesses but also supports the health of the entire commercial ecosystem, including governments and larger companies.

The World Economic Forum and the Global Cyber Alliance will continue to work closely together on this initiative and others that can help fight cybercrime on a global scale.

Click here for more information about the toolkit.