The pandemic tested the business resilience of every organisation. Small and medium-sized enterprises (SMEs) had to maximise their digital footprint to stay operational, service their customers and survive. Just as companies are starting to return to some semblance of a new normal, another threat is on the horizon. The pandemic has fuelled an increase in cybercrime that shows no signs of abating.
Small and medium-sized enterprises caught in the crosshairs
The speed with which companies had to digitally transform their businesses during the pandemic has increased their cyber vulnerabilities. More companies are conducting their business online and cybercriminals are rubbing their hands in glee at the opportunity this presents.
Many SMEs underestimate the threat, believing they are too small to be a target. Attacks on big brands make the headlines and the jargon used to describe vulnerabilities and malware is complex, making it appear to be a big enterprise issue. It’s easy to see why smaller companies shy away from tackling an issue they hope will never happen.
The reality is that cybercriminals are organised and operate like a business with shop fronts on the dark web. They even have interactive customer support services to make it easier for victims to pay their ransom demands. Cybercrime operators know that going after large companies is risky and carries greater repercussions from law enforcement. All they want are quick and easy paydays, and SMEs represent a fertile training ground for new operators to build up experience, tools and reputation. Attacking SMEs might be less lucrative, but there are more of them, and they are an easier target to hit. The devastation to livelihoods and the human misery caused have no bearing on a hacker’s thinking: it’s business, not personal.
The anatomy of a simple attack
The majority of cyberattacks are not complex; they don’t need to be. The CEOs of big brands may speak of the ‘sophisticated and complex attacks’ on their systems when trying to justify to customers and suppliers why their data was breached. However, post-attack analysis doesn’t back this up.
The WannaCry attack that caused mayhem across the world in 2017 exploited a known software vulnerability that should have been patched years earlier. Companies that applied the patch at the time it was issued remained unscathed. For the ones that didn’t, it was a tough year with costly remediation work to systems and significant brand damage.
To add insult to injury, WannaCry was initially spread through a phishing campaign. Spam emails containing infected links or attachments were sent to employees. The unknowing recipient, who had probably never received any training on how to spot a spam email, clicked the link. It only took one employee clicking on one infected link, and an entire company was infected. Who needs sophisticated attack methods when an email will do?
Cybersecurity is necessary but it doesn’t need to be complex
Cybersecurity is not a luxury; it’s a business necessity and also a business enabler. If your company is secure, you can get on with the day job knowing you have done all you can to safeguard your business.
As the WannaCry attack showed, cybersecurity needs to become a habit within a company, or something will get missed. Having IT systems but no strategy to protect them is like going out and leaving your front door and all your windows wide open. You may get away with it once or twice but is it really a risk you want to take?
Keeping cybersecurity simple – where to start?
Starting on the path to securing your organisation can be hugely daunting. There are so many solutions on the market, with different features, benefits and price points that it can be difficult to know where to begin.
The National Cyber Security Centre, the technical authority in the UK, has created Cyber Essentials (CE), a simple but effective scheme to protect companies against a whole range of the most common cyberattacks.
Cyber Security Policy Manager (CSPM) helps you implement CE, delivering a clear path for SMEs to create a security strategy in easy-to-manage steps. The five fundamental controls are embedded within CSPM, providing you with a simple step-by-step process for developing security policies and procedures. Companies are given prompts and guidance at every stage, in jargon-free language. CSPM has been designed so that companies can guard against cyberattacks without needing expensive security consultants. CSPM also provides educational videos so employees are made aware of how to defend themselves from cyberattacks.
Companies can work their way to certification by evidencing they have implemented five fundamental controls. These controls can mitigate 80% of common cyber risks such as hacking, phishing, malware infections and social engineering attacks. The benefit of certification is that it sends a clear message that cybersecurity is something your business takes seriously.
Certification can reassure customers and suppliers that you are working to secure your IT systems and safeguard their data against cyberattacks. It is a great way to demonstrate to your existing customers and suppliers that cybersecurity is more than a tick-box exercise. It also opens the door to attracting new business and building your reputation as a trusted supply chain partner.
You don’t have to go it alone
There is no secret to mitigating a cyberattack; it’s the same process as protecting a house. Make yourself a harder target by blocking the obvious entry points and, unless the attacker is very determined, they will move on to a softer target. If you don’t know where to start, Policy Monitor can help. We are attending International Cyber Expo at Olympia in September; you will find us on Stand B40 in the IASME Pavilion. Register for FREE tickets here: https://ice-2022.reg.buzz/website-header
Written by: Nick Denning, CEO at Policy Monitor