It's Not Just Big Businesses that endure the most cyberattacks
Small and medium-sized businesses are just as vulnerable and, in many ways, more so. Cyber security for SMEs is a priority topic this year, and as far as we can tell, will stay so in the foreseeable future.
Micromix specializes in the development and application of crop and plant nutrition for companies ranging from farmers through commercial fruit growers to sports turf providers. A ransomware attack encrypted 10 years of data and left them without IT systems and unable to serve their customers. To compound the issue, they had no reliable data backup. With no other choice, the company paid the ransom to retrieve their data.
According to the 2017 cybersecurity breaches survey, two-thirds of medium-sized firms in the UK suffered at least one cyber security breach or attack in the previous year.
What makes SMEs vulnerable?
1. Some don’t accept there is a pressing need to act
While many SMEs understand the cyberthreat and spend what’s needed to protect themselves, others lag. They don’t believe it could happen to them, have other priorities, or think they have all the protection they need.
Almost half of SMEs plan to spend £2,000 or less on cybersecurity this year. More worryingly, a quarter doesn’t know how much they will spend, or if they will spend at all.
2. Small businesses are often seen as an easier way of getting at a bigger target
Attacks on SMEs are unlikely to produce the same return to criminals as a successful attack on a large enterprise, but there’s another reason why they are attractive: they often hold data on behalf of those bigger companies.
SMEs provide services as diverse as cloud data storage, M&A consultancy, and debt collection, all of which means they hold commercially sensitive data that, in the wrong hands, could form the basis of a ransomware demand to their customer.
3. SMEs often keep quiet if there’s a security breach
Requests for modest ransoms – hundreds of dollars, for example – are more likely to be paid by small businesses anxious to avoid the glare of publicity that could unsettle larger customers and shrink their sales pipeline.
So, does it matter?
The financial cost of disruption and recovery
A cyberattack often results in a financial cost to the business. Although actual costs are difficult to find – not many companies will reveal them for obvious reasons – the average for a mid-sized company is estimated as £3k and £1.5k for a small business, although this rises steeply to £20k for larger companies.
However, if the full impact – reputation damage, loss of business, time is taken to recover — is added, it’s likely the actual cost will be much higher. It can take days, and often weeks, to recover from an attack. For severe data loss – like that experienced by Micromix – it could take months to restore your reputation, even if the ransom is paid.
All of this can be helped, and the worst avoided, with a robust business continuity plan, but these don’t tend to be high on the list of business priorities for a hard-pressed SME.
Reputation damage leading to customer loss
As discussed earlier, SMEs often serve bigger companies and if an attack results in the loss of their sensitive data, it could mean the end of the relationship. They also need to comply with regulations, like GDPR, that stretch across the supply chain.
Non-compliance, and appearance on the regulator’s blacklist, means they could not only lose contracts but also be barred from government work. Ultimately, if the business impacts are serious enough, the business could fold.
5 steps for SMEs to reduce cyber security business risk
There’s a lot for businesses to do to make sure they’re well protected... consider these a good start.
- Accept there is a baseline budget for cyber defense and build it into your annual business plan. The amount will vary by type of organization — size, industry, customer type – but you should be able to work out a number. According to Gartner, organizations spend an averageof 6 percent of their IT budget on IT security and risk management, but the number can vary from 1 to 13 percent. Consider it an investment, not a cost.
- Perform an annual cybersecurity risk and threat assessment to make sure cybersecurity doesn’t end up at the bottom of your in-tray. There are freely available checklists that help ensure you don’t miss anything.
- Take care of the technology basics: protect your network, control access to systems, and provide secure tools for remote working.
- Since cybercriminals are primarily interested in data, make sure you know what you’ve got and where it is. Be extra rigorous in protecting commercially sensitive information.
Number 5 is staff awareness training, and that’s the subject of our next post
The main vulnerabilities and threats for SMEs
A vulnerability is a weakness inside the business – people, technology, business process – and a threat is an activity (human or otherwise) that exploits a vulnerability. Knowing your vulnerabilities and the threats that might exploit them is the first step in planning an effective cybersecurity defense.
Some of the more common vulnerabilities are listed below:
|
People
|
Technology
|
| Emailing to an insecure address or wrong recipient |
User Access Controls |
| Installing unauthorized software and apps |
Users are given access to systems they don’t need |
| Removing or disabling security tools |
User accounts left in place after employee leaves |
| Downloading & installing unauthorized apps |
Software & Hardware |
| Opening spam emails |
Vendor updates/patches not applied to hardware or software |
| Sharing business info on social media |
Old Browsers and vulnerable plug-ins |
| Connecting personal devices to company networks |
Legacy systems – can’t easily be updated to address the latest threats |
| Writing down passwords and sensitive data |
Infrequent or absent data backups |
| Insecure method for file sharing |
Network |
| Storing unencrypted data on mobile devices |
Weak Firewall |
| Portable devices not stored securely |
Insecure WiFi networks |
| Insecure passwords |
|
Kate Goldman
