Last reviewed 21 April 2020

Protecting the digital assets of a business, and the customer information that is now collected, is critical. Dave Howell assesses how small businesses can protect their systems and their customers from attack.

As larger companies have improved their cybersecurity systems, cybercriminals are increasingly switching their focus to smaller firms who may have lower levels of security across their businesses. According to the National Cyber Security Centre, SMEs have a one in two chance of experiencing a cyber breach.

Senseon in their report into the state of SME cybersecurity succinctly advised: “SMEs cannot adopt the mindset that they are too small to matter, as to cybercriminals, or for the purposes of indiscriminate attacks, it simply isn't true. With the increase of attacks, SMEs have never had to work so hard to defend themselves.”

According to research commissioned by OGL Computer, 81% of SMEs confirmed that they are increasingly worried about cyberattacks and their frequency.

The report also highlights newer technologies such as 5G, robotics, AI and automation that UK-wide SMEs plan to adopt. Nationally, 5G is a firm favourite with SMEs, with 59% of surveyed SMEs planning on adopting this emerging technology, followed by robotics (55%) and automation (39%).

Colin Dennis, Head of Technical Operations, OGL Computer, says: "Cybersecurity has been front of mind for SME customers for some time now, as awareness of cyber-risks continues to rise. Proactive management of IT requirements is in many ways connected to this trend, as businesses of all sizes look to compliance requirements as well as asset protection and disaster recovery."

Increasingly, SMEs are looking to automate as much of their cybersecurity as possible. The expansion of AI and its capabilities is bringing new tools onto the marketplace that SMEs can deploy. However, all small enterprises should first look at their staff and increase education and awareness of the cyberthreats they face.

Deloitte cyber risk partner, Peter Gooch, says: “2020 will see more deployment of security automation tools. Where this is done well, it will allow organisations to adapt rapidly to changing attack tactics. Where it is done poorly, it will be more complicated to unpick.”

Good cybersecurity hygiene is often the most effective method of preventing damaging attacks from taking place. Simple steps such as using strong passwords and being aware of unexpected email attachments can have a significant influence on reducing the instances of cyberattacks your business could face.

When it comes to the security approaches that will mitigate the risks which dominate in 2020, David Boda, Head of Information Security, Camelot Group, believes ‘back to basics’ is best. “A focus on robust and timely access control and patching will still give the biggest reduction in risk for the majority of organisations across all sectors. These are the two areas that vendors, consultants and end-user organisations should all be talking about.”

Threat perimeter

The first step businesses should take to develop strong security is to understand the whole threat landscape your company could be exposed to. Your business could be hit by indiscriminate attacks such as the 2017 ransomware attack WannaCry. Other risks include phishing, malware, trojan horses and virus attacks, and the often-overlooked insider attacks perpetrated by employees.

Performing a vulnerability assessment of your business's systems is critical. This will identify areas across your enterprise that require stronger security to be developed. Business in the Community has a handy tool you can use to assess your company’s readiness.

Stephen Ridley, cyber underwriting manager at Hiscox, spoke with Croner-i: Small Business Essentials beginning with his response to a question about the general cybersecurity challenges SMEs are currently facing.

“The biggest challenge is the risk is constantly shifting, and SMEs are less likely to have an individual with specific responsibility for monitoring and responding to this risk, nor the budget headspace to implement every mitigation measure possible,” Ridley said. “Knowing what steps to take to reduce the risk most cost-effectively is really difficult when there is so much noise in this space.”

With limited resources how can small businesses protect themselves from cyberattacks?

“Focus on the basics, and the things that are most relevant. Most mass-market cyberattacks are from criminal gangs who are looking for the low hanging fruit; some simple (and often inexpensive, or even free!) steps can deter the vast majority of these attacks. Look at measures such as:

  • The Government’s Cyber Essentials accreditation.

  • Training employees on cyber risk – human error plays a part in roughly two-thirds of incidents that we handle.

  • Implementing multi-factor authentication for online accounts (especially Office365, GSuite or equivalent) – this will prevent most instances of Business Email Compromise that we see, which is our most frequent cause of claim.

  • Regularly backing up key systems and having these backups disconnected from the main network. This significantly mitigates the impact of ransomware claims, which is our second most frequent cause of claim.”

Is it a mistake to think that having several cybersecurity tools in use will fully protect a business from attacks?

“Absolutely. Much the same as any area of risk, there are things that you can do to reduce the chances of something going wrong, or minimise the impact if it does, but there is no such thing as being totally secure. If we think about it in the physical sense, you can put the strongest locks on a building's doors, install a burglar alarm and put shutters on the windows – all of which will act as a deterrent, reducing the risk of burglary and possibly shortening the response time if one does occur. Still, it doesn't completely remove the threat.

“Exactly the same principles apply to cybersecurity – the steps above will reduce, but not eradicate the risk; that is where insurance fits in as a risk transfer mechanism to offer businesses balance sheet protection against those incidents that do still happen.

“Cyber also has the added dynamic that the risk is constantly shifting, and systems and processes that are secure (or at least thought to be) one month may not be the next, as new vulnerabilities are discovered, or as criminals develop new attack techniques.”

Why are people still often the weakest component of a security policy?

“In a world where everything moves at such a fast pace, making mistakes is incredibly easy. Add to that the fact that criminals are getting increasingly sophisticated in how they target people, and it’s a really tough challenge for businesses. In the past, phishing emails were pretty easy to spot with a bit of reasonably basic knowledge.

“We are now in a situation where these emails can be crafted to look near identical to the brands that they are trying to masquerade as. You often have to really interrogate the content of the emails to spot whether they are genuine or not.”

What future cybersecurity challenges will small businesses have to defend against?

“The main challenges will be the increasing number of network-connected devices that businesses have – particularly Internet of Things devices – as well as the continued proliferation of attacks as more and more of the criminal fraternity look to exploit the internet, and the added connectivity that 5G mobile networking brings.”

Protecting assets

What has become crystal clear over the last few years is that cybersecurity must be an integrated response to several threats. Too often, security systems will be installed that look for just one type of cyberattack – antivirus applications, for example. Today businesses have a wide threat perimeter to defend.

Says Greg Day, VP & CSO, EMEA at Palo Alto Networks: “We are moving towards an ever more interconnected world. Today, many organisations have supply chains, and they are starting to get used to shared security models as they move to the cloud. With 5G and the growth of IoT, that mesh of interconnectivity will only grow as will the complexity of who's involved in a digital process. Shared security models will become shared security ecosystems.”

Senseon also advises: “SMEs should look towards solutions that go beyond pure anomaly detection to avoid being inundated with false-positive alerts that waste precious time and resource. Instead, seeking revolutionary approaches that can think like a human analyst by observing threats from multiple perspectives, pausing for thought and learning from experience to carry out automated investigations, will ensure that SMEs have the best chance of defending themselves from present and future cyberattacks.

“Adopting AI solutions is a step in the right direction. Our research indicates 81% of SMEs believe that AI is fundamental to the future of cybersecurity. The question is not so much about the desire to implement AI, but rather how SMEs, both new and established, can create a comprehensive business case for taking advantage of the technology and getting the most from its benefits.”

As cybersecurity threats evolve, so should your business's defences. Automated systems will continue to develop and offer smaller enterprises, in particular, cost-effective services. Security, though, starts at home. Having a security-aware workforce is one of the most effective ways to prevent cybersecurity attacks occurring. And when incidents do take place, a detailed reaction policy will ensure any damage is kept to a minimum.