SMEs quite understandably at this time have genuine concerns around cybersecurity, especially in the wake of the WannaCry and Petya ransomware attacks, the upcoming introduction of regulation in the form of GDPR and a continuous news flow around successful attacks on high profile companies. All of this is creating an environment where worries about the need to protect data and networks from cyberattacks are growing.
Increased awareness of the issue has the double-edged prospect of both bringing the issue to the attention of SMEs which is good but it also causes panic which is bad. SMEs are in many ways a target for cybercriminals because they provide an easy target; a focus on other business priorities make the barriers that the bad guys need to jump over much lower than those needed to break into a larger organisation with dedicated security teams.
Does the fact that well-known brands are successfully attacked and breached mean that SMEs are even more at risk? If SMEs can defend themselves, how should they go about doing so? It is worth exploring these questions in order to help SMEs successfully defend themselves against the myriad of threats that they face.
1. Where should SMEs be investing money for their tech security
Historically, legacy antivirus has been a staple of security and, currently, the market is experiencing a natural evolution to next-generation antivirus (NGAV). SMEs should be looking to upgrade away from ineffective, signature-based legacy AV to an NGAV solution that can provide visibility across the enterprise. It’s critical for both SMEs and large businesses to know what’s going on with their business. NGAV can help provide that visibility. If SMEs are looking for a way to boost their security postures, implementing a free, two-factor authentication for email will make it harder for attackers to gain access to corporate emails. I would also recommend anti-phishing-based email services.
2. What are the priorities?
SMEs should look to protect their most valuable assets, which more often than not revolve around data. It’s very rare that attackers are able to access data directly. Most often they look to compromise endpoints and specific accounts. Easy investments SMEs can make today to protect access to endpoints involve implementing an NGAV solution and protecting accounts through multi-factor authentication. These investments will be well worth it and provide a significant ROI.
3. What security weaknesses do SMEs have that larger companies tend not to?
The biggest security weaknesses for SMEs are often the result of limited resources, both financial and personnel. If you look at the cost to implement above average security, the cost often exceeds the budget for SMEs. The additional reality is that as these businesses grow, their costs also increase. Security skillsets can be tough to come by and are often expensive. Very few capable security professionals are willing to be the lone security person on staff. If SMEs don’t have the money to hire robust security staff, they may feel hamstrung. There are a number of free and cost effective solutions, such as NGAV, that SMEs can implement without having to break their budgets.
4. Should they be updating their operating system?
Upgrading operating systems, while considered a best practice, is not by itself necessarily worth the cost. That is to say, simply updating the operating system is often not enough to help a business owner sleep better at night. For many modern operating systems, enabling the additional security configurations require their own level of maintenance that often exceeds those the business might gain from using specific security software. So, in principle, updating outdated OSs (especially those that are end-of-life) is a good practice, but it should not be the lone security measure considered.
5. How should they protect from cyber attacks if they can't afford a dedicated service?
Keep it simple. Keep your environment simple and keep your controls simple. Entropy differs across an environment. If an SME allows employees to bring their own devices, for example, that may breed problems across the enterprises. By keeping the environment homogenous and implementing and sticking to security standards, SMEs can go a long way in establishing good security hygiene from the start. SMEs should leverage their smaller sizes as an advantage.
6. What can happen in the worst case scenario?
SMEs are built on their brand and reputation. Unfortunately these smaller business are unable to absorb the same brand hit associated with a breach that larger organisations can. One compromise can have a much bigger impact and potentially cripple an SME. One wire transfer that doesn’t come in because it was redirected to an attacker’s account has the potential to bankrupt the business. While I wouldn’t say that’s extremely common, it’s certainly a fear that keeps SMEs awake at night.
This advice should help SMEs to feel more confident in their ability to successfully defend themselves in a world experiencing ever more cyber-attacks. SMEs shouldn’t feel that the fact big brands are being successfully breached means it is inevitable that they will be but on the flip side it clearly doesn’t mean that they shouldn’t invest in defence. The price is too high not to. Thankfully, simple measures can be put in place to keep SMEs secure.
The cost of not keeping customer data or business critical information safe and secure can be very high, therefore putting in place barriers to effectively deter attackers should be a priority for SMEs in the same way that accounting is. Cybersecurity is a vital business function and it should not be managed as a one-time effort; it requires consistent attention; just as traditional business functions do.
For those SMES with remote workforces it is even more vital to protect access to endpoints and this will involve implementing an NGAV solution and protecting accounts through multi-factor authentication. Security programmes need to reflect the modern working environment where workforces are increasingly mobile and so there needs to be a focus on protecting endpoints; this is key to staving off growing threats such as non-malware and ransomware.
Source: Michael Viscuso, Co-Founder and Chief Executive Officer, Carbon Black