SMEs and the cyber security challenge
Little fish in a big pond
easyJet, Capital One, British Airways and Marriott are all huge companies with equally large budgets. Another thing they have in common is that they all fell victim to a serious data breach, costing them hundreds of millions of pounds between fines, remediation and lost business. If the major players, with plenty of resources to devote to cyber security, still get hacked, do SMEs with limited budgets stand a chance? It’s a dramatic question, so let’s explore the answer.
What causes a breach?
Firstly, the four aforementioned breaches were all different. Capital One was breached through a misconfigured web application firewall (WAF): the attacker was able to relay requests through it to the cloud provider’s metadata service and obtain credentials for an over-privileged role, then use those credentials to pull customer data from storage. British Airways fell victim to card skimming, wherein a few lines of JavaScript injected into the payment page copy card details as the customer submits them. Whilst the exact details haven’t been released, the Marriott breach involved a Remote Access Trojan (RAT) and the presence of Mimikatz, a tool that, once attackers already hold administrative rights on a Windows machine, dumps passwords and password hashes from memory so they can move on to other systems. How these got onto Marriott’s systems isn’t known, but there’s a good chance it started with phishing. As for the latest breach of the four (easyJet), details are still thin on the ground as to what actually happened, but that hasn’t stopped the company from facing an £18 billion class-action lawsuit.
It’s important to know these details, because each of these well publicised breaches comes down to a lapse in basic best practice: a misconfiguration left in place, third-party code on a payment page that nobody was watching, credentials left exposed in memory on a compromised host. And, generally speaking, best practice doesn’t rely on expensive hardware or elite teams of cyber defenders; it’s about getting the basics right. So here’s our first lesson for SMEs: get the basics right, and you may well find yourself more secure than some multinational corporations. To take the Capital One breach as an example, a penetration test of the public-facing application could have revealed the WAF misconfiguration before an attacker did. Regular penetration tests are one of the bare-minimum best practices for cyber security: PCI DSS requires them at least annually and after significant changes, and ISO 27001 auditors expect to see evidence of technical vulnerability testing.
The cyber security money pit
The fact is that cyber threats to businesses are many and varied. Hackers can compromise an organisation in a number of different ways, from injecting their own scripts, exploiting outdated software or even through simple brute-forcing techniques. And that’s to say nothing of phishing and social engineering. Securing a business network and protecting data in a modern, dynamic environment is no easy task. There’s a lot to consider and a lot that can be overlooked.
This makes the wish list for an organisation’s cyber defences look long and expensive. To secure a business, you ideally need:
Not only can all of this cost a lot of money, it also needs specific expertise and takes up a lot of staff time. However, things aren’t as bad as they seem. SMEs have an advantage in their smaller size: there is less to secure, fewer people to train and fewer legacy systems to drag along. That’s our second SME lesson: start acting right now. In the case of compliance, getting processes in place and the right culture embedded while you are small means your compliance (and, hopefully, your security) will grow naturally as your company expands. The UK’s Cyber Essentials scheme is the best first step to take here, as its five controls cover the basics that the breaches above failed on.
Likewise, if regular pen testing is always a part of your standard business practices, it’ll never become an obstruction to your growth. Even the high-ticket items such as 24/7 monitoring have options to make them affordable. Whilst the multinational enterprises will be building out their own SOCs, it makes much more sense for SMEs to take a managed option on a monthly retainer fee. All the service, all the expertise, none of the upfront cost.
Getting in the hacker mindset
You might think that the four well-known companies mentioned at the beginning are obvious targets. There’s more to be gained from hitting the big players, after all, right? So SMEs don’t need to worry because they’re not likely to be of interest to the hacking community, right? Wrong. If you assume you won’t be of interest to hackers, you are far more likely to get breached, and recovering from that breach may cost more than your annual turnover, especially once regulatory fines (such as for GDPR non-compliance) are added on top.
This brings us to our third lesson for SMEs: understand that companies are at risk of being breached regardless of size and sector. The general rule is that the less time it takes to hack you, the more profitable you are to a hacker. Opportunistic cyber criminals don’t care who you are, what you do, or how much (or little) data you have; an easy target is an easy target and will always be exploited. Most of the time they aren’t even choosing you: automated tools scan the whole internet for a known weakness and attack whatever they find. That is exactly the scenario that saw the NHS crippled by the WannaCry (also called WannaCrypt) ransomware back in 2017: the worm spread on its own through a Windows file-sharing flaw for which a patch had been available for two months, and it hit whichever unpatched machines it could reach.
Humans are hackable too
It’s often noted by Bulletproof penetration testers that even companies with solid security at the perimeter can be vulnerable internally. This means a compromised account, or a malicious insider, could still do some serious damage. But what if the hacker’s inside agent didn’t know they were helping the hackers? Welcome to social engineering, and it’s one of the most important threats that SMEs need to be aware of.
Hackers are likely to opt for the path of least resistance, and in a lot of cases that will be your staff. An unwitting member of staff who opens a malware-laden attachment or clicks a malicious link in a phishing email can undo all your technical security measures in a single click. Whilst many phishing emails are easy to spot because of bad spelling and grammar or strange ‘from’ addresses, others are much more finely crafted and targeted: a display name borrowed from a real supplier, a lookalike domain with one letter changed, a link whose visible text points somewhere other than its real destination.
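To make those warning signs concrete, here is an added example (not code from the original article or from Bulletproof) that applies a few of the classic phishing heuristics to a raw email: a display name that borrows a trusted brand, a lookalike sender domain, Reply-To and Return-Path domains that don’t match the From address, and a link whose visible text names a different host from its real destination. The two messages and the trusted-domain list are constructed for the example; the domain names in them are assumptions and are not real senders.

```python
"""Heuristic phishing checks on a raw email (example code, not a production filter)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Domains this hypothetical SME and its suppliers legitimately send from (assumed).
TRUSTED_DOMAINS = {"example-sme.co.uk", "microsoft.com"}

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'https?://([^/\s"\'<>]+)', re.I)


def domain_of(addr: str) -> str:
    """Lower-case domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'rnicrosoft.com' is 2 edits from 'microsoft.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw: bytes) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for every heuristic the message trips."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)

    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # 1. Display name claims a trusted brand but the address is elsewhere.
        if brand in from_name.lower() and from_dom != trusted:
            findings.append(("display-name-spoof", f"'{from_name}' sent from {from_addr}"))
        # 2. Sender domain is a near-miss of a trusted domain (typosquat/homoglyph).
        if from_dom != trusted and 0 < edit_distance(from_dom, trusted) <= 2:
            findings.append(("lookalike-domain", f"{from_dom} resembles {trusted}"))

    # 3. Replies are silently redirected to a different domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(("reply-to-mismatch", f"Reply-To {reply_addr} vs From {from_addr}"))

    # 4. Bounce address (actual sending infrastructure) is a different domain.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path and domain_of(return_path) != from_dom:
        findings.append(("return-path-mismatch", f"Return-Path {return_path} vs From {from_addr}"))

    # 5. Link text shows one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, anchor in HREF_RE.findall(html):
        shown, real = HOST_RE.search(anchor), HOST_RE.search(href)
        if shown and real and shown.group(1).lower() != real.group(1).lower():
            findings.append(("link-mismatch", f"text {shown.group(1)} -> href {real.group(1)}"))
    return findings


# Constructed sample: a credential-phishing message aimed at the finance team.
SUSPICIOUS = (
    'From: "Microsoft Account Team" <security@rnicrosoft.com>\n'
    "Reply-To: <helpdesk@protonmail-login.example>\n"
    "Return-Path: <bounce@mail-cheap.example>\n"
    "To: finance@example-sme.co.uk\n"
    "Subject: Action required: your password expires today\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    '<html><body><p>Please visit <a href="https://login.rnicrosoft.com/reset">'
    "https://login.microsoft.com/reset</a> to keep access.</p></body></html>\n"
).encode()

# Constructed sample: a routine internal message that should trip nothing.
LEGITIMATE = (
    'From: "IT Support" <it@example-sme.co.uk>\n'
    "Return-Path: <it@example-sme.co.uk>\n"
    "To: finance@example-sme.co.uk\n"
    "Subject: Printer maintenance on Friday\n"
    "\n"
    "The second-floor printer will be offline 09:00-10:00 on Friday.\n"
).encode()

if __name__ == "__main__":
    for code, detail in phishing_indicators(SUSPICIOUS):
        print(f"{code:22} {detail}")
    print("legitimate message findings:", phishing_indicators(LEGITIMATE))
```

None of these heuristics is conclusive on its own: legitimate newsletters routinely have a Return-Path on a mailing provider’s domain, and support desks sometimes set a Reply-To to a ticketing system. The value is in seeing several indicators together, which is exactly what staff training teaches people to look for before they click.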
Here then is our last lesson for SMEs, and it’s simple, cheap and easy: train your staff. Helping them understand the dangers, the warning signs and their responsibility in protecting personal data will keep human error to a minimum. Your staff can be your best line of cyber defence or your worst threat; it’s up to you. Again, SME size and agility help: training is easier to schedule for a small team, and with online options it’s easier than ever to deliver.
Not sure how to get started?
We’ve developed a suite of best-in-class cyber security tools and free consultancy, all accessible from a single, easy-to-use platform to help you identify your company’s risks and protect your assets. If you’re interested in learning more, get in touch at firstname.lastname@example.org.
Trusted cyber security & compliance services from a certified provider
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.