How can SMEs bolster their cybersecurity?
By Willaim R. Pardi
April 23, 2021
Cybersecurity isn’t something only large, high-profile corporations that handle large amounts of sensitive data should worry about. From conception, any modern enterprise will need to plan on investing in a multitude of security measures to mitigate a growing array of cybersecurity risks. It must be viewed as more than an expense delayed until the company accumulates enough discretionary funds. The potency and impacts of modern cybersecurity threats are well known such that consumers and investors alike will not feel safe doing business with an organization unless that organization is protected as best as possible.
Despite the ever-growing threat of cyber-attacks, according to the compilation of statistics by FireEye 58% of management within SMEs (Small and Medium Enterprises) don’t believe their organizations are at risk, and two-thirds of SMEs have no data security policy. Additionally, according to statistics compiled in this article by SMESEC, 60% of cyber attacks in 2016 were aimed at SMEs, and 60% of those SMEs did not recover and were forced to shut down within 6 months.
If anything, there is a bias against SMEs with regards to cyber-attacks, which shouldn’t come as a complete surprise. While the rewards may not be as great as a massive enterprise, the potential gain from exploiting an SME is enough to make them viable targets. What’s more, SMEs may not believe they are at risk and therefore not invest as much in security as they should. According to this article by Small Business Trends published in 2019, 29% of small businesses in a particular survey have an annual budget of no more than $1,000 for their IT security programs. Compare this number to the average cost of a single data breach in the US at $8.19 million, not to mention the fallout, as customers and investors lose faith in the breached company’s ability to safely handle their information.
Beyond the budget, what are some other concerns that threaten SMEs’ ability to respond to cyber threats? This article by CPO magazine synthesizes information from a survey conducted by Cynet, which interviewed 200 Chief Information Security Officers (CISOs) from SMEs with security budgets of no more than $2 million. Nearly half of CISOs that were surveyed reported that their staff lacked the skills to protect against all types of attacks, and a similar number reported that threats were outpacing available network security tools, with more than half of the surveyed CISOs believing they were already outmatched. Even though 93% of the surveyed CISOs believe their businesses to be at a higher or as high of a risk of attack as larger enterprises, 57% feel that their ability to protect their organization isn’t as adequate as it should be.
The same survey may also shed light on how security teams within SMEs are handling the shortage of resources. 80% are investing in automated systems to make up for the shortage of manpower, and 61% are consolidating security tools and platforms, though many CISOs also lament the fact it may take four months for staff to become proficient with certain tools. Unfortunately, even with these measures in place, 61% of teams no longer have a permanent member who is designated to chase security alerts.
What can SMEs do to improve their cybersecurity situation?
Increased funding may seem like the obvious answer, but one common trait of SMEs is a fairly reduced budget compared to much larger enterprises, leaving many such organizations unable to invest more than they already are. Regardless, there are still several options that can help bolster their cybersecurity defenses against the myriad of threats that may prey on them.
Some solutions have already been highlighted, such as automation. An example of automation includes Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS), which are connected to the corporate network and constantly scan for malicious activity. Some of these automated systems might simply flag activity and send alerts to personnel, while others will even follow through with a response, such as preventing the transmission of malicious packets through the corporate network. Such systems work in a very similar fashion to anti-virus solutions on a computer, albeit on a much larger scale.
Automated systems can take much of the pressure off of human personnel. However, it is also important to be aware of the drawbacks of these systems. One such drawback is that an automated system must be kept up to date and if left unpatched may be vulnerable to exploits that would render them inert. Systems with out-of-date threat definitions may also not be able to pick up activity from new and improved threats. As a result, these systems can run the risk of sending false positives, meaning they might flag and quarantine legitimate activity on the network as if it was malicious, or false negatives, meaning they fail to flag actual malicious activity.
Automated systems are seeing more use in cybersecurity as a way for security technicians, to gain an edge against attackers. However, automation might never replace the problem-solving abilities of humans and unfortunately for understaffed, budget-conscious security teams within SMEs, problem-solving is the most potent defense when it comes to cybersecurity threats.
SMEs should also enlist help from external organizations to improve their cybersecurity situation. Enlisting help can take many forms, ranging from hiring external security consultants to using third-party software, or even allowing other organizations to take over entire functions within an application or business. External security personnel can certainly remedy certain issues, such as doing a risk assessment, securing the organization’s infrastructure, or dealing with a breach. There’s the benefit of providing expert service for a temporary cost, given that the chosen consulting company is well-reputed. Unfortunately, this assistance is only temporary, and it is often far too expensive to have such companies provide constant network and system monitoring.
Third-party software, such as anti-virus and network monitoring systems, can generally be affordable for SMEs and will be monitored, updated, and patched by an external organization, thereby reducing stress on the SME’s own team. This solution still has its costs, however, and aside from the financial burden may also reduce flexibility to adapt to the organization’s needs.
Certain functions can be completely handed off to an external entity as well. An example of this would be allowing an organization such as humanID to provide the login solution for an SME application. humanID offers both security and convenience, with easy implementation and integration with existing infrastructure. This will transfer the risk from the SME, which may not be adequately prepared to handle security incidents, to humanID, which specializes in effectively providing security with their login solution.
Navigating the murky waters of cybersecurity is a difficult task for any organization, no matter its size or the resources at its disposal. SMEs are at an increased risk due to the necessity to divert funds from security to other functions that help fuel growth, and attackers are well-aware of this. It is clearly time for SMEs to begin searching for cybersecurity solutions outside of increasing budget and overworking security teams. One such solution may be humanID, as they offer a low-risk, high-reward solution tailored to SMEs and large businesses alike. So what are you waiting for?