Last reviewed 18 May 2022

As we move out of the pandemic, has cyber security changed for small enterprises? How did working from home factor into their security stance, and how are SMEs approaching their security today?

According to the 2022 Global Threat Report from Crowdstrike, ransomware attacks have seen a massive 82% increase over the last year. And cloud-based vulnerabilities are also increasing as remote working and remote network access became more widespread as the pandemic deepened. Also, with over three-quarters (80%) of cyber security incidents using identity-based attacks, the human component of digital security across your business can’t be overstated.

“WannaCry, and similar attacks are indeed alive and well today,” says Ric Longenecker, Chief Information Security Officer at Open Systems. “The reality is that there are still so many unpatched systems that remain vulnerable to infection, and many of these systems may or may not be able to support modern EDR or other security solutions. Additionally, companies face other factors that amplify the threat of WannaCry, including their growing collections of point security products.

“Rather than improve security, the inherent complexity of managing so many tools typically results in misconfiguration and misalignment errors that create gaps in coverage. The challenge for companies is to fully utilise the right tools — not simply deploy more — also to continuously and comprehensively monitor their larger attack surfaces in order to detect and isolate compromised devices before it impacts the business.”

Speaking to us, Adam Seamons, Systems and Security Engineer at GRC International Group explained the speed of change because of the pandemic lead to lax digital security across many businesses.

“The pandemic pushed many businesses to the limit, with falling sales and increased expenses. Many firms were faced with making snap investments in remote working tools such as VPNs, clouds services, video conferencing and additional hardware such as laptops, headsets, and webcams. These implementations made by businesses to quickly accommodate for remote working, consequently, gave them little time or resource to assess the cyber security impact, which became an afterthought or was completely forgotten about.”

Developing and then maintaining a strong, flexible and adaptable cyber security policy is a business imperative. Moving forward, securing what will increasingly become mobile threat perimeters as mass remote working becomes the norm, digital security must be top of the business development agenda.

Digital protection

In this head-to-head interview we spoke with Roy Shelton, CEO at Connectus Group.

What is your assessment of the current state of small business cyber security?

“Too many small businesses are still not putting enough emphasis on cyber security. In the majority of cases businesses are being reactive rather than proactive and only boosting their defences once a breach has happened. Small businesses need to conduct regular and continuous checks in this area and constantly ask: can we do more?”

How has the pandemic impacted on the cyber risks SMEs face?

“The pandemic caused an increase in both the likelihood and impact of cyber attacks, as organisations react rapidly to potentially significant operational and financial challenges. The nature of the threat is also changing, with attackers exploiting uncertainty and unprecedented situations.

“Covid-19 has created new opportunities for cyber threat actors and the steps that organisations should take to mitigate these risks. It has forced organisations to shift rapidly to remote working at scale. This is likely to have a significant impact on both IT infrastructure requirements and the attack surface. Criminals have adapted, with hundreds of new Covid-19 themed phishing lures being created each day. Criminal and state-sponsored campaigns have sought to exploit Covid-19 and they will also use VPN and video conferencing software lures to take advantage of users unfamiliar with remote working.”

What kind of cyber attacks are now being used to target smaller businesses in particular?

“The biggest, most damaging and most widespread threat facing small businesses are phishing attacks. Phishing attacks have grown much more sophisticated in recent years, with attackers becoming more convincing in pretending to be legitimate business contacts. Malware is the second big threat facing small businesses. 

“Ransomware is one of the most common cyber attacks, hitting thousands of businesses every year. These attacks have only become more common as they are one of the most lucrative forms of attacks. Ransomware involves encrypting company data so that it cannot be used or accessed, and then forcing the company to pay a ransom to unlock the data. This leaves businesses with a tough choice — to pay the ransom and potentially lose huge sums of money or cripple their services with a loss of data. Small businesses are especially at risk from these types of attacks.

“Another big threat facing small businesses is employees using weak or easily guessed passwords. Many small businesses use multiple cloud-based services that require different accounts. These services often can contain sensitive data and financial information. Using easily guessed passwords, or using the same passwords for multiple accounts, can cause this data to become compromised. SMS text and call back scams claiming to be from the NHS or HMRC are a huge risk to unsuspecting businesses owners and staff.”

What are the practical steps small business leaders can take today to raise their digital security?

“It is vital to train employees in security principles and establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cyber security policies.

“Having the latest security software, web browser, and operating system are the best defences against viruses, malware, and other online threats. Regularly backup the data on all computers.

“Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly and store the copies either offsite or in the cloud. Patch management, regular vulnerability scanning and penetration testing is also vital to ensure your company remains protected.”

As remote working becomes the norm, how does this impact the cyber security small businesses need to develop?

“Remote work means an employer has less control and visibility over employees’ data security. A strong remote work policy that outlines the corporate access control policy ensures compliance with GDPR, reduces risk, and keeps data safe is vital. It should outline which employees have access to corporate servers, what data they can use, and how they can use it as part of their daily tasks.

“Also, remote working also increased the risk of malware and other hacks which are delivered via phishing email attacks. These emails have become so sophisticated that it’s increasingly difficult for employees to detect them, especially if they make it past the corporate email filters into their inboxes.

“Training employees on how to detect and avoid phishing emails can reduce the risk posed by these emails. It should be implemented for both existing and new hires to ensure that everyone is aware. Companies should also schedule regular training and refresher courses for phishing detection to keep employees updated on the latest risks. Regular reminders and training are especially important for remote employees using their own software or devices to access the corporate network. Security teams should also tailor the training to incorporate non-standard or non-corporate devices, such as personal devices or tech stacks

“The growing trend of working from home / coffee shops / hotel lobbies has also increased cyber threats to the insecure nature of connecting to public Wi-Fi or simple residential home broadband being use to connect to businesses infrastructure and accessing cloud based applications.”

What does the ideal small business cyber security tech stack look like?

“There is no one size fits all stack. Each business will have different needs. If you are an SME, cyber security might seem impossibly complex and filled with endless pitfalls. But although there’s a lot at stake — with ineffective security measures potentially threatening your productivity, your bank accounts, and your employees’ and third parties’ personal data — the path to effective security needn’t be difficult. If an SME is reluctant to invest in cyber security practices, it is more likely to fall victim and will experience exponentially larger costs as a result. In some cases, the damage will be insurmountable.

“You cannot cut corners when it comes to cyber threats. However tight your budget, you simply must find a way to address cyber security. There are very cost effective and proven approaches to protecting your SME businesses by subscribing to a cyber managed service which provides initial and ongoing training and awareness, proactive protection and incident or crisis management in the event of a breach.”

Cyber security checklist

As your business re-draws its digital transformation roadmap in the wake of Covid-19, use this checklist to ensure your company is protected from all forms of cyber attack.

  1. Ensure business-grade cyber security applications are installed and up to date.

  2. Audit your business to identify all the digital devices in use — including any personal devices used by your workforce. This overview will enable a detailed and comprehensive security policy to be created.

  3. Constantly educate your workers to develop good cyber security behaviour and awareness. The human component is any digital security plan is often its weakest link.

  4. Think about the levels of security across your business. Do all employees need the same level of access to sensitive information? Limiting this access can have a significant positive impact on data security.

  5. Back up your data. This is essential to combat the rise of ransomware in particular. Businesses still often do not have a comprehensive data back-up and recovery system in place.

  6. Adopt multi-factor authentication to access the most sensitive information. This should form the core of your company’s digital security stance.

The security landscape that all business must now navigate has continued to evolve. Phishing, malware and ransomware are all clear and present dangers. However, businesses are not powerless victims. With a well-designed and deployed security policy even the most serious attack can be mitigated.