SMEs and the cyber security challenge

Written by Joe A. J. Beaumont on 19/06/2020

Little fish in a big pond

EasyJet, CapitalOne, British Airways and Marriott are all huge companies with equally large budgets. Another thing they have in common is they all fell victim to a serious data breach, costing them hundreds of millions of pounds. If the major players with a lot of resources to devote to cyber security still get hacked, do SMEs with limited budgets stand a chance? It’s a dramatic question, so let’s explore the answer.

So here’s our first lesson for SMEs: get the basics right, and you’ll find yourself more secure than multi-national corporations

What causes a breach?

Firstly, the four aforementioned breaches were different. CapitalOne was breached via exploiting a misconfigured web application firewall (WAF). British Airways fell victim to card skimming, wherein a few lines of code embedded into a website snatch data as it is sent. Whilst the exact details haven’t been explicitly released, the Marriott breach involved a Remote Access Trojan (RAT) and the presence of Mimikatz, which can give hackers administrative access and dumps passwords from memory. How these got on Marriott’s systems isn’t known, but there’s a good chance it’s down to phishing. As for the latest breach of the four (easyJet), details are still thin on the ground on what actually happened, but that hasn’t stopped them from facing an £18 billion class-action lawsuit.

What causes a breach?

It’s important to know these, because it could be said that these well publicised breaches boil down to ‘best practices’. And, generally speaking, best practices aren’t reliant on expensive hardware or elite teams of cyber defenders – it’s just about getting the basics right. So here’s our first lesson for SMEs: get the basics right, and you’ll find yourself more secure than multi-national corporations. To take the CapitalOne breach as an example, a simple penetration test could have revealed the WAF misconfigurations. And annual penetration tests are one of the bare minimum best practices for cyber security – that’s why they’re mandated by the likes of PCI DSS, ISO 27001 and more.


The cyber security money pit

The fact is that cyber threats to businesses are many and varied. Hackers can compromise an organisation in a number of different ways, from injecting their own scripts, exploiting outdated software or even through simple brute-forcing techniques. And that’s to say nothing of phishing and social engineering. Securing a business network and protecting data in a modern, dynamic environment is no easy task. There’s a lot to consider and a lot that can be overlooked.

This makes the wish list for an organisation’s cyber defences look long and expensive. To secure a business, you ideally need:

Cyber security money pit

Not only can this cost a lot of money, but it will also need a lot of specific expertise as well as take up a lot of staff time. However, things here aren’t as bad as they seem. SMEs have an advantage in their smaller size. That's our second SME lesson: start acting right now. In the case of compliance, getting processes in-place and the right culture embedded now means your compliance (and, hopefully, your security) will grow naturally as your company expands. Cyber Essentials is the best first step to take here.

Likewise, if regular pen testing is always a part of your standard business practices, it’ll never become an obstruction to your growth. Even the high-ticket items such as 24/7 monitoring have options to make them affordable. Whilst the multinational enterprises will be building out their own SOCs, it makes much more sense for SMEs to take a managed option on a monthly retainer fee. All the service, all the expertise, none of the upfront cost.

If regular pen testing is always a part of your standard business practices, it’ll never become an obstruction to your growth

Getting in the hacker mindset

You might think that the four well-known companies mentioned at the beginning are obvious targets. There’s more to be gained from hitting the big players after all, right? So SMEs don’t need to worry because they’re not likely to be of interest to the hacking community, right? Wrong. If you think that you won’t be of interest to hackers, you will get breached, and recovering from that hack may cost more than your turnover – especially if you are hit with regulatory fines (such as GDPR non-compliance).

This brings us to our third lesson for SMEs: understanding that companies are at risk of being breached regardless of size and service. The general rule is, the less time it takes to be hacked, the more profitable it is for a hacker. Opportunistic cyber criminals don’t care who you are, what you do, or how much (or little) data you have – an easy target is an easy target and will always be exploited. In fact, this is the exact scenario that led to the NHS being crippled by WannaCrypt ransomware back in 2017.

Getting in the hacker mindset

Humans are hackable too

It’s often noted by Bulletproof penetration testers that even companies with solid security at the perimeter can be vulnerable internally. This means a compromised account, or a malicious insider, could still do some serious damage. But what if the hacker’s inside agent didn’t know they were helping the hackers? Welcome to social engineering, and it’s one of the most important threats that SMEs need to be aware of.

Hackers are likely to opt for the path of least resistance. And in a lot of cases, this will be your staff. An unwitting member of staff who opens a malware-laden attachment or clicks a malicious link in a phishing email can undo all your security measures. And whilst many phishing emails are easy to spot because of bad spelling and grammar, and strange ‘from’ email addresses, there are other phishing emails that are much more finely crafted and targeted.

Here then is our last lesson for SMEs, and it's simple, cheap and easy: train your staff. Helping them understand the dangers and their responsibility in protecting personal data will help ensure human error is kept to a minimum. Your staff can be your best line of cyber defence, or your worst threat. It’s up to you. Again, SME size and agility can help: in scheduling training, plus with on-line options it’s easier than ever.

Your staff can be your best line of cyber defence, or your worst threat

Don’t treat security as an afterthought

The SME cyber security challenge is real, but so are the solutions. SMEs may think themselves outmanned and outgunned, but not investing in security can cost a lot more when you are hacked. Treating security as an afterthought puts your business in danger. And as this blog has shown, there are quick-wins available for even the smallest organisations. So for the skim readers and those who want a recap, here are Bulletproof’s top tips for SMEs to solve the security challenge:

  • 1. Get the basics right

    Pen test annually, run VA scans monthly, and get Cyber Essentials certification (which is backed by UK Gov).

  • 2. Start acting now

    The longer you wait, the harder it will be to integrate security as a BAU practice. The sooner you act, the easier it will scale as your business grows.

  • 3. Understand you're always a target

    Hackers don’t care who you are, only if you’re an easy target. Don’t make yourself one.

  • 4. Train your staff

    An unwitting staff member can undo all your hard work with a single click. Turn your greatest potential weakness into your greatest strength.

Train your staff



  • Bulletproof are CREST approved

    CREST approved

  • Bulletproof are ISO 27001 and 9001 certified

    ISO 27001 and 9001 certified

  • Bulletproof are Tigerscheme qualified testers

    Tigerscheme qualified testers

  • Bulletproof are a PCI DSS v3.2 Level 1 service provider

    PCI DSS v3.2 Level 1
    service provider

  • Bulletproof have 24/7 on-site Security Operations Centre

    24/7 on-site Security
    Operations Centre

Get a quote today

If you’re interested in our services, get a free, no obligation quote today by filling out the form below.

By submitting this form, I agree to the Bulletproof privacy policy.