Cyber security challenges for SMEs are increasing. With attacks on smaller companies on the rise, what advice can we offer?
I sat down for a chat with Patrick Martin, Head of Threat Intelligence at Skurio to find out:
- What are the biggest challenges for SMEs when it comes to cyber security?
For most SMEs, dedicated cyber security resources simply aren’t an option. Skilled resources are hard to find, hard to keep hold of and expensive. Finding security solutions that are designed so that IT generalists can use them can be tough.
- Which areas of a small business are particularly vulnerable to attackers?
SMEs tend not to have full-time security staff. This can mean valuable assets like customer information, including payment details, might be vulnerable. This information can be sold or traded with scammers or potentially used to plan more complex attacks. Complex attacks are typically designed to go for a larger single payoff. In particular, the accounts team, or anyone who has the authority to request a payment to a third party, is the prime target.
Another aspect of an SME’s business that makes them potentially vulnerable is their reliance on third-party applications and web services.
- What types of attacks are most successful? What type of data are hackers after?
At Skurio, we’ve seen targeted activity, including phishing and spear-phishing attacks, first-hand, and these are a growing trend. What's more, they are almost impossible to prevent entirely – especially when they originate in the supply chain. Awareness and training are vital in combating these attacks. Hackers will typically start with exfiltrated user credentials which are purchased or shared on the Dark Web. These can provide a way into email accounts. A hacker will then monitor and sometimes manipulate these accounts for weeks or even months. Eventually, the hacker will spot a chance to trick a target company into altering a planned payment, which is diverted to an account that can be accessed by the hacker. Businesses that regularly deal with transactions involving large sums of money, e.g. £100k+, are particularly vulnerable, and we have seen evidence of this loss.
- How can small businesses find a solution that offers enterprise-grade security but is also easy to install and has an easy-to-use interface? Do you need a full IT team to run and manage cyber security properly?
Small businesses can make massive improvements to their cyber security without breaking the bank. Awareness, password management and making use of the multi-factor authentication that good, modern applications offer are quick, easy and low-cost options. And any business can put these into place without having specialist expertise. Securing the supply chain is also key. Look for suppliers with certifications like Cyber Essentials Plus and BS ISO/IEC 27001. Don’t be afraid to ask suppliers and partners to provide proof of credentials and practices.
Another great first step is to deploy a Digital Risk Protection solution. This will monitor the opaque and dark parts of the web for breached data, credential breach protection and mentions in attack planning scenarios. In this way, businesses can be much better prepared to mitigate an attack if they see it coming.
- Is cyber security more of a burden than it should be for small businesses? Is there a way to make it a business enabler rather than holding back teams?
Unfortunately, a real shortage of skills puts specialist resources out of the reach of small businesses. Failing to take any action at all, however, can prevent businesses from adopting the kinds of digital transformation techniques necessary to remain competitive. Digital transformation can help businesses improve customer experience and productivity – good cyber security practices simply enable this transformation without increasing vulnerabilities.
- How can managers/owners get their team on board with cyber security best practices?
Initiating awareness training is a great way to instantly improve the chances of blocking attacks and getting people on board. The NCSC have some great resources: https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available