Rachel Hanlon

Cybersecurity for SMEs – challenges & recommendations

In an informative article, the European Union Agency for Cybersecurity (ENISA) outlines the cybersecurity challenges faced by small and medium-sized enterprises (SMEs) in the EU. You can check out the full article here for more details.

Contrary to the common perception that cyber-attacks only happen to large organisations, organisations of any size can be attacked in much the same way. These days, organisations are not judged by the fact that they suffered a cybersecurity breach, but by how well they handle and respond to it. This is why it is essential for all organisations to be secure or, at a minimum, to have the ability to react to a breach effectively. The ENISA article looks into how SMEs adapted to the COVID-19 crisis, illustrates how important the internet and computers are to keeping their businesses running, and sets out the cybersecurity challenges SMEs face.

Interestingly, many SMEs believe that all the cybersecurity controls they need are already included in the IT products they purchased and that no additional security controls are necessary. This shows that most SMEs do not realise the risks their business is exposed to when adequate cybersecurity controls are not in place.


Challenges faced by SMEs:

The ENISA article identifies seven categories of major challenges for SMEs:

· Low cybersecurity awareness of the personnel

· Inadequate protection of critical and sensitive information

· Lack of budget

· Lack of ICT (Information and communication technology) cybersecurity specialists

· Lack of suitable cybersecurity guidelines specific to SMEs

· Shadow IT, i.e. work in the ICT environment shifting outside the SME's control

· Low management support.


Real Life Cybersecurity incidents that have occurred in SMEs:

As stated above, there is an assumption that cybercriminals prefer to target larger organisations because they have access to larger amounts of money and are therefore more interesting. However, cybercriminals often prefer to attack smaller firms, since these companies are less likely to have sophisticated cybersecurity measures in place and are therefore easier to compromise.

Below are examples of the types of security incident that have occurred within SMEs:

· Ransomware at an IT service provider company

· Stolen laptop – leading to the criminal accessing confidential data

· Email account hijacked to facilitate fraud

· Ransomware on PCs and servers


Our recommendations for SMEs:

Our recommendation is to follow the core cybersecurity fundamentals, which can be summarised under three areas: People, Process and Technology.

People – Help your people be responsible by gaining employee buy-in to being secure. Use employee awareness messages and provide basic cybersecurity training on the company's security policies. Make sure you know whether any third parties have access to your systems, and manage the risks that access poses to the company.

Process – There are basic audits you can have run, such as an assessment against Cyber Essentials; these can help you put the right processes in place to close any gaps. Having a basic security incident response plan will ensure the company can react to a breach effectively. Good password practices are a must: adopt a basic password policy that everyone understands.

Technology – Keeping on top of software and hardware patching is essential for good data protection. Where possible, make sure the basics are in place: good network security, anti-virus, encryption, security monitoring, physical security and secure backups.

Contact us for more information on how we can help with the challenges discussed above and with implementing these recommendations in your company.
