How do small businesses like ours protect themselves from cybercrime?
We have always taken cybersecurity seriously since our company was formed in 2011, a time before the introduction of data protection legislation in 2018. This European-led legislation, through the GDPR (General Data Protection Regulation), was undoubtedly a comprehensive and helpful addition to our awareness of the risks associated with cybercrime.
It certainly seems like cybercrime has become more of a concern for any business, and for one such as ours, which handles what is classified as sensitive health data, there is a need for increased vigilance. Not so long ago, I was embarrassed as the company’s Compliance Manager to almost be fooled by a phishing email. I think they must have used AI to construct it, as poor grammar is usually an indicator of a spam email, but this was written so well and professionally. Experts predict that the rise in the use of AI will exacerbate the issue of cybercrime. I was relaying this recent experience to my father, who then gave me a copy of a recent article on the topic in the Financial Times. I was startled to read that if cybercrime were a legitimate industry, it would be the third largest economy in the world, according to John Fokker, the Head of Threat Intelligence at Trellix, the US cybersecurity giant. He continued, ‘According to industry experts, global cybercrime will cost $10.5bn this year.’
Moreover, Rafal Rohozinski, founder of a global risk and intelligence company, comments, ‘The internet was never built with security in mind […] we spent 20 years making things work together and only belatedly worried about safety. What has exacerbated this is the absence of any kind of responsibility on the part of vendors—the people who build the technologies and devices that work on the internet—to put in place any safety measures. This means that the system has layer upon layer of vulnerabilities ready for exploitation.’
All of this means that taking cybersecurity seriously as a small business presents challenges. We have completed Cyber Essentials Certification, which renews annually, as a key way to manage the threats that present themselves. All our health data is held in a system governed by the highest level of risk management, the ISO 27001 standard. We also use the support of an accredited and regulated IT company specialising in cybersecurity certification.
Sources: Informed by an article by Misha Glenny in The Financial Times Life and Arts, 7th June 2025.