The COVID-19 crisis showed how important the Internet, and computers in general, are for SMEs to keep their businesses running. In order to survive the pandemic and stay in business, many SMEs had to take business continuity measures such as adopting cloud services, upgrading their internet connections, improving their websites, and enabling staff to work remotely. Sadly, many simply moved to remote working without taking any precautions, or with the bare minimum they thought they could get away with.
Contrary to the belief that cyber-attacks happen only to large organisations, any enterprise can be attacked regardless of its size or the information it holds. According to the UK Cyber Security Breaches Survey, “almost half of businesses (46%) and a quarter of charities (26%) report having cybersecurity breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (68%), large businesses (75%) and high-income charities (57%)”. But by no means are small businesses exempt.
The common underlying issue appears to be management awareness and commitment, which in turn drives budget, allocation of resources and effective implementation of cyber security practices. Six categories of major challenge for SMEs have been identified:
- Low cybersecurity awareness of the personnel.
- Inadequate protection of critical and sensitive information.
- Lack of budget.
- Lack of ICT cybersecurity specialists.
- Lack of suitable cybersecurity guidelines specific to SMEs.
- Low management support.
Those of you who are amongst my regular readers will be well aware of my mantra regarding cyber awareness training for staff and managers. A big misconception is that because cyber security can be a complex issue tied to technical measures, it lies squarely within the realm of IT. Wrong. Cyber security needs to be part of the culture of the organisation, second nature to all. Staff need a basic awareness of how their attitudes and actions can have a damaging effect on the business. A report for ENISA, the EU cyber security agency, suggests that 84% of cyber attacks rely on some form of social engineering, and that the number of phishing attacks within the EU continues to grow. This is echoed in the UK.
Budgets remain a problem. Many SMEs are low-margin organisations, heavily reliant on cash flow, and therefore reluctant to spend on anything not connected to their core business. But they must get used to asking themselves, ‘Is IT part of my core business?’ and ‘How long could I continue to operate my business if I lost my IT systems?’. Cyber security needs to be factored into that IT budget. Cyber security is an iterative process; it isn’t something to be done once and then forgotten about. The criminals are constantly evolving and defences must evolve with them.
Cyber security expertise is neither cheap nor easy to obtain. Many IT companies will talk about their expertise in this area, but if you delve into it, it is generally focused on products, mainly firewalls and anti-malware. Cyber security expertise goes much deeper than that, and is as much procedural as it is technical. It starts with risk management, i.e. understanding the risks you face, which in turn is derived from threat and vulnerability analysis matched against your assets. Those assets are not just hardware and software; they include the information you hold, your people, your processes and the services your business depends on. Typically, the type of person who can legitimately call themselves an expert in this field can command a salary north of £80K. I doubt there are many SMEs prepared to pay that, or indeed many of the smaller IT companies.
It can also be advantageous to follow a standard. By far the most comprehensive is the ISO/IEC 27000 series of international information security standards. However, this might be seen as a little heavy for many SMEs, although those at the higher end may want to follow it without seeking certification. At the lower end, the UK Cyber Essentials scheme, which is required for many UK central government contracts, is very suitable, inexpensive and obtainable.
More and more SMEs are now moving to a cloud environment, whether Microsoft 365, Amazon Web Services, DigitalOcean or others. I usually recommend that SMEs take this approach as it can solve a lot of problems, particularly with home working still very much in vogue. However, it is not the panacea that most think it is, and it still has security issues that need to be addressed. The provider secures the underlying platform; the customer remains responsible for user accounts, access permissions, configuration and the data itself, which is why those issues are usually, but not always, found at the user end.
Here at H2 we use our long experience of providing cyber security solutions to large enterprises to craft solutions for the SME community, having first identified the issues that the business faces. We take an approach that looks at things from the business point of view, managing risk and coming up with cost-effective solutions which can be brought in in a phased way, for a subscription price. No large bills to damage that all-important cash flow.
For more information, contact Kevin Hawkins of H2 Cyber Risk Advisory Services:
T: 0845 5443742
M: 07702 019060