Cybersecurity: Why are the solutions not good enough?
7 min read
11 June 2019
The frequency and cost of reported cyber attacks on SMEs are growing, how can they better protect themselves?
A recent government cybersecurity survey showed a fall in the number of businesses reporting cybersecurity breaches or attacks in the last 12 months. However, for the third of businesses reporting cyber attacks the frequency and costs of those attacks are up significantly.
This suggests SMEs may still need to do more to protect their assets, sensitive data, intellectual property and reputations from cyber threats. In the past, there has been the misconception that it’s only the big companies that are likely to be targeted. But criminals don’t care about size and ownership structures, what they care about is:
● Do they have money I can steal?
● Do they have personal, financial, intellectual property or otherwise sensitive data I can steal or leak?
● Do they have IT or operational systems I could disrupt to extort money or just to make a point?
● Can I easily get around their cyber defences?
Cybersecurity isn’t just about technology; it involves people, information, systems, processes, culture and physical surroundings.
SMEs need to create a secure environment where they can use technology and remain resilient in the event of an attack potentially preventing loss of earnings, reputational damage and now the imposition of fines.
People will always be at the heart of long term cyber resilience. In the survey, the majority of businesses that identified a breach or attack in the last 12 months had experienced phishing attacks.
It is not a surprise that this type of attack is still so prevalent and why many successful attacks are accidentally caused by employees. The emotional engineering used relies on our basic human nature to be helpful and there are many tricks that attackers use to play on this.
This is a big challenge for businesses to overcome and it’s important that all employees are trained on the consequences of social engineering and know when, and when not, to divulge information or click on a link or attachment in an email.
Carrying out ethical phishing attacks and working with teams across the business on the results can be very effective. Someone will always remember when they have clicked on something they shouldn’t have and will then be much more vigilant in the future.
I’m not who you think…
Impersonating organisations in emails or online is another common threat mentioned in the survey, where hackers pretend to be someone senior in the business or a third party seeking payment or sensitive information.
These attacks are targeted at individuals and often very persuasive.
A product of the glut of personal information now shared via social media, the response continues to be ongoing education and awareness raising of the threats in the workplace, and in our everyday lives.
Many businesses start with an assessment of security behaviours to identify broader cyber risks in the business. This helps raise security awareness amongst senior executives, and encourage a culture of secure behaviour across the business.
An ongoing programme of online training, participating in simulated attacks and behavioural interventions can then start to embed secure mind-sets across the business.
Mind the gaps
Over a quarter of the businesses identified viruses, spyware or malware attacks in the last 12 months. Cybercriminals will continue to turn to ‘the path of least resistance’ seeking out the slightest vulnerability in a business’ defence.
It is incredibly important to fully understand how all websites and IP addresses within the business are being controlled. This will help give confidence that internet-facing systems, including those that are run by third parties are secure.
This is about getting the basics right which includes applying software updates when available, installing firewalls with appropriate configuration, using up-to-date malware protection and restricting IT admin and access rights to specific users.
If businesses do not have the basic cyber defences in place it makes them a very easy target for cyber criminals, and critically they won’t have the necessary capability in place to know and detect an attack.
The reality is you still may not be able to prevent a breach, but you can control how you respond.
In our experience, businesses which have taken steps to prepare for security incidents respond more rapidly and effectively.
This should never be a tick box exercise and include documented and exercised response plans with people from across the business. Nothing can be left to chance.
Where to start?
SMEs are particularly attractive to hackers. While you focus on growing and expanding your business, your cyber defences may not always be adequate and one simple oversight can make you a target for cybercriminals. A good starting point is to ask the following three questions of your business:
● How do we ensure our security is aligned to the external threats we face and our own risk appetite?
● How many third parties hold or access our systems or sensitive data? How do we ensure they meet our security standards?
● What is our response plan for a cyber breach? Have we tested this?
Approaches to cybersecurity are changing and there are innovative point solutions to particular problems being developed all the time. It might seem that there are more questions than answers but in reality with the right advice, training, creating the right culture and the application of some good old common sense, we can make life more difficult for the cybercriminals and reduce the chances of businesses becoming another victim of cybercrime.