Just to remind you, the full list of the seven categories of challenges faced by SMEs, as listed in the ENISA report, is:
- Low cybersecurity awareness of the personnel.
- Inadequate protection of critical and sensitive information.
- Lack of budget.
- Lack of ICT cybersecurity specialists.
- Lack of suitable cybersecurity guidelines specific to SMEs.
- Shadow IT, i.e. shift of work in ICT environment out of SME’s control.
- Low management support.
So what do we mean by shadow IT? Well, this is very much related to the shift in working patterns that emerged during the pandemic, particularly working from home. Many employers have seen a distinct advantage in the reduction of costs that this brings with it, and whilst some remain unconvinced, many are already starting to adopt a hybrid approach with a mix of home-based and office-based working.
Doing this quickly, out of necessity, produced several issues. Many SMEs simply did not have the budget to start buying laptops and/or tablets for remote working and didn’t want their desktop PCs taken to employees’ homes. As a result, they were left with no choice but to allow their staff to use their personal devices to work remotely.
What was known in the corporate world as BYOD (bring your own device) was somewhat hurriedly introduced into many companies during the pandemic, without much thought being given to the policies and processes required to keep company data safe. In the larger companies where this has been allowed for some time, there are very strict rules surrounding it, requiring these personal devices to have the same or similar levels of protection as equipment owned by the company.
Of course, in addition to staff using their own personal devices for business purposes, they are also accessing the internet, and therefore corporate systems and data, from their own home networks. In many cases, these home networks use consumer-grade technology for items such as broadband connectivity and wireless networks, which may not be as secure as the business-grade technology employed by the SME in its own network. Compounding the use of these potentially less secure home networks is the fact that they are also shared with others in the house. The devices that other members of the household use could pose an additional security threat to the SME’s systems, as they may not be configured securely. In effect, the COVID-19 pandemic has extended the SME’s network perimeter from the locations associated with the SME’s business premises to the homes of all its employees.
Another issue is the use of personal cloud services. In an effort to be productive and to enable the sharing of company data, many staff use their own personal cloud services for email or for sharing files. This is a particular problem for SMEs that do not have facilities in place to enable remote workers to collaborate effectively. It is, of course, not a big problem for those using cloud services such as MS365, AWS, Digital Ocean, etc. It is highly recommended that Virtual Private Networks (VPNs) are set up to allow the secure transfer of data between systems. This is not particularly difficult to do; however, the use of VPNs is not particularly widespread unless they come with access to cloud services. So between the home user and the company office, there is often no VPN set up. Where this is the case, staff can become frustrated with the technology in place and, in an admirable effort to get their work done, may turn to their own personal cloud and email services.
Prior to the pandemic becoming a very real issue, many SMEs did not have a large online presence; essentially, it consisted of a website providing details about what the business did. The majority did not carry out e-commerce, selling online, or direct engagement with clients. However, the pandemic has really been the mother of necessary invention. A large number of SMEs had to convert parts or all of their business to be delivered over the internet, and, in the rush to enable the business to do this, and to survive, many SMEs did not invest either time or money in ensuring that these online services are secure. As a result, many of these SMEs are now at risk of these services becoming compromised.
Turning now to low management support. I have to be careful what I say here, because no owner or manager wants their business to fail. However, just about every owner/manager I meet finds it challenging enough just making money and keeping their heads above water. IT and cyber security are not their core business; they don’t particularly understand it, although they do understand its value in keeping the business going. They rely heavily on support from outside.
Whilst it is sometimes hard to convince management to fully support IT in the company, this is particularly true of cyber security. It is simply not understood that if management does not invest some time, resource and, yes, money into something that is hard to demonstrate brings direct value to the business, then the company is at serious risk of becoming the target of cyber criminals, which can cost considerably more in money and reputational damage than any investment up front.
In the corporate world, management can rely on their own in-house cyber security team to provide the advice, guidance and solutions required to protect the business from crime. Most, if not all, SMEs do not have this luxury. Instead, senior management within an SME often relies on their own knowledge of the issues or on what they learn from their peer networks. As such, there is low awareness amongst SMEs that they face many cybersecurity threats, with many of them thinking they “are too small for criminals to want to hack them.”
Contrary to the belief that cyber-attacks happen only to large organizations, all enterprises can be attacked in the same way, regardless of their size and the information they store. SMEs are an attractive target for cyber-attacks because criminals may consider them easy targets, due to SMEs not having robust cybersecurity measures in place. In addition, as many SMEs provide services to larger organizations, an SME could be of interest to cybercriminals as a way to attack the supply chain of that larger organization.
In short, it is essential that management understand the issues and take advice as to how they can mitigate their business risk in regard to cyber attacks.