The SME cyber challenge
The scale of cyber-crime should not be downplayed. In fact, cyber-crime overtook asset theft as the most commonly perpetrated fraud against UK businesses for the first time ever in 2018, according to findings by PwC.
Such is the endemic nature, sophistication and arguably institutional characteristics of cyber-criminals in today’s markets, that large organisations are being forced to rethink their operating model and invest heavily into industrial defence mechanisms and people power to wade off this all-too-real threat.
A business risk that was historically delegated to IT and technology teams, cyber-crime is now an enterprise-wide issue, and one that is taken seriously at the highest levels across companies in nearly all sectors. Even organisations endowed with plentiful resources have struggled to contain cyber-threats, with a number of financial institutions falling victim to hackers, resulting in them suffering from a significant loss of assets (as was the case with the Central Bank of Bangladesh breach in 2016), DDoS or serious proprietary data leakages.
SMEs and the cyber-challenge
Aside from the obvious financial losses these attacks cause, the reputational damage that follows can be equally agonising. Mitigating cyber-threats is not a straightforward process for large organisations, let-alone smaller businesses, many of whom will not have the capital to invest in large-scale defences or qualified staff. This makes SMEs (small to medium sized enterprises) highly vulnerable to cyber-attacks, particularly as more organisations conduct transactions - such as payments - through online channels.
Analysis by Zurich found 16% of SMEs had suffered a cyber-attack in the 12 months leading up to August 2017, with 21% telling the insurer these breaches had cost them in excess of £10,000, and 11% acknowledging they incurred losses of over £50,0001. Despite the volume of attacks multiplying, the same study found many SMEs are still reluctant to invest in cyberdefences, with 49% stating they would spend less than £1000 on such protections1.
The laissez-faire approach taken by many SMEs towards cyber-security needs to be reassessed. While there is not yet a global, standardised framework governing cyber-security at organisations, localised regulations such as the EU’s General Data Protection Regulation (GDPR) are being imposed, which will hold firms to account should they fail to adequately implement protections to safeguard their businesses against data breaches.
Doing the best with what you have
It is clearly unfair to expect an SME to have a similar standard of cyber-protection to that of a major institution, but through the implementation and adoption of simple hygiene measures, organisations can placate the vast majority of cyber-threats. At the most basic level, this could include regular updating of passwords, given that 81% of all cyber-attacks are a direct result of poor password management practices2. Recurrent training of staff members is also strongly advised, as phishing attacks become more sophisticated.
Banks such as Societe Generale, for example, routinely provide cyber-awareness training sessions to staff, helping employees to better understand the threats businesses face. In addition, SMEs should make sure there is a designated and trained staff member or team with a mandate covering cyber-related matters.
Societe Generale’s CERT (Computer Emergency Response Team) is entrusted with precisely that role and has been for the last decade, working extensively with external bodies such as the French National Information System Security Agency (ANSSI) to contain hostile cyberattacks against our business and consumers. Unfortunately, cyber-incidents are so prevalent nowadays that it is almost inevitable organisations will be attacked. Having robust protections is obviously advantageous but it is also critical to implement business continuity plans (BCPs) in the event of a hack or DDoS, and this process should be regularly tested. Furthermore, firms are recommended to purchase cyber-insurance to cover any losses or repairs following a breach.
SMEs need to give cyber-security due consideration and they must avoid complacency. Engaging with knowledgeable providers, developing effective cyber-protection policies and procedures, educating staff about the threats, and having in place a solid BCP, will put SMEs in good stead to mollify most cyber-threats. The sad reality, however, is that no organisation will ever be completely immune from attack.
1 Zurich Insider (August 1, 2017)
2 Computer Weekly (October 16, 2017)