Mark Logsdon, cyber resilience expert, AXELOS, details the first steps SMEs should take to bolster cyber security
While it is true that small-medium sized enterprises (SMEs) do not need to worry about some of the issues that are of concern to large organisations, such as shareholder demands, cyber resilience is one that SMEs do need to pay attention to just as much as their larger counterparts.
Almost three-quarters (74 percent) of SMEs experienced a cyber-attack last year and the average cost of these attacks was between £75k and £311k, according to PriceWaterhouseCoopers 2015 Information Security Breaches survey.
It is clear that SMEs no longer have a choice on whether they need to invest in cyber resilience. The fact that they don’t get as much publicity when attacked does not mean that these incidents don’t impact on an SME’s operations, reputation and ability to survive in a fiercely competitive market. In fact, SMEs may not be able to recover from a cyber-attack as quickly and smoothly as large organisations due to a lack of resources and availability of appropriately trained staff to help them respond and recover in the aftermath of an attack.
Customer data is of particular interest to criminals and if this data falls into the hands of attackers, SMEs risk being fined up to £500k by the regulator, i.e. the Information Commissioners Office. Sanctions of this magnitude can be enough to put SMEs out of business and the reputational damage alone may be enough to destroy the company.
Regardless of resource availability, there is a lot that SMEs can do to defend themselves against a cyber-attack, including:
Employees are often the easiest route for attackers to gain the access they require to mount a cyber-attack. A large proportion of all incidents begin with a phishing and/or a social engineering attack. The good news is that preventing these types of attacks is fairly inexpensive and straightforward – the solution being to empower employees through cyber awareness training. Education and learning awareness programmes must move beyond a compliance ‘tick-box exercise’, towards truly engaging and informing employees in a relevant way can mitigate against these common occurrences.
With these type of attacks, no one in an organisation is safe from being an unwitting victim, so an education and awareness initiative must involve everyone within the organisation regardless of their role or seniority.
Once this training has been developed, the organisation is by no means fully protected. Vigilance must be adhered to on all cyber matters, which means that any new practices or methods for protecting against attacks will need to be integrated via refresher training for all employees. It is also important for organisations to ensure that new hires are properly informed on cyber resilience via their induction packs and compulsory new starter training.
SMEs can also find advice on cyber resilience from sources such as the UK government’s Cyber Essentials Scheme which outlines the basic steps all organisations should take to protect themselves against the threat of attack.
Similarly The UK Government’s National Technical Authority for Information Assurance (CESG), which advises how organisations can protect their information and systems against threats, has developed 10 steps to cyber security. SANs, a cooperative research and education organization, has also produced a top 20 critical security controls list for organisations to adopt. These sources can be useful for SMEs in understanding what they should be doing at a minimum to protect against risk of a cyber-attack.
Finally, cyber risk insurance can be a useful way of mitigating the consequences of a successful cyber-attack. However, it is difficult to price and coverage is often very limited.
These top tips identify where SMEs can enhance their cyber resilience. Education is cost effective and crucial in ensuring employees do not unwittingly allow their organisation to become a victim of an attack. SMEs cannot afford to adopt the view that they are too small to be targeted – often they are a small piece in a wider chain of activity by cyber attackers, providing a way into a much larger, more lucrative target.