Cybersecurity – no small issue: top cyber tips for small- and medium-sized businesses

Chris Harris, EMEA Technical Associate Vice President, Data Security at Thales, gives his top tips on how SMEs can approach their cybersecurity.

Contrary to popular opinion, cybersecurity is not reserved for big corporations alone. Small businesses must recognise that security by obscurity is a myth in an era of automated cyberattacks that target anyone and everyone. Breaches are therefore a very real threat for SMEs, and one with huge consequences for smaller organisations that won’t be able to recover as easily.

SMEs arguably face a higher risk by virtue of often being smaller-scale organisations. In fact, a staggering 54% of SMEs in the UK faced some form of cyberattack in 2022, many of them with inadequate defences in place, smaller budgets, fewer resources and often no designated cybersecurity team or policies to ensure preventative or reactive measures are in place.

Although we are used to seeing big names in the headlines when it comes to cyberattacks, for cybercriminals looking to go under the radar, lesser-known and lower profile SMEs are the perfect target for viable and straightforward cyberattacks – especially as they often don’t see it coming. Some cybercriminals may also use SMEs as a gateway to reach larger enterprises too, if the SME in question is a supplier or subcontractor of the target organisation.

The consequences of a successful breach – including the potentially monumental disruption to business as usual, reputational risks and financial implications – are especially heightened for SMEs too, and are incredibly difficult to recover from. It goes without saying that cybersecurity should be a top priority and on the radar of every SME, but how can they go about ensuring they are sufficiently cybersecure?

Implementing even small changes in cybersecurity practices can make all the difference. By adopting robust measures such as multi-factor authentication and keeping encryption keys separate from the data they protect, small businesses can fortify their defences and thwart potential cyberthreats. Small businesses need to secure business and customer data and can also have access to enterprise-grade security no matter their size.

Taking action isn’t just about protecting the data itself, though – it’s also the paths to that data, many of which are controlled by APIs. A typical organisation might have as many as 1,000 different API endpoints, a significant number of which are poorly documented and tracked. This makes them an effective gateway for threat actors to break in and access the systems and data behind them. From broken access control to vulnerable and outdated components and authentication failures, abuse of business logic components like APIs poses a wide range of security threats.

With this in mind, here are the steps SMBs can take to strengthen their overall cyber posture and safeguard all paths to their critical data…

  1. Make it harder for hackers with Multi-Factor Authentication (MFA): MFA should be in place for all your business accounts and systems. MFA means you need to provide more than just a password to log in. This makes it much harder for hackers to break into your accounts, even if they guess your password. MFA adds an extra layer of protection and bolsters your overall security.
  2. Keep your encryption keys separate: Encryption is a way to make your important data unreadable to those without the necessary decryption key. It’s important to keep that key separate from the encrypted data – otherwise it’s like having a safe with the combination written on the front. If the key gets into the wrong hands, they can unlock the data without permission. It is important to keep your encrypted data and encryption keys in separate locations, and ideally in an HSM, allowing you to keep control of your own keys and by extension your sensitive data.
  3. Bring in external security expertise: If you lack the skills or resources internally to effectively manage cybersecurity, consider outsourcing these tasks to a trusted provider. While many advanced cybersecurity tools are available on the cloud as subscription-based services, outsourcing to external experts can also provide access to specialized expertise, and round-the-clock monitoring. Not only will this help organisations gain greater visibility of their vulnerabilities and develop a clear view of what to protect in the first place, but it will also relieve your business from the burden of maintaining dedicated cybersecurity expertise.
  4. Educate your staff on potential threats: Humans are often one of the weakest links in your security defences. Ensure that your team is aware of potential threats, knows how to use and monitor the security software you have in place, and reports anything suspicious as soon as they become aware of it.
  5. Don’t forget the basics: Maintaining good cyberhygiene is essential to protect against potential threats. Regularly backing up your data and applying software patches are two crucial practices to prioritize. Backing up your data ensures that you have a copy in case of data loss or ransomware attacks, while patching helps to address vulnerabilities and protect against known security issues.
  6. Protect all data gateways: Given web applications and APIs are accessible to the public via the Internet – making them desirable targets for hackers – sufficient Web Application and API Protection (WAAP) is essential to deter attacks. For example, next-generation firewalls protect against API-focused attacks by constantly and proactively monitoring for attacks deployed on the application, using AI to block suspicious activities. Furthermore, malicious bot protection can isolate and stop suspicious bot attacks, without inhibiting safe bot traffic. The WAAPs must also protect against account takeover attacks, client-side attacks, and software supply chain attacks that also pose risks to SMEs.

While cybersecurity may seem like an overwhelming responsibility, the tangible actions above can completely transform an SME’s cybersecurity and its ability to prevent, cope with and recover from an attack. With increasingly sophisticated attacks emerging each day, a breach is simply a case of ‘when’, not ‘if’, so being one step ahead will pay dividends.
