Small and Medium Businesses (SMBs) are not immune to cyber-attacks; in fact, they are often deliberately targeted by hackers because they regularly fail to prioritise or invest in cyber security and are therefore viewed as easy targets.
The UK National Cyber Security Centre reports that if you’re an SMB, there’s around a 1 in 2 chance that you’ll experience a cyber security breach. In recent surveys, SMBs state that a lack of cyber security personnel (74%) and a lack of budget (55%) remain the biggest challenges to improving cyber security. These two key challenges can be addressed by focusing on the following areas:
Security Leadership and Resources
The majority of SMBs are aware that cyber security is a critical focus area, yet 74% of SMBs do not have sufficient in-house expertise to deal with security issues and keep up with the ever-changing cyber security threat landscape. Recruiting dedicated cyber security expertise can be a struggle due to the high cost and scarcity of good candidates, and a dedicated, permanent cyber security resource may be overkill for what is actually needed.
A number of businesses have overcome this problem by using a third-party Virtual Chief Information Security Officer (vCISO) service. This on-demand security leader operates as an integrated member of the team to provide cyber security leadership and support, define the security roadmap, drive key security initiatives forward and help manage security incidents. This is achieved through a combination of scheduled and flexible time tailored to the organisation’s requirements, delivered over a few days a month or on a more regular basis. Importantly, the organisation only pays for the time and effort required.
This outsourced vCISO can help SMBs rapidly improve their cyber security posture, including identifying the key cyber issues and risks that could impact their business, implementing cost-effective cyber security controls, and effectively dealing with cyber security incidents should they occur.
Employee Education and Awareness
Many organisations are over-confident in their investment in traditional IT security controls and overlook the contribution their employees could make to improving the security of the organisation. IBM reports that 95% of cyber-attacks involve human error, and yet 7 out of 10 businesses do not invest in cyber security awareness training. Phishing attacks remain the most common and successful method used by hackers against SMBs.
Expecting employees to have cyber security knowledge and the ability to keep up with a rapidly evolving cyber security threat landscape is both unfair and unrealistic. Giving employees knowledge and understanding of the cyber threats to which they are frequently exposed, including phishing, ransomware, malware, social engineering and the use of insecure networks, will help them become a security asset and the first line of defence against cyber security attacks.
However, getting this right involves changing the culture and behaviours within the organisation, not just increasing awareness. The best way to achieve this is by implementing an Information Security Education, Awareness and Training programme. This should include phishing simulations and tailored online training and awareness campaigns that reflect the cyber threat landscape in which the business operates. The programme should be delivered continuously, with the right level of detail to minimise any impact on the day job.
This programme will provide employees with a heightened understanding of cyber security threats and empower them with the knowledge of how to spot, avoid and report them, reducing exposure to cyber security attacks and breaches.
The impact of a successful cyber-attack on an SMB can be devastating in terms of cost, business downtime and disruption, reputational damage, and loss of confidence in the business from customers, partners and suppliers. Some SMBs, due to the nature of their business, may also be exposed to potential legal and regulatory censure.
Deploying cost-effective cyber security resources and educating staff can help SMBs reduce cyber risk and exposure to cyber-attack.