By Joseph Carson, Chief Security Scientist & Advisory CISO, Delinea
One common misconception across industries is that cybercriminals only go after the big fish. In reality, organisations of any size are exposed to sophisticated attacks, which are launched against millions of individuals and businesses every day to steal or extort valuable assets. In fact, 61% of small and medium-sized enterprises (SMEs) experienced at least one cyber attack last year.
Even if a data breach or ransomware attack causes no direct financial loss, it can still halt operations, corrupt or destroy data, and damage the business's reputation. Downtime is costly for any business, and more so for SMEs that are still working to establish a sustainable brand in their markets.
The looming recession already has most small businesses on a strict financial leash. Organisations are heading into a challenging winter, with economic headwinds likely to strengthen in the final quarter of 2022. In these circumstances, a cyberattack could have crippling consequences for a small business.
Moreover, SMEs make up 99.9% of businesses in the UK, so a threat to them is inevitably a threat to the national economy. It is high time we engaged in more meaningful discussion about the cyber security prospects of small and medium-sized businesses.
Why aren’t SMEs thinking proactively?
One of the key issues today is that small business leaders often misunderstand their critical security requirements. For such businesses, cyber security is often an afterthought, or a by-product of wider initiatives such as securing investment and complying with regulations like the GDPR.
This is mostly driven by a lack of security knowledge at the leadership level. Leaders tend to see security as a way to mitigate potential losses rather than as a practice that stops threats from materialising in the first place. They are more receptive to security guidance when a threat is framed as a financial risk rather than an IT risk. This is largely why SMEs take reactive measures rather than a proactive stance on cyber security.
The same picture emerges from the latest Cyber Security Breaches Survey (CSBS), which suggests that SMEs are driven largely by GDPR compliance rather than by a desire for robust security practices: they would rather do the bare minimum than go the extra mile. Moreover, fewer than half of such businesses are aware of Cyber Essentials.
Government and central agencies also bear part of the blame for this lack of proactive security among small businesses. With few new or updated regulations, such businesses often feel no immediate need to prioritise cyber security the way they did when GDPR became law.
However, a change in mindset is spreading across industries as governments realise the importance of proactive guidance. For instance, the Scottish government has recently allocated grants to educate small businesses and public service agencies about Cyber Essentials, an initiative to make them better prepared for sophisticated attacks. Grants like these are an essential step towards encouraging smaller organisations, which would not always have the budget, to strengthen security awareness and business resilience against ever-increasing cyber threats.
Setting up proactive defences within a limited budget for SMEs
More often than not, smaller businesses are on a tight budget, which puts the best security solutions out of reach. Budget constraints are a routine problem for leaders, and cyber security products are rarely cheap. There are, however, steps small businesses can take to ensure their security posture is optimised and prepared for sophisticated threats.
One of the first steps for any business should be to protect its privileged accounts. Over 80% of SMEs today have some form of digital presence. Whether an organisation has five employee accounts or five hundred, every one of them is a potential access point for an attacker, and many identities carry privileged entitlements to systems, resources and applications that they need to do their jobs. That is why every privileged account should be protected through Privileged Access Management (PAM).
PAM tools can detect anomalies in privileged account behaviour in real time and suspend the account's access until the unusual event has been investigated and resolved. SMEs that outsource their IT operations to managed service providers (MSPs) should regularly ask how their privileged accounts are being managed and monitor this themselves, since the MSP's own administrative credentials are a privileged path into the business.
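The "detect a deviation, then suspend until someone has looked" behaviour described above, as an added illustration that is not Delinea's or any other vendor's product code. It builds a per-account baseline (source addresses, targets and hours of day) from constructed sample session history, blocks an account when a new session departs from that baseline on two or more attributes, and keeps it blocked until an explicit reinstatement. The account names, hosts and addresses are hypothetical.

```python
"""Added example (not from the original article or any PAM product): rule-based
anomaly detection over privileged-session events with suspend-until-reviewed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SessionEvent:
    account: str
    source_ip: str
    target: str
    started: datetime  # UTC


def make_event(account, source_ip, target, when):
    """Build an event from an ISO-8601 timestamp, as found in most audit logs."""
    return SessionEvent(account, source_ip, target, datetime.fromisoformat(when))


# Constructed sample history (hypothetical hosts and addresses): what "normal" looked like last month.
HISTORY = [
    make_event("jsmith-admin", "10.0.1.20", "fileserver", "2022-09-05T09:10:00"),
    make_event("jsmith-admin", "10.0.1.20", "hr-db", "2022-09-06T14:30:00"),
    make_event("jsmith-admin", "10.0.1.21", "fileserver", "2022-09-07T11:05:00"),
    # The backup service account legitimately runs at 01:00, so night-time alone is normal for it.
    make_event("svc-backup", "10.0.0.5", "fileserver", "2022-09-05T01:00:00"),
    make_event("svc-backup", "10.0.0.5", "fileserver", "2022-09-06T01:00:00"),
]


def build_baseline(events):
    """Per-account sets of source addresses, targets and hours of day seen before."""
    baseline = defaultdict(lambda: {"sources": set(), "targets": set(), "hours": set()})
    for e in events:
        b = baseline[e.account]
        b["sources"].add(e.source_ip)
        b["targets"].add(e.target)
        b["hours"].add(e.started.hour)
    return dict(baseline)


def deviations(event, baseline):
    """Reasons the event differs from the account's own baseline (empty list = looks normal)."""
    b = baseline.get(event.account)
    if b is None:
        return ["privileged account never seen before"]
    reasons = []
    if event.source_ip not in b["sources"]:
        reasons.append(f"new source address {event.source_ip}")
    if event.target not in b["targets"]:
        reasons.append(f"new target {event.target}")
    if event.started.hour not in b["hours"]:
        reasons.append(f"unusual hour {event.started.hour:02d}:00")
    return reasons


class PrivilegeGate:
    """Tracks suspended accounts. A real PAM tool would also kill the live session and raise a ticket."""

    def __init__(self, baseline, min_deviations=2):
        self.baseline = baseline
        # One odd attribute is often benign (new laptop, a late evening); two together warrant a pause.
        self.min_deviations = min_deviations
        self.suspended = set()

    def authorise(self, event):
        """Return (allowed, reasons). A suspended account stays blocked, even for
        normal-looking sessions, until reinstate() is called after review."""
        if event.account in self.suspended:
            return False, ["account suspended pending investigation"]
        reasons = deviations(event, self.baseline)
        unknown = event.account not in self.baseline
        if unknown or len(reasons) >= self.min_deviations:
            self.suspended.add(event.account)
            return False, reasons
        return True, reasons

    def reinstate(self, account):
        """Called by the investigator once the event is explained or the account is re-secured."""
        self.suspended.discard(account)


if __name__ == "__main__":
    gate = PrivilegeGate(build_baseline(HISTORY))
    print(gate.authorise(make_event("jsmith-admin", "10.0.1.21", "hr-db", "2022-10-03T09:45:00")))
    print(gate.authorise(make_event("svc-backup", "203.0.113.7", "domain-controller", "2022-10-03T14:00:00")))
```

The two-deviation threshold is the tunable part: a single new attribute produces a logged reason but no block, while a service account suddenly reaching a domain controller from an unknown external address in the middle of the afternoon trips all three checks at once. The important property is the one-way door: once suspended, the account does not quietly come back when the next session happens to look normal.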
It also goes without saying that employee awareness training should be prioritised and scheduled regularly. Training staff to spot scam emails and phishing campaigns, to use multi-factor authentication (MFA), and to choose strong, unique passwords (changing them when a compromise is suspected rather than on a fixed schedule, in line with current NCSC guidance) are quick and inexpensive ways to reduce risk.
Organisations should also know their typical inbound traffic profile, so that they can recognise when it changes and act quickly when under attack. Distributed Denial-of-Service (DDoS) attacks flood the business's IP addresses with huge volumes of traffic, slowing the site down and denying legitimate visitors access; without a baseline, the early stages of such an attack are hard to tell apart from a busy day.
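A concrete form of "know your profile so you notice when it changes", as an added example that is not part of the original article: it derives a per-minute request baseline from a quiet period and flags minutes whose volume departs from it. The request counts are constructed sample data; in practice they would come from web server logs, load-balancer metrics or a flow collector.

```python
"""Added example (not from the original article): a robust request-rate baseline
and the check that flags minutes exceeding it."""
from statistics import median

# Constructed sample: inbound requests per minute over a normal half hour.
BASELINE_WINDOW = [118, 124, 131, 109, 115, 127, 120, 112, 133, 119, 126, 114,
                   121, 129, 117, 123, 110, 128, 116, 122, 130, 113, 125, 119,
                   127, 111, 120, 124, 118, 132]


def robust_baseline(counts):
    """Median and median absolute deviation (MAD). Both resist the odd busy minute
    in the training window, which would inflate a mean/standard-deviation threshold."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, mad


def threshold(med, mad, k=6.0, floor=50):
    """Alert above median + k*MAD, but never tighter than `floor` requests above the
    median: on a quiet site MAD can be close to zero and a single lively minute
    would otherwise trip the alarm."""
    return med + max(k * mad, floor)


def flag_minutes(live_counts, baseline_counts, k=6.0, floor=50):
    """Indices of minutes in `live_counts` that exceed the baseline threshold."""
    med, mad = robust_baseline(baseline_counts)
    limit = threshold(med, mad, k, floor)
    return [i for i, c in enumerate(live_counts) if c > limit]


if __name__ == "__main__":
    # Constructed live window: ordinary traffic, then a volumetric spike.
    live = [122, 119, 870, 2400, 2100, 125]
    print("baseline (median, MAD):", robust_baseline(BASELINE_WINDOW))
    print("alert threshold:", threshold(*robust_baseline(BASELINE_WINDOW)))
    print("anomalous minutes:", flag_minutes(live, BASELINE_WINDOW))
```

Two caveats a practitioner would add. First, one baseline is rarely enough: a Monday 09:00 profile is not a Sunday 03:00 profile, so real deployments keep a baseline per hour of day and day of week. Second, a raw request count only catches volumetric floods; an application-layer attack that hammers one expensive endpoint from a handful of sources needs the same comparison done per path or per source address.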
There is no need to chase every leading-edge technology, but businesses must at least keep their software up to date. Applying updates promptly closes known vulnerabilities before threat actors can exploit them.
Moreover, remote working and bring-your-own-device (BYOD) arrangements are increasingly common. Encrypting remote devices and enforcing a restrictive BYOD policy will limit the risk of a breach.
Finally, SMEs should make data backups a core part of their working practice, as they are one of the best-value insurance policies available. Should you fall victim to an attack in which data is stolen, deleted or held to ransom, tested backups kept where the attacker cannot reach them let you restore operations without paying; combined with your logs, they also help you establish what was affected and plan an informed recovery.
In conclusion, by adopting these proactive risk management practices, SMEs and startups can make the most of digital opportunity in a secure and responsible way.