Are you taking your cyber-security responsibilities seriously?

Historically, IT grew as a responsibility of the finance function, largely because most of the early programmes were focused on providing and processing financial information. While major corporations now see IT as a separate function in its own right with a seat at the Board table, in many SMEs it still reports to the finance director.

Most finance directors are not IT experts. This may be fine for day-to-day operations, where the task is to ensure the systems are appropriate, properly set up and able to adapt as the business develops. The work can be commissioned and periodically reviewed. Cyber security, though, is a very different matter.

Here the threat is ever-present, unpredictable, constantly evolving and does not work to pre-planned timetables. The one thing you cannot do, if IT – and hence cyber security – falls within your remit, is to fit it and forget it. You need to have it on your mind on a very regular basis.

The trouble is, many SMEs simply don’t appreciate that they may genuinely be at risk. According to the February 2018 government publication “Switching the public and small businesses on to cyber security and fraud”,

  • 27% of SMEs believe they are “too small” to be of interest to cyber criminals; yet
  • 46% of UK businesses – which effectively means 46% of SMEs – identified at least one cyber security breach or attack in the last 12 months; and
  • 48% don’t follow advice on updating software and apps.

The most serious risk is to the fundamental integrity of your business. Without adequate planning, a business subject to a cyber attack may not be able to operate at all. While such failures could be catastrophic on their own, the advent of the General Data Protection Regulation in May 2018 means that even a straightforward data loss could result in heavy fines, as well as damage to your reputation among customers and suppliers.

So what should you be doing about it?

The government has published a 10 Steps to Cyber Security guide. It is fairly comprehensive, covering everything from the central risk-management regime to home and mobile working.

A more digestible document, though, is the Cyber Security: Small Business Guide published by the National Cyber Security Centre (part of GCHQ). It describes the actions you should take in five essential areas:

  1. Backing up your data
  2. Protecting your organisation from malware
  3. Keeping your smartphones (and tablets) safe
  4. Using passwords to protect your data
  5. Avoiding phishing attacks.

There’s also a useful action checklist setting out the things you need to do under their policy, technical and training headings.

You can manage this in-house or you can call on specialist consultants to help, but whether you use internal or external expertise, you should begin by asking yourself honestly: am I taking cyber security seriously?


Blog written by Giles Scott
