Cyber Vigilance: Safeguarding Your Business in the Digital Age

Payroll and HR | 02.05.2024

by Rebecca Winther Sørensen Akgül

In recent years, businesses of all sizes have accelerated digitization, adopting tools for accounting, sales, and data collection. This digital push has exposed SMEs to increased cybersecurity vulnerabilities. Experts suggest SMEs may be more vulnerable than larger companies due to lacking internal knowledge and resources, complacency, and susceptibility to urgent requests. With remote work on the rise, cybercriminals exploit vulnerabilities in home Wi-Fi networks and personal devices.  
 
In the face of economic challenges and rising cybercrime, how can SMEs cost-effectively protect themselves, enhance cyber resilience, and ensure staff contribute to keeping customer data secure? 

Rising threat for SMEs 

Small organizations have limited resources for cybersecurity, despite their growing reliance on new technology. A critical factor has been the pandemic, which led to increased use of personal devices for work and digital payment methods, exposing these businesses to various online vulnerabilities. The threat landscape continues to evolve.  

SMEs increasingly recognize the immediate threat of cyberattacks, supported by high-risk indicators in surveys. However, due to challenging economic conditions, cybersecurity may fall down their priority list, which is understandable but risky. Still, investing in cybersecurity is crucial. 

Phishing

Phishing is an online scam in which criminals send you emails that pretend to come from a legitimate source, with the real intent of obtaining sensitive information from you. They may try to get your passwords in order to access your data, or your credit card or bank details in order to steal your money. 

There has always been an upward trend, not only in the number of incidents reported, but also in the cybersecurity controls that organisations are implementing in response. But for the first time, we're seeing that the number of SMEs implementing basic cyber controls has gone down. In the context of the threat, this is really concerning.  

“We need to think about a different way of engaging with the small business community around cyber, we need to understand what support they need. But we also need to understand where we need to take that burden away. What we can do to make this less of a burden for small businesses that are struggling with difficult decisions around investment.” 

  • Emma Green, Deputy Director of Cyber Resilience at Dept. for Science, Innovation and Technology (DSIT). 

Impact of an attack on SMEs 

The primary impact SMEs will feel is disruption to business continuity. This might be that their online services are down, they can't engage with their customers, or that their payment portal prevents them from collecting income. Both short-term and long-term impacts of cyber-attacks are worth researching, to better understand what your business can handle. 

Cyber resilience 

Resilience isn't just about hardening your defences; it's likely that all organisations are going to be hit at some point. So, it's about both raising the bar for the attacker and ensuring that you have the right processes in place to minimise the impact when an attack does occur and to recover quickly. Resilience is about preparing for the worst and having a clear to-do list. 
 
Common mistakes 

“As organisations grow organically, staff and contractors may come and go and be given access to systems, and not necessarily be removed from them. Making sure that you keep that understanding live and up to date is important.” 

  • Emma Green, Deputy Director of Cyber Resilience at Dept. for Science, Innovation and Technology (DSIT). 
 
Making assumptions. Supply chain security is a critical focus due to numerous vulnerabilities. Small business owners should not assume that cybersecurity controls are automatically included in contracts with suppliers. In a competitive market, costs may be prioritized over security unless explicitly specified. 

Not being informed. When outsourcing IT services, it's crucial to be an informed buyer and inquire about security measures, incident response plans, and collaboration in case of an incident. Clarify your critical assets, understand where risks lie, and maintain an updated understanding of your risk posture. 

Not knowing your weaknesses. Spend time understanding what your risks are, and particularly risks to critical business assets. Many SMEs mistake cyber-attacks for just an IT risk, when it's very much a business risk. 

Being complacent. Remember that cyber-security isn't a one-off discussion. It’s a continuous arms-race, and it needs to be an ongoing topic. Keep your software up to date with the latest versions. 

Thinking it won’t happen to you. Expect an incident to happen and plan for it. It's a matter of when, not if.  

Not making backups. Back up your data and keep accessible copies disconnected from your network, so that they are protected from ransomware threats.  

Ignoring the power of training. Invest in your people, not just your technology. 

“One of the areas SMEs should look at as part of their risk assessment, is understanding what their information assets are, as a starting point. Understand what they are, where they are, how they're secured. And what are the threats to them from internal and external sources, and then determine what the response should be in terms of an investment on the market.” 

  • Paul Kelly, Head of Cyber Services at Azets. 

Reporting

Reporting is important to get a picture of where and how cyber-attacks are taking place. Look for guides that provide a strategic approach to managing cyber risks. SMEs often struggle with the technical aspect of cybersecurity, but many risks involve people and processes. Reporting helps us stay in the arms-race against the attackers, by keeping us informed. 

“I think it's important that staff aren't considered the weakest link, when they're often your first line of defence. Make sure that they're your strongest link by teaching them what a phishing attack looks like, and that they know how to report a phishing email if they see one.” 

  • Emma Green, Deputy Director of Cyber Resilience at Dept. for Science, Innovation and Technology (DSIT). 

Make everybody feel accountable and responsible for cybersecurity as an organisation rather than thinking about it as something that sits with one individual or with your IT provider. If you have staff who are engaged and motivated to report it, then you're in a much better place to respond. 

“It's important to embrace a positive culture towards cybersecurity. Some of the weaknesses we see are that there's a negative culture towards even sharing information. We must encourage, share what good looks like, and take a positive tone.” 

  • Paul Kelly, Head of Cyber Services at Azets. 

If the worst happens 

Identify your business-critical operations as a priority. Your plan should focus on quickly restoring these systems after a cyber-attack to minimize financial impact. First, concentrate on getting essential functions back up and running. Understanding your critical assets and functions from the start is crucial. This ensures that during an incident, you know immediately what to prioritize for reinstatement. Having this clarity before an incident helps alleviate stress in the aftermath, allowing you to address the most critical aspects without hesitation. 
 
Insurance options 

While insurance policies are available, they are becoming challenging to obtain due to high excesses and substantial price increases. Getting insurance has become more difficult as organizations must demonstrate good cyber hygiene measures. Instead, we recommend focusing on resilience, as it is often more cost-effective than pursuing insurance. 

“We have seen cases where businesses have taken months to recover, which can be really damaging to the sustainability of your business. Increasingly, customers who work with you are interested in understanding your security and making sure you're a secure business. If you can’t demonstrate that, you may lose out on business opportunities.” 

  • Paul Kelly, Head of Cyber Services at Azets. 

View cybersecurity as an investment, not just a cost, acknowledging that cyber-attacks are a matter of "when" not "if." Beyond risk reduction, investing in cyber resilience has business benefits, garnering trust from customers, employees, and the supply chain. Identify critical assets and plan actions for a swift recovery. Prioritize staff training and utilize free resources. Cybersecurity is an ongoing effort, evolving with business growth and changing threats. Involve the entire organization to foster a culture of cybersecurity. 
