It was obviously tempting to go with Jeremy Hunt’s Autumn Statement this week. I’m writing this on Wednesday: in the morning papers it was being billed as ‘the biggest Budget since Cameron and Osborne’s first outing.’
I suspect, though, that by the time you turn to my blog the simple message ‘we’re all going to pay more tax’ will have sunk in. The Corporation Tax rise will have been confirmed, as will the freezing of several thresholds. Welcome to the world of ‘fiscal drag,’ ladies and gentlemen…
So I’m going to turn to something that – over the next five years – will be even more important than Jeremy Hunt’s speech: something that has the potential to impact every single SME in the UK. And not for the better…
I’ve written about Cybercrime before. It’s a subject I make no apology for returning to – and the simply staggering fact that if Cybercrime were a country it would be the 3rd largest economy in the world, behind only the US and China.
According to one estimate Cybercrime was estimated to have cost companies and organisations $6tn last year. Six trillion dollars.
…And neither is it going to stop there: growth is estimated at 15% a year, meaning that Cybercrime will reach $10.5tn by 2025 – an amount greater than the damage inflicted by natural disasters, and estimated to be bigger than all major illegal drugs combined.
Clearly some of the figures and estimates may not be strictly accurate. After all, we’re not talking about organisations that submit their accounts to HMRC or the IRS. What is undeniable – both analytically and anecdotally – is that the problem is huge. I spoke to a good friend of mine in the banking sector. His reply was stark: “There’s an unbelievable amount of fraud going on, Ed – and most of it simply isn’t being talked about.”
Neither was he discussing big business and Government departments. With the amounts involved Cybercrime can clearly attract some very clever people – and it appears that those clever people are targeting our businesses.
A recent article on the BBC website highlighted this unwelcome development: ‘Cyber-attacks on small firms – the US economy’s Achilles heel?’
Yes, it was talking about fraud in the US but does anyone believe the situation is different to SMEs in the UK? (If you do, I’ve $30m that I need to hide. Just send me your bank details…)
One of the most alarming stats in the article was this: ‘it typically takes 200 days from the moment of hacking until discovery. In many cases, customer complaints are what alert companies to a problem.’
Two hundred days: the damage that can be done in that time – not just to your business but to companies and organisations you deal with – doesn’t bear thinking about. Except we have to think about it, because we’ve spent the best part of our working lives building our businesses.
So what about the UK? According to the BBC article, SMEs are three times more likely to be the target of a cyber-attack than big businesses. That must apply equally to the UK.
According to the FSB there were 5.5m small businesses (with 0 to 49 employees) at the start of 2021. SMEs account for 99.9% of the UK business ‘population,’ employing 16.3m people (roughly 60% of the total) with turnover of £2.3tn, equivalent to 52% of private sector turnover. If small businesses are the lifeblood of the US economy, that’s even more true in the UK.
But that turnover of £2.3tn is less than half the turnover of Cybercrime. And with the economy contracting by 0.2% in the third quarter – and higher taxes on the way – the turnover of the UK’s SMEs is not going to increase by 15% a year for the next five years. Simply put, Cybercrime has a lot more resources than the UK’s SMEs – meaning that the problem is only going to increase.
Can you take out insurance against Cybercrime? Yes, of course you can. But, according to this article, it doesn’t cover potential future lost profits: it doesn’t cover the damage done to your company by losing intellectual property. It doesn’t cover upgrading your systems after an attack – and it most certainly doesn’t cover the sleepless nights, or the pain of regret.
If ever there was an instance where prevention is better than cure, this is it. We all know what we should be doing to protect our businesses against attacks: let’s make 2023 the year when it is at the top of all our to-do lists.
Let me finish this week with one piece of advice. Something I have stressed many times before. The nickname of your football team followed by their league position is NOT an adequate password! It never will be! It is one of the most CARELESS things you can do!
(Memo to self: change all passwords on Jan 31st. Replace Magpies3 with Magpies1…)
