It’s not just big businesses that endure cyberattacks: small and medium-sized businesses are just as vulnerable and, in many ways, more so. Cyber security for SMEs is a priority topic in 2018 and, as far as we can tell, will stay so in the foreseeable future.

Micromix specialises in the development and application of crop and plant nutrition for companies ranging from farmers through commercial fruit growers to sports turf providers. A ransomware attack encrypted 10 years of data and left them without IT systems and unable to serve their customers. To compound the issue, they had no reliable data backup. With no other choice, the company paid the ransom to retrieve their data.

According to the 2017 cybersecurity breaches survey, two-thirds of medium sized firms in the UK suffered at least one cyber security breach or attack in the previous year.

What makes SMEs vulnerable?

Some don’t accept there is a pressing need to act

While many SMEs understand the cyberthreat and spend what’s needed to protect themselves, others lag. They don’t believe it could happen to them, have other priorities or think they have all the protection they need.

Almost half of SMEs plan to spend £1,000 or less on cybersecurity in 2018. More worryingly, a quarter don’t know how much they will spend, or if they will spend at all.

Small businesses are often seen as an easier way of getting at a bigger target

Attacks on SMEs are unlikely to produce the same return to criminals as a successful attack on a large enterprise, but there’s another reason why they are attractive: they often hold data on behalf of those bigger companies.

SMEs provide services as diverse as cloud data storage, M&A consultancy and debt collection, all of which means they hold commercially sensitive data that, in the wrong hands, could form the basis of a ransomware demand to their customer.

SMEs often keep quiet if there’s a security breach

Requests for modest ransoms – hundreds of dollars, for example – are more likely to be paid by small businesses anxious to avoid the glare of publicity that could unsettle larger customers and shrink their sales pipeline.

The group behind the SamSam ransomware have used this approach since 2015 and have netted $850,000.

So, does it matter?

Financial cost of disruption and recovery

A cyberattack often results in a financial cost to the business. Although actual costs are difficult to find – not many companies will reveal them, for obvious reasons – the average is estimated at £3k for a mid-sized company and £1.5k for a small business, rising steeply to £20k for larger companies.

However, if the full impact – reputational damage, loss of business, time taken to recover – is added, it’s likely the actual cost will be much higher. It can take days, and often weeks, to recover from an attack. For severe data loss – like that experienced by Micromix – it could take months to restore your reputation, even if the ransom is paid.

All of this can be helped, and the worst avoided, with a robust business continuity plan, but these don’t tend to be high on the list of business priorities for a hard-pressed SME.

Reputational damage leading to customer loss

As discussed earlier, SMEs often serve bigger companies and if an attack results in the loss of their sensitive data, it could mean the end of the relationship. They also need to comply with regulations, like GDPR, that stretch across the supply chain.

A study by Cybsafe found that 30% of SMEs had to demonstrate their cybersecurity credentials when responding to tenders for new business with large firms, and over half had cyber conditions included in new contracts.

Non-compliance, and appearance on the regulator’s blacklist, means they could not only lose contracts but also be barred from government work. Ultimately, if the business impacts are serious enough, the business could fold.

5 steps for SMEs to reduce cyber security business risk

There’s a lot for businesses to do to make sure they’re well protected, but consider these a good start.

  1. Accept there is a baseline budget for cyber defence and build it into your annual business plan. The amount will vary by type of organisation – size, industry, customer type – but you should be able to work out a number. According to Gartner, organisations spend an average of 6 percent of their IT budget on IT security and risk management, but the number can vary from 1 to 13 percent. Consider it an investment, not a cost.
  2. Perform an annual cybersecurity risk and threat assessment to make sure cybersecurity doesn’t end up at the bottom of your in-tray. There are freely available checklists that help ensure you don’t miss anything.
  3. Take care of the technology basics: protect your network, control access to systems and provide secure tools for remote working.
  4. Since cybercriminals are primarily interested in data, make sure you know what you’ve got and where it is. Be extra rigorous in protecting commercially sensitive information.

Number 5 is staff awareness training, and that’s the subject of our next post.

The main vulnerabilities and threats for SMEs

A vulnerability is a weakness inside the business – people, technology, business process – and a threat is an activity (human or otherwise) that exploits a vulnerability. Knowing your vulnerabilities and the threats that might exploit them is the first step in planning an effective cybersecurity defence.

Some of the more common vulnerabilities are listed below:

People

  - Emailing to an insecure address or the wrong recipient
  - Installing unauthorised software and apps
  - Removing or disabling security tools
  - Downloading & installing unauthorised apps
  - Opening spam emails
  - Sharing business info on social media
  - Connecting personal devices to company networks
  - Writing down passwords and sensitive data
  - Insecure method for file sharing
  - Storing unencrypted data on mobile devices
  - Portable devices not stored securely
  - Insecure passwords

Technology

  User Access Controls
  - Users given access to systems they don’t need
  - User accounts left in place after an employee leaves

  Software & Hardware
  - Vendor updates/patches not applied to hardware or software
  - Old browsers and vulnerable plug-ins
  - Legacy systems – can’t easily be updated to address the latest threats
  - Infrequent or absent data backups

  Network
  - Weak firewall
  - Insecure WiFi networks