A guide to SME security – because strong cyberhygiene is not just a large enterprise issue 

Lawrence Perret-Hall, Director, CYFOR Secure, speaks to Intelligent SME.tech about why SMEs are especially prone to cyberattacks and how they can prevent them with strong cyberprotection.

Small businesses face plenty of challenges day-to-day: building a brand, hiring talent and stretching limited resources. Until recently, therefore, developing and implementing a strong cybersecurity strategy has rarely featured highly among their business priorities. In fact, cybersecurity is still not a priority for many smaller companies. Yet as we see more cyberattacks targeting organisations of all sizes, strong cyberhygiene has never been so critical.

All too often, we hear business leaders and entrepreneurs working in small enterprises claim that they won’t be targets for threat actors and cybercriminal gangs, simply because there is no value in hacking their corporate networks. But just because your business doesn’t hold a large volume of sensitive data or work within a technology-focused industry, it doesn’t mean you won’t be their next victim. Some of the largest, most influential attacks in history have compromised smaller companies and used them as back-door entrances to breach larger partner organisations.  

Unfortunately, there’s no silver bullet to cyberprotection for SMEs. However, there certainly are several solutions – including working with a security partner on backup strategies, cybersecurity awareness training and incident response plans – that will make cybersecurity much simpler for businesses that do not necessarily have the resources to get it right on their own.

Today’s threat surface  

Supply chains are a big target for cybercriminals. Take SolarWinds as an example, where hackers gained access to more than 30,000 organisations by hacking into the system that managed their IT resources. Small organisations that provide services to UK government bodies or large commercial brands are at serious risk of being attacked. According to a study conducted at the end of last year, 84% of organisations believe that software supply chain attacks could become one of the biggest cyber threats within the next three years. Even more worryingly, of those that have suffered their first software supply chain attack, 54% did not have a response strategy in place.

The rising risk to supply chains is compounded by the increasing maturity of hackers and the growing complexity of their tactics, techniques and procedures (TTPs). Social engineering campaigns and highly personalised phishing attacks – known as ‘spear phishing’ – have become so sophisticated that it can be hard to notice a scam. What’s more, cybercriminals often identify the best times to catch their victims unaware. This could be on a national holiday – as in the recent attack on SHI, which hit the US company over the Fourth of July weekend – or later in the evening, when employees may be checking emails on their phones and lack the vigilance they have in the office.

One area where we see this most clearly is the housing industry. Friday is the most popular day to complete a house purchase, which makes it a favourite for cybercriminals too. Large sums of money are transferred all day between solicitors and their clients, so carefully crafted phishing emails aimed at the right individuals (those eager to finalise their exchange) are an unfortunate example of criminals hitting victims at the perfect time. Threat actors choose these moments because they want the quickest and easiest reward and the most disruption, but as defenders we need to be ready to react at any moment.

Cyberinsurance for SMEs 

While the threat of cyberattacks is very real for small enterprises, according to a recent study, almost 30% of SMEs cancelled their cyberinsurance policies in 2021 in order to save money. Rising by 92% in the UK in the final quarter of last year and continuing to skyrocket through 2022, premiums are fast becoming unaffordable for small and medium-sized businesses. Worryingly, this trend is showing no signs of stopping, with research from Panaseer earlier this year identifying that 82% of cyberinsurers across the UK and US are expecting the rise in premiums to continue. 

To overcome this issue, cyberinsurers are calling for more direct access to customer security metrics and measures proving the status of security controls. Yet these metrics and measures will only support businesses if they are being proactive with their cybersecurity. This includes ensuring threat detection and response services – like a managed SIEM – and end-point protection solutions are in place and optimised.  

Insurers also recognise the importance of prioritising education and implementing regular security awareness training to ensure employees understand that they are just as much of a risk as an unpatched vulnerability. For smaller businesses with fewer resources, this is one area of cyber that shouldn’t create a significant drain on budgets. Instead, it is more about changing culture, perceptions and understanding of cybersecurity. Measures such as consistent staff training and phishing simulations can be implemented, monitored and evidenced easily – helping to promote a company-wide ‘security-first’ mindset – while information around the latest security risks and scams should be shared regularly across the team.  

When a breach occurs 

So, what about when SMEs fall victim to an attack? In cybersecurity it is no longer a case of ‘if’, but ‘when’ – meaning preparing for the inevitable is key. For organisations both big and small, Business Continuity plans and Incident Response (IR) playbooks will play a huge role in supporting remediation and allowing businesses to get back on their feet, serving customers again as quickly as possible. Without these in place, it can take up to four weeks to get back up and running, which isn’t viable for a customer-facing business. 

Part of this remediation planning must also include maintaining a suite of backups – both small and frequent, on a daily basis, as well as full backups stored on a separate encrypted network. This will ensure that recovery time in the event of an attack is kept to a minimum.  

Ultimately, a strong cybersecurity strategy is a big ask for internal IT teams of small businesses that are often already overstretched. Therefore, for support in monitoring for threats, boosting employee awareness and recovering from an attack, outsourcing to a security partner is the best bet for SMEs. With cyberinsurance premiums so high and showing no sign of decreasing, relying on a partner can reassure insurers that your security is in safe hands, thus reducing premium costs and better preparing your organisation for the worst.   
