It probably won’t surprise many people that the threats to SMEs in 2023 look very much the same as the threats in 2022, and in fact the years before that. They can be summarised as ransomware attacks, phishing scams, supply chain vulnerabilities, insider threats and overall inadequate security measures caused by resource constraints. On top of that there remains the issue of cyber awareness training, which can produce huge benefits for little cost and which many SMEs still don’t carry out.
Insider threats have been widely exposed in the press lately, with data exposures at two police forces, the most serious being the PSNI incident in terms of the threat to police officers’ safety; another has exposed confidential information regarding criminal records, court documents and so on. These incidents are often not the result of criminal activity but of lax processes that aren’t widely published, a lack of security awareness and, in general, employees doing things they shouldn’t because nobody told them they shouldn’t. These aren’t technical issues at all, but I’ve no doubt that someone somewhere will take a simple process and complicate it, taking far too long to fix it and costing a fortune, when it could have been done effectively and relatively cheaply.
Revisiting ransomware: it continues to be a clear and present danger to UK companies, at both the enterprise and SME level. There remains a pervasive opinion within SME management that ransomware only affects big companies, and that SMEs are just too small to offer the level of reward cyber criminals are looking for. I have also said previously that there is evidence that when an SME is hit, the amount demanded is quite small, from around £500 to £1,000, and therefore many SMEs simply pay up. There is a real danger in that, because often their data has already been stolen before it was encrypted, and paying for a decryption key does nothing to recover data the criminal has already copied out and can still leak or sell. Sometimes the criminal doesn’t release the data back to the company at all, leaving the SME not only out of pocket but unable to continue in business.
Arguably, the biggest and most effective step an SME can take is, once again, cyber awareness training for staff. Industry surveys consistently attribute the large majority of data breaches (figures of around 90% are often quoted) to human error. It is very unlikely that an employee will do something deliberately to damage your business. But humans are fallible and, if they haven’t had any awareness training, they simply don’t know what they shouldn’t be doing. You can’t expect your staff to help you avoid cyber attacks if they don’t know what they are looking for. Cyber security is NOT an IT issue; it is very much a business issue, and responsibility lies with everyone in the business. Clearly this training needs to be part of an overall strategy, which again need not be complex or onerous. Most successful strategies follow the KISS principle: Keep It Simple, Stupid.
An often forgotten element of cyber security is a company’s supply chain. The threat has been around for a while now but is becoming much more prevalent, with attackers targeting suppliers to get to an otherwise well protected company. Manufacturers, for instance, often use what is known as ‘just in time supply’: they have an electronic connection to their key suppliers, who are connected to the company’s inventory system and automatically resupply when an item runs low. It’s efficient and prevents the holding of unnecessary stock. But if that connection is set up as broad network access rather than access to just the inventory interface the supplier needs, it can drive a coach and horses through your security: a compromised supplier then has a ready-made route into your network.
The goal of such an attack is to grab whatever you have that is of value to the attacker, so it can include infecting legitimate applications to distribute malware, accessing your IPR (designs, plans, source code, build processes and so on), inventory theft, or inserting false invoices into your system. In fact, if you can think of something that might damage your company, you can bet that the cyber criminals have already thought of it.
Small to medium enterprises are at the greatest risk from cyber security threats, and their vulnerability in turn poses a danger to the major corporations they do business with. If you are in the supply chain for a major company, consider how damaging to your reputation it would be if they were attacked via a hole in your security. I would be prepared to bet the damage would be so significant that it could take an SME under.
Phishing is a subject we hear a lot about and which most SMEs do nothing about. Protecting the business from phishing and other malware is crucial for maintaining a secure online environment, and that brings us straight back to cyber awareness training once again. Train your employees to recognise and avoid phishing attempts. Teach them how to identify suspicious emails, links and attachments. Encourage them to report any suspicious activity promptly, and make sure the people they report it to actually act on the report.
Of course, that isn’t the only thing that will protect you against phishing, but it goes a long way towards it at minimal cost. Add to it strong passwords; two-factor authentication, so a phished password alone isn’t enough; keeping your systems updated and patched; ensuring that your security architecture is designed to match your risk and that the technical controls in place are appropriate and in the right place; adequate email protection, such as email filters, spam blockers and sender authentication (SPF, DKIM and DMARC) on your own domain so it can’t easily be forged; good backups that are kept separate from the live systems; and a solid incident response plan.
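As an added example (not part of the original article), the following Python checks the two email sender-authentication records that underpin the "email protection" item above: the SPF and DMARC TXT records for a domain. A weak SPF record (ending in `+all`) or a DMARC policy of `p=none` means receivers will accept or at most flag mail forged in your company’s name. The domain names and records below are constructed so the script runs offline; in practice you would fetch them with a DNS TXT lookup of `yourdomain` and `_dmarc.yourdomain`.

```python
"""Assess the strength of a domain's SPF and DMARC records.

Added example, not the article's own code. SAMPLE_RECORDS is constructed
sample data for hypothetical domains, standing in for real DNS TXT lookups.
"""

# Constructed sample records (assumption: these are not real domains or DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
    "nothing.example": {"spf": None, "dmarc": None},
}


def _mechanism(term):
    """Strip the optional SPF qualifier (+ - ~ ?) and lower-case the term."""
    return term.lstrip("+-~?").lower()


def _needs_dns_lookup(mech):
    """True for SPF terms that cost a DNS lookup under RFC 7208's limit of 10."""
    return mech in ("a", "mx") or mech.startswith(
        ("a:", "a/", "mx:", "mx/", "include:", "exists:", "redirect=")
    )


def check_spf(record):
    """Return a list of findings for an SPF record; an empty list means acceptable."""
    if not record:
        return ["no SPF record: anyone can forge mail from this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF record does not start with v=spf1"]
    findings = []
    mechs = [_mechanism(t) for t in terms[1:]]
    # The 'all' mechanism's qualifier decides what happens to unlisted senders.
    if "+all" in terms or "all" in terms:
        findings.append("SPF ends with +all: every sender passes")
    elif "?all" in terms:
        findings.append("SPF ends with ?all (neutral): forged mail is not rejected")
    elif "~all" in terms:
        findings.append("SPF ends with ~all (softfail): forged mail is only flagged")
    elif "-all" not in terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders are treated as neutral")
    lookups = sum(1 for m in mechs if _needs_dns_lookup(m))
    if lookups > 10:
        findings.append(
            f"SPF needs {lookups} DNS lookups; RFC 7208 allows 10, so receivers will permerror"
        )
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means acceptable."""
    if not record:
        return ["no DMARC record: receivers apply no policy to forged mail"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: forged mail goes to spam; consider p=reject")
    elif policy != "reject":
        findings.append("DMARC record has no valid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Return {'spf': [...], 'dmarc': [...]} findings for one sample domain."""
    entry = records.get(domain, {"spf": None, "dmarc": None})
    return {"spf": check_spf(entry["spf"]), "dmarc": check_dmarc(entry["dmarc"])}


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        result = assess_domain(name)
        status = "OK" if not (result["spf"] or result["dmarc"]) else "WEAK"
        print(f"{name}: {status}")
        for finding in result["spf"] + result["dmarc"]:
            print(f"  - {finding}")
```

The checks are deliberately simple: they look at the record's policy rather than verifying any particular message. Run against a real domain (substituting live DNS lookups for `SAMPLE_RECORDS`), they tell you whether a phisher can send mail that appears to come from your own company, which is exactly the kind of message staff are least likely to question.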
There’s a lot there, which brings us finally to the lack of adequate security measures because of resource constraints. SMEs simply can’t afford cyber security professionals on staff. They will often rely on their suppliers, typically local IT providers, to give them the protection they require. This can be a very real risk, simply because the local IT provider doesn’t employ cyber security professionals either, but rather staff who are skilled in the products they supply. A cyber security professional takes a much more holistic view and will spend time marrying the business requirements to the protection required, considering the policies and processes needed and the awareness training requirements as well as the technical controls. People, process and technology, in that order.