Possibly the most disturbing feature to emerge from the Federation of Small Businesses' (FSB) new cyber security report is that making computer systems secure can be a complex and time consuming process that a lot of small firms can't manage.
Cyber Security and Fraud: the impact on small business, makes it clear that too many companies are falling foul of online crime, with about three in 10 of its 2,667 survey respondents suffering from attacks over the past year, and the average annual cost coming in a just below £4,000.
Article continues below
But there's an acknowledgement that despite a growing awareness of the threats, small firms are not always taking preventative action if it's a complex process.
It says this is particularly the case in meeting the Payment Cards Industry Data Security Standard (PCI-DSS), which has been criticised for being too expensive or demanding too much time to fulfill. It also says that other security standards such as ISO/IEC 27001 and PAS 555 can be inappropriate for many companies.
There's further evidence in the report's details of the steps companies are taking to fight crime. More than half regularly update their anti-virus software, and over 40% have a firewall and/or spam filtering software - all the straightforward stuff that takes little or no effort.
The percentages decline, however, as the time and costs increase. Only 36% have backup and data recovery routines, 35% regularly install security patches, and the figures fall to below 10% for processes such as compiling an asset inventory, introducing security markings on company property and writing a formal information security plan.
Mike Cherry, National Policy Chairman of the FSB, confirmed to TRPro at the report's launch event that it is a significant issue.
"Inevitably it's a burden in terms of costs and time, and comes back to the limited resources small businesses have when dealing when dealing with any threat," he said. "Hopefully they can make sure that it's proportionate and effective."
There isn't an easy solution, but he said it would help if small firms have a better idea of how others have been affected and are encouraged to share what they know about protecting themselves.
"Where organisations like the FSB have a clear role to play is in helping to make sure that small business owners don't feel so isolated and do get the support of their peers," he said.
The FSB is playing its part; publishing the report is one measure, it's on the National Cyber Crime Reduction Board and is pressing for a more coordinated approach by groups such as the National Fraud Authority and the Department for Business, Innovation and Skills.
But it makes it clear that businesses have to help themselves, and holds up its 10 tips for online security as a necessity.
These are all common sense measures, but some of them – training staff in security practices, regular security testing on the company website, checking the credentials of cloud service providers – take time and possibly money. Hopefully the fact that it has published these will make more small firms ready to do what's needed.