
Why cyber hygiene needs to be an SME priority

by Mark Rowe

As cyberattacks continue to cripple large enterprises, smaller businesses may be forgiven for assuming they are not a bad actor’s number one target. Yet time and time again we’re seeing smaller companies being used as back-door entrances into the networks of larger organisations, says Lawrence Perret-Hall, Director of cyber services firm CYFOR Secure.

Security within the supply chain now poses one of the biggest threats to businesses, with incidents like the recent attack on NHS IT supplier Advanced highlighting just how much disruption can be caused. Or the well-known SolarWinds attack, in which criminals gained access to the data of over 30,000 organisations by compromising their IT resources management system. Or the NotPetya ransomware attack, which spread from Ukraine across the rest of the world and wreaked around $10 billion in total damages. The list goes on.

What these events highlight is that regardless of the size of a company, if it works within a chain or network of organisations that provides services to government bodies or large commercial brands, it becomes extremely vulnerable to an attack. While business owners may think their company’s data is relatively worthless to an adversary, ensuring strong cyber hygiene has never been more important for even the smallest of organisations. To do so requires continuous staff awareness training, the implementation of incident response plans and the support of experts in the security field.

Is cyber insurance the answer?

Despite the threat of cyberattacks to SMEs, a recent study found that almost 30 per cent cancelled their cyber insurance policies last year to save on costs. This is hardly surprising given the surging premium prices, which rose in the UK by 92 per cent in the last quarter of 2021 alone and are expected to continue rising. According to research by Panaseer, 82 per cent of cyber insurers believe that premium costs will remain on their upward trajectory, making cover increasingly difficult for smaller businesses to afford.

Improving cyber hygiene is the first step that SMEs need to take in order to, firstly, protect their networks, and secondly, reduce the cost of insurance premiums. Insurers stated in the same Panaseer report that they need more direct access to customer security metrics and measures to prove the status of security controls. In other words, organisations need to implement and optimise a number of cybersecurity solutions – like threat detection and response, end-point protection tools and staff training initiatives – and demonstrate their effectiveness to insurers to reduce costs.

In fact, prioritising staff education, with consistent security awareness training programmes so that employees understand the risk they can pose, is likely the best place to start for SMEs. This education need not be a drain on smaller budgets; instead it should focus on changing the culture of the company to one that adopts a ‘security-first’ mindset. Investment in phishing simulations, for example, to test and measure awareness across the business will not only highlight where security needs to be improved, but also demonstrate risk levels to insurers. Once these basics are in place and the foundations of cyber hygiene are achieved, a business will become far easier to insure as its risk is reduced.

Preparing for the worst

While staff training is the priority for prevention, an SME also needs policies and procedures in place for remediation. Unfortunately, attacks are no longer an ‘if’ but a ‘when’ in the current threat landscape. Therefore, preparing for the worst is key. For SMEs, business continuity plans and Incident Response (IR) play-books will be invaluable for expediting remediation efforts and getting a business back up and running after a breach.

Part of this planning includes maintaining a suite of small, frequent back-ups that update on a daily basis, alongside full back-ups stored on separate encrypted networks. Keeping these separate back-ups avoids the issue seen regularly in ransomware attacks, where the back-ups themselves become infected because they are stored in the same place as the original data. It’s crucial that if teams restore from local back-ups, they verify that they are not simply re-infecting their networks with malware when doing so.
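One practical form of that pre-restore check, as an added example that is not from the article or CYFOR Secure: a hash manifest of the last known-good back-up is kept with the separate, offline copy, and the local back-up set is compared against it before anything is restored. The directory layout, file names and the simulated tampering below are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(backup_dir):
    """Return {relative_path: sha256} for every file in a back-up set.

    Run this when the known-good back-up is taken and store the result
    with the separate encrypted copy, not next to the data it describes."""
    root = Path(backup_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_before_restore(backup_dir, trusted_manifest):
    """Compare a local back-up set against the trusted manifest.

    Returns {path: problem}; restore only when the result is empty.
    A hash mismatch or an unexpected new file is what an in-place
    encryption or a dropped ransom note looks like."""
    current = build_manifest(backup_dir)
    problems = {}
    for rel, digest in trusted_manifest.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel] != digest:
            problems[rel] = "hash mismatch"
    for rel in current:
        if rel not in trusted_manifest:
            problems[rel] = "unexpected file"
    return problems


def demo():
    """Constructed scenario: a clean back-up, then simulated tampering."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "docs").mkdir()
        (Path(d) / "docs" / "report.txt").write_text("quarterly report")
        (Path(d) / "customers.csv").write_text("id,name\n1,Alice\n")
        trusted = build_manifest(d)          # stored with the offline copy
        assert verify_before_restore(d, trusted) == {}
        # Simulated ransomware: one file rewritten in place, one renamed
        # with changed content, and a note dropped into the back-up.
        (Path(d) / "customers.csv").write_text("garbage")
        (Path(d) / "docs" / "report.txt").rename(Path(d) / "docs" / "report.txt.locked")
        (Path(d) / "README_RESTORE.txt").write_text("pay to decrypt")
        return verify_before_restore(d, trusted)
```

The manifest only proves the back-up matches what was captured; a compromised host that was backed up after infection still needs a malware scan of the restore set.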

However, getting back-up strategies right, developing IR play-books and training staff on cybersecurity best practice are no minor tasks for smaller teams that are often under-resourced and have a host of other challenges to overcome. Therefore, it is often wise for SMEs to turn to experts in the security field who have experience of supporting teams with their cyber hygiene and remediating breaches. Outsourcing security services to a partner can also show insurers that an organisation is taking risk seriously, in turn reducing premium costs.

In an increasingly complex threat landscape, there is unfortunately no ‘silver bullet’ for complete protection. However, by recognising the importance of strong cyber hygiene and working with a security partner to achieve it, SMEs can stay one step ahead of criminals.


© 2024 Professional Security Magazine. All rights reserved.
