The small to medium enterprise (SME) isn’t being ignored by cybercriminals. The tide of ransomware and hack-and-attack isn’t sliding past organisations with low headcounts and fresh footprints. Everyone is vulnerable, everyone is being targeted, but not everyone is prepared. Most large organisations have plenty of security protocols in place thanks to hefty budgets and IT teams. Smaller businesses, on the other hand, rarely do. And most don’t understand what security they’re supposed to invest in, or why.
The Symantec 2016 Internet Security Threat Report found that small businesses were the target of 43% of cyber-attacks in 2016. It’s a worrying statistic, made even more so by another from the 2016 State of SMB Cybersecurity report, which revealed that only 14% of SMEs (in the survey) believed that their systems were capable of mitigating the cyber risk. Even more worrying is that the same report revealed 50% of the SMEs had been breached since 2015 and 59% don’t know what passwords or cyber hygiene standards their employees adhere to.
It’s a litany of statistics that points to a concerning trend – the SME isn’t paying attention. What’s even more of a concern is that the US National Cyber Security Alliance found that 60% of small businesses failed after falling prey to a cyber-attack. That’s huge. So is the fact that SMEs are hit by 62% of all cyber-attacks, which number approximately 4000 per day.
The challenge is that most SMEs have networks and infrastructure with no policies or procedures to define communication, data access and storage, or the standard software applications that are being used. This makes them vulnerable, opening up plenty of soft points that make them easy targets for hacking and security breaches. Many SMEs don’t have user education around IT security either, so users have poor passwords and cyber hygiene. It only takes one person to open that ransomware email to infect and impact the entire business.
Business owners need to take responsibility and put measures in place to lower the risk of security breaches. The approach has to be preventative, not reactive, and this is where the SME needs support. With so many solutions circling the market, how does the SME know which one suits them? With limited budgets, which one is the one they must implement first? The biggest challenge for SMEs is that they don’t recognise the risk or what happens in a security disaster.
There are a few basic steps that the SME can take to ensure they are reasonably protected. First, if they have a broadband internet connection, ensure the router’s incoming ports are blocked and incoming traffic is prevented. Then, install anti-virus software on every computer and ensure it remains updated. It sounds like the most basic of solutions, but it’s one that many forget, especially the updates. The same applies to operating systems – the success of WannaCry relied on outdated operating systems that hadn’t received relevant patches or updates. It’s also important that the SME develop a basic internet usage policy that avoids torrent sites, educates users around unknown email attachments, and prevents some of the most common mistakes from being made. SMEs with more than five users should also purchase a basic firewall and an internet monitoring and control device – these are low cost, but highly effective. Finally, make sure you have a backup in place. If everything has been corrupted or stolen, this will be the data that saves the business. In short: always have anti-virus and a firewall in place and keep them active, make updates mandatory and regular (weekly), keep systems up to date, and make sure nobody downloads free anti-virus solutions or firewalls from the internet, as these are usually viruses.
Once the systems are in place, the rules defined and the employees educated, the SME has to be savvy enough to recognise the warning signs of a hack. There are numerous accounts of hackers sitting within systems for months, even years, before they were discovered, because it is extremely difficult to detect them. If your firewall and anti-virus suddenly won’t work or have been disabled, sit up and pay attention, as it could mean someone else is in your system.
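The warning signs described above (a disabled firewall or anti-virus, stale updates) can be checked with a short script run on each computer. The following is an added example, not part of the original article; it assumes Windows 10 or 11 with Microsoft Defender as the anti-virus, and the 35-day patch threshold is an assumption based on monthly Windows update releases.

```powershell
# Added example: endpoint health check for a small office PC.
# Assumes Windows 10/11 with Microsoft Defender; run in an elevated session.
$MaxSignatureAgeDays = 7    # the weekly update cadence recommended above
$MaxPatchAgeDays     = 35   # assumption: Windows security updates ship monthly
$findings = @()

# 1. Firewall: every profile (Domain, Private, Public) should be enabled.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.Enabled -ne 'True') {
        $findings += "Firewall profile '$($fwProfile.Name)' is disabled"
    }
}

# 2. Anti-virus: engine and real-time protection on, signatures fresh.
try {
    $av = Get-MpComputerStatus -ErrorAction Stop
    if (-not $av.AntivirusEnabled) {
        $findings += 'Defender anti-virus engine is disabled'
    }
    if (-not $av.RealTimeProtectionEnabled) {
        $findings += 'Defender real-time protection is off'
    }
    if ($av.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Anti-virus signatures are $($av.AntivirusSignatureAge) days old"
    }
} catch {
    # A failing query is itself a warning sign: the service may have been stopped.
    $findings += "Could not query Defender status: $($_.Exception.Message)"
}

# 3. Operating system: date of the most recently installed update.
$lastPatch = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch) {
    $findings += 'No installed Windows updates were found'
} elseif (((Get-Date) - $lastPatch.InstalledOn).TotalDays -gt $MaxPatchAgeDays) {
    $findings += "Last Windows update was installed on $($lastPatch.InstalledOn.ToShortDateString())"
}

# Report: any finding is worth investigating, not just fixing.
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Firewall, anti-virus and patch checks passed'
```

Scheduling this weekly and reviewing any warning keeps the "always active, always updated" rule from depending on someone remembering to look.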
For the SME, the risk of the hack is too great to ignore and the cost of preventative measures too low to reject. While the high-level 24/7 monitoring of the enterprise may not be in the budget, there are options that deliver the right results. As a business owner, stay tuned to the news and be aware of the trends and attacks so you can prepare the employee and the business for whatever’s coming next. And it is coming…