The top five cybersecurity mistakes SME businesses are making

By Richard Staynings, Chief Security Strategist for Cylera

Cybercrime continues to be a pressing issue, with 32% of UK businesses suffering a cyberattack or breach last winter according to the 2023 Government Cyber Security Breaches survey. Although the report flagged that smaller organisations detected fewer attacks last year compared to previous years, this was attributed to SMEs putting cybersecurity low down their list of priorities, including monitoring for attacks. This is a dangerous mistake to make, especially as earlier this year Vodafone’s own study found that over half (56%) of SMEs had experienced a cyberattack, up from 39% in 2020.

Taken together, these findings highlight how SMEs are challenged in being able to maintain good cyber hygiene. So, what are the top five cybersecurity mistakes SMEs are making and how can these be resolved?

  1. CEOs and Boards are not taking cybersecurity seriously enough

Only 30% of companies have board members explicitly responsible for cybersecurity as part of their job role. Yet without these dedicated experts providing much needed analysis and insight into the strength of their company’s online defence system, any company remains vulnerable to attack. Boards must prioritise the health of their cyber posture to ensure that adequate investment is being made to keep the business protected. A top executive with strong cybersecurity knowledge can educate other board members, raise employee awareness, and establish a business case for what is needed for a robust cyber strategy.

  2. Organisations are too slow to patch vulnerabilities

A popular way for hackers to gain entry into your network is through exploiting known flaws in devices and systems. SMEs need to patch devices and systems as soon as an update is released. Software updates frequently include new features, bug fixes, and performance enhancements. They also tend to include new security features and security fixes, which are crucial to protecting your infrastructure.

In 2020, three out of four cyberattacks used vulnerabilities that were identified in 2017 or earlier and 18% of attacks utilized flaws that were disclosed as far back as 2013, according to the Check Point Cyber Security Report 2021. These vulnerabilities discovered in 2017 maintained a strong presence throughout 2021, highlighting the importance of patching and updating devices.

  3. SMEs assume it won’t happen to them

Like any business large or small, SMEs should adopt a risk-based approach to cybersecurity. It’s no longer a question of ‘will’ my systems be attacked, but one of ‘when’ and ‘how often’. Having a cybersecurity strategy in place is crucial to securing your assets and should include:

  • Online security priorities – describing what must be done immediately and what can be done as a long-term project
  • Password and email policies that all employees must follow
  • Remote access policies including the secure transfer of data
  • Procedures in preparation and response to a cyber incident

  4. Few SMEs hold an NCSC Cyber Essentials certification

The Government’s most recent Cyber Security Breaches survey found that just 6% of businesses had completed the government-backed Cyber Essentials certification scheme, which is a set of critical technical controls that organisations of any size should have in place to provide basic protection against modern day threats. It’s mandatory for companies working within the public sector, reassures customers that you’ve taken steps to protect your business from cyberattacks, and gives a clear picture of your company’s degree of cybersecurity. Furthermore, few businesses realise that those that are certified are eligible for free cyber insurance cover saving up to £25,000.

  5. Lack of investment in training staff to be cyber aware

People are often your weakest link and the best route in for cybercriminals. Indeed, more than 90% of successful cyberattacks start with a phishing email. The significant disruption and loss caused by a cyberattack emphasises how crucial it is for all employees to undergo ongoing cybersecurity training so they can help protect the applications, infrastructure and data of the company. Staff members who receive regular training can spot the signs of a cyberattack, know when one is happening, and know how to minimise any risks. Staff awareness training has one of the highest returns on investment of any cybersecurity measure that companies can put in place.

Training should include:

  • Basic cyber hygiene tips – including enabling multi-factor authentication, using secure passwords that are changed frequently, and avoiding clicking on unidentified links.
  • Awareness – training employees on how to spot a device that isn’t functioning as it should and how to know when to submit it to IT services for examination. This should also involve making sure that staff members are knowledgeable on the dangers such as what a ransomware attack is, what its effects are, how it starts, and how to respond to unexpected emails and avoid phishing emails.
  • Clean up – IT systems and other online-connected devices must be appropriately monitored and maintained in terms of IT hygiene.
  • Incident response plan – in the event of a cyberattack, there should be an action plan in place. Businesses run the risk of losing access to devices, sensitive data, and brand reputation without a comprehensive cybersecurity incident plan and software backup solution. Each employee should understand their position and responsibility within this plan.
  • Crisis simulation training – once your incident response strategy is in place, it is advised to test it using a crisis simulator. Crisis simulators are training exercises where fictitious crisis situations are performed, such as a ransomware attack, to gauge an employee’s ability to strictly follow their incident response plan and successfully handle a crisis.

Cybersecurity is essential for SMEs to protect against potential risks and threats. In today’s digital environment, protecting your company from cyber threats not only helps you avoid significant financial losses and reputational damage, but it can also provide your business with a competitive edge.

Richard Staynings is an internationally renowned expert in the field of healthcare cybersecurity, serves as Chief Security Strategist for Cylera, a pioneer in the space of medical device security and is an Adjunct Professor of cybersecurity and health informatics at the University of Denver. Richard has served on various government committees of Inquiry into some of the largest healthcare breaches and is a regular presenter at healthcare and security conferences across the world.