You may have thought that the success of a business’s efforts to prevent an attack by cybercriminals would be defined by how much it spends on its technical defences. Surely, ploughing more money into the latest hardware or software will create an impenetrable fortress? Not necessarily. Like so many other business issues, cyber security is primarily a ‘people problem’. It used to be the case that only the largest organisations were worthy of hackers’ attention, whether for a large ransom, or in protest or hacktivism, like you see with the Anonymous group. More recently, though, the prevalence of attacks against even small organisations is rising. Government statistics show that in 2022 39 per cent of small businesses reported a cyber breach or attack. It is simply a numbers game: it is easier for a criminal to crack the weak passwords of 100 small businesses and take £10,000 from each, than it is for them to hack into one major organisation to steal £1m. Until staff at every level of both small and mediumsized businesses (SMEs) and larger organisations understand the risk of an attack and their role in preventing one, a company remains vulnerable. For example, sharing passwords, repeatedly using the same, weak password, or not installing the latest software updates are the digital equivalent of leaving the front door unlocked. No amount of spending on technical solutions can compensate for that. Therefore, it is essential that SME leaders create and maintain an organisational culture where cybersecurity is an absolute priority, and secure behaviours become second nature. THE COST OF INACTION Changing culture can seem a tough challenge at any time. Add it to a to-do list that already includes overcoming sky-rocketing energy costs, labour shortages and supply chain challenges, and it may seem like one task too many. But the financial and reputational impact of postponing could be substantial. An attack could mean temporarily or permanently losing access to files, website disruption, or theft of money or assets. And, if a business is responsible for the loss of customer data, it could be liable for substantial financial damages. Whatever the impact, in the aftermath of a breach, business leaders will have to make the cultural and behavioural changes that were necessary in the first place, so there really is no benefit, and plenty of risk, in putting it off. A POSITIVE CULTURE There are practical steps to get teams on board, regardless of a business’s sector or specialism. In a positive security culture, all employees understand why cybersecurity measures are in place, have the knowledge, skills, and motivation to implement them, and understand what the likely risks are. 52 | It is essential that SME leaders create and maintain an organisational culture where cybersecurity is an absolute priority and secure behaviours become second nature for everyone. ‘‘ ’’
RkJQdWJsaXNoZXIy NTI5NzM=