The cyber-security blind spot faced by SMEs

Justin Jon Thorne at Hydra argues that the prevention of cyber-breaches is possible, if not completely fail-safe: this should be the primary focus for all SMEs

 

Cyber-security has become of increasing importance for SMEs over the last 20 years. Cyber-crime has risen dramatically despite greater awareness and more attempts to mitigate it. In 2023, 1,351 cyber-attacks occurred, resulting in more than 2.2 million breached records and significant reputational damage.

 

While some attacks seemed to be opportunistic, others were targeted, and with cyber-criminals and their tools growing in sophistication, the threat is becoming more pressing.

 

For SMEs, this brings multiple difficulties. Not simply the need for the knowledge, tools, and budget to put the latest security measures in place, but the very basic ability to stay up to date with all the potential threats.  

 

Cyber-security threats to SMEs

There are some very well-known cyber-risks. Associated with some of the most high-profile cyber-security attacks, spoofing, insider threats, and code injection have all garnered a lot of media attention, while phishing, malware, and ransomware are so commonly used that most internet users have become conversant with the format and threat.

 

But sometimes, risks come from the less obvious places. With the advent of the home and hybrid working movement, an increasing number of SMEs are suffering from the results of employees using unsecured networks. Businesses with bring-your-own-device (BYOD) policies are also experiencing similar issues. The inability to fully monitor and manage third-party legacy access to external SaaS platforms is a problem that is often completely overlooked. 

 

While most SMEs have complete control over their integral internal systems, legacy access to SaaS, social media, and other third-party platforms is much harder to control. This is particularly true as many of these platforms require business accounts to be accessed via each individual’s personal account rather than through a password vault. In 2023, 86% of web application attacks arose from compromised login details and poor password protection.

 

This gives rise to real concerns, even before we look at incidents of cyber-crime resulting from embittered ex-employees. As we all saw last year, when a fired Twitter employee released the platform’s source code, these things happen and can cause catastrophic damage to a business. 

 

The risks associated with legacy access

Whether it’s marketing, social media, IT management, customer service, or administrative tasks, most contemporary businesses outsource something. And in many cases, that means granting access permissions to third parties, including access to platforms that sit outside of a brand’s firewall and protected internal infrastructure.

 

However, once access has been granted, it can be challenging to monitor it or rescind it. So, when an employee leaves a business or an agency account is closed, even if you remember to withdraw access to all of the SaaS, advertising, and social media platforms they had permission to use, it’s not always easy to implement, for example if logon credentials are unknown. And this means exposure to risk.

 

If you work – or have worked – in an agency, you will inevitably know someone who brags about still having access to this or that high-profile social media account despite not working with the brand for several years. It’s a common scenario; nine times out of ten, nothing bad stems from it.

 

But when an employee leaves a business under a cloud, that access can become weaponised. Your accounts can be sabotaged or hijacked, preventing genuine users from accessing and modulating the content. Reputational damage is straightforward to perpetrate, with only a few off-colour posts.

Burger King became notorious in 2021, not for its food but because of the derogatory language directed at French customers by an aggrieved social media account manager.

 

Espionage and data theft is simple when you can access customer or follower details and scheduled content. And the misappropriation of funds is easy for anyone with access to ad accounts: if you regularly deposit large advertising budgets into your ad accounts, you should be aware that they can be drained in minutes. 

 

Protecting SMEs against cyber-threats

Although cyber-criminals are getting smarter, cyber-security is getting better, too. With the right strategies in place, SMEs should be able to decrease their threat level.

 

Team training – Employee mistakes account for 88% of data breach incidents, most of them unintentional. Training your team members on how to minimise threats, recognise potential threats, and act when a threat is detected can play a big part in reducing the risk and damage of cyber-attacks. 

 

Secure networks – Network security – firewalls, intrusion detection systems, encryption, access controls, and multi-factor user authentication – are the primary ways businesses can deny access to cyber-criminals. But this must be carried across to all entry points, including homeworking and BYOD. 

 

Multi-factor authentication – As mentioned above, multi-factor authentication is integral to cyber-security, limiting the risk linked to password theft and loss. The problem with this is that it often isn’t possible with third-party platforms. 

 

Controlled access permissions – Third-party platform access permissions are often overlooked because they are difficult to manage, and many businesses have lots of them. Working with a platform that can provide a single point of access to users while allowing business managers to monitor all permissions can simplify that process for all concerned, at the same time as enhancing security protocols. 

 

Cyber-security is an ongoing concern for businesses of all kinds and sizes, and it’s a threat that is unlikely to go away anytime soon. This raises questions of protection and mitigation and the difficult subject of accountability.

 

However, with the right practices, prevention is possible, if not completely fail-safe. And that has to be the primary focus for all SMEs. 

 

---

 

Justin Jon Thorne is co-founder of Hydra, an innovative SaaS platform providing agencies, brands and digital teams effortless monitoring and management of access to external channels

 

Main image courtesy of iStockPhoto.com and Thapana Onphalai