Could failure to respond to the WannaCry attack spell wider trouble for SMEs?

How should SMEs respond to the WannaCry attack?

Last month's WannaCry ransomware cyber-attack was a vivid and shocking reminder of the vulnerability of the IT systems that organisations rely on each day.

Indeed, more than 300,000 computers in 150 countries were affected, with the NHS in particular heavily disrupted by the attack.

Yet despite the scale of the attack and the resulting publicity, it seems many small and medium-sized enterprises (SMEs) aren't doing enough to safeguard their tech infrastructure.

According to a report by accountancy group Smith & Williamson, 45 per cent of SMEs do not have a cyber-security plan in place for their business.

While this clearly means their IT infrastructure is particularly vulnerable to attack, the report warns that the consequences could actually be much more far-reaching.

For instance, Smith & Williamson argued that the extent to which a business has thought about its cyber-security can influence its attractiveness to outside investors.

Fergus Caheny, partner and head of technology at Smith & Williamson, commented: "It shows that they take these things seriously and is a reflection of the culture and values the company has.

"A well thought-out and developed cyber-security plan tends to translate to a business that can identify and react appropriately to the many factors affecting their business."

Smith & Williamson stated that control of its tech estate is vital for any well-managed company and offers a good way for an investor to "ascertain the true nature of the management and the culture within".

Of course, the organisation has acknowledged that early-stage businesses cannot be expected to spend large sums of money on high-tech software and developing a plan.

However, it said owners and managers at SMEs should still be able to demonstrate they have thought about cyber-security and have a plan in case the worst-case scenario comes to pass.

Furthermore, Smith & Williamson said it is reasonable to assume that as a business scales and grows, investment in cyber-security measures grows as well.

GDPR on the way

Another reason why businesses need to stay on top of cyber-security is the incoming General Data Protection Regulation (GDPR).

Set to be implemented in May next year, the GDPR will supersede the existing Data Protection Act and will apply to all businesses that hold personal data across the European Union (EU).

The new rules have been designed to reflect changes in technology over the last 20 years, such as the emergence of social media, and give individuals more control over how their details are used.

Failing to comply with the GDPR could see organisations facing significant fines, while any data breach must be reported to the appropriate authority within 72 hours of a firm becoming aware of it.

Of course, the UK is set to leave the EU, but for now, it remains a member state and therefore subject to European legislation. Additionally, there's every chance that the requirements of the GDPR will stay on the UK's statute books post-Brexit, so businesses need to be ready for this change in the law.

As Fergus Caheny of Smith & Williamson points out, this means that the issue of cyber-security is "not going away".

"A company who does not have a full handle on their tech estate now is in a race against time to ensure they do before next May," he commented.

"Investors need to be confident that a business is prepared. Otherwise, this could jeopardise existing and future investment."

Parliament targeted by cyber-attackers

Last week saw parliament fall victim to a cyber-attack, which compromised up to 90 email accounts.

Officials responded to the attack by disabling remote access to the emails of MPs, peers and their staff, while a parliamentary spokesperson said the incident was a result of "weak passwords" which did not adhere to guidance from the Parliamentary Digital Service.

It's ironic that, with such a big change in the law on data protection on the horizon, the country's lawmakers themselves have been targeted by a cyber-attack.

However, parliament's response demonstrated that it had a strategy in place to deal with such an event.

Nevertheless, the admission that some passwords did not adhere to the recommended guidelines will be a cause for concern for officials at Westminster.

It's a reminder to organisations of all sizes that simply having a policy in place regarding cyber-security isn't always enough.

These measures need to be robustly followed and enforced by every member of staff if they are to prove genuinely effective.

Oz Alashe, chief executive officer of cyber security platform CybSafe, responded to the cyber-attack on parliament by pointing out that three-quarters of known breaches take place "because of people rather than technology".

Speaking to the Independent, he said: "It doesn’t really matter how good systems are if we as people are making it easy for hackers.

"One of the most important things is for organisations to educate people on how they can be safe online.

"I don’t think the threat is getting worse, but attacks are happening more frequently, but that’s partly because so many people are much more connected digitally - there are so many more opportunities for people to be hacked."

If even the UK's main legislature isn't safe from a cyber-attack, then modest SMEs are especially vulnerable unless they take the right precautions, investing in the right technology and ensuring their staff are equipped with the knowledge and skills to fend off potential threats.