SMEs must lock their digital doors

Jamie Akhtar at CyberSmart stresses why SMEs should take the cyber threat seriously and what they can do to protect themselves

The hostilities in Ukraine have brought to light a new battleground: hybrid warfare. This sees a fusion of conventional war tactics such as soldiers and tanks on the ground, with cyber attacks on satellites and other critical infrastructure, along with the spread of disinformation.

Such tactics have altered the nature of war in two fundamental ways. On one hand, attribution has become increasingly difficult, as cyber criminals are often leveraged to execute the attacks. In doing so, the aggressor can maintain plausible deniability. What’s more, the impact of this method transcends physical borders.

In fact, the UK’s National Cyber Security Centre has warned that any UK organisations offering services to Ukraine, operating within critical infrastructure or any that “could represent a public relations ‘win’ for Russia, if compromised”, should be wary of cyber risks in their supply chain.

This comes just a week after US President Joe Biden called on private companies and organisations to “lock their digital doors” for fear that Russia might be planning a cyber attack.

Why should SMEs care?

 Speculation circulating around Russia’s plans to cause disruption abroad has achieved little besides causing panic and confusion among bewildered businesses. Small and medium-sized enterprises (SMEs) in particular are at a loss as to how they should protect themselves.

Perhaps even more concerning is that many SMEs believe they are “small fish”, not worth targeting and insignificant in the larger conflict. This belief typically results in a failure to take the necessary precautions.

This is a common misconception among the vast majority of SMEs, which only serves to make them more vulnerable. So, why should SMEs take such cyber threats seriously?

Although SMEs may not necessarily work within critical infrastructure or represent a PR ‘win’, many do function as part of a larger supply chain. Indeed, no business today is entirely self-sufficient.

Whether reliant on a third-party organisation to supply raw materials, transfer goods or manage one’s data, all businesses are now embedded within an intricate web of suppliers and partners. Like dominoes, if one were to fall, all those within the network are affected; making it a highly rewarding endeavour for malicious cyber criminals.

Unfortunately, supply chain attacks are typically set in motion with an attack on the weakest link. Lacking the resources, staff and expertise to defend themselves, SMEs are often that weak link. In other words, an unprotected SME could provide an avenue of attack on larger corporations - the so-called ‘big fish’ - and become collateral damage in the process.

It could even be argued that it’s more important for SMEs to protect themselves than it is for their larger counterparts. SMEs are typically far more sensitive to financial pressures and crises when compared to conglomerates. Even if they temporarily lose access to their data and systems, they could see their business shut down for good. As such, they are inclined to pay the ransom to maintain continuity.

According to a survey conducted by Infrascale in 2020, nearly half of SMEs have fallen victim to a ransomware attack and as many as 73% paid the ransom. Beyond the obvious financial implications, this actively incentivises cyber criminals and perpetuates the cycle of cyber crime. And, as Russia’s economy takes a hit with the imposition of extensive sanctions, rumour has it that ransomware attacks will only ramp up in an attempt to ease the financial strain with pay-outs.

Last but not least, if we have learned anything from the NotPetya attacks in 2017, it’s that a strike can reap widespread havoc. Though initially intended for a specific target, a computer virus can spread uncontrollably, taking down everyone in its wake.

 While we don’t want to get carried away with worst-case scenarios, it is still important that SMEs recognise that no matter how inconsequential they may seem on the political stage, cyber threats do not discriminate. It is always worth taking the time to invest in your cyber-security posture.

What can SMEs do to protect themselves?

 Fortunately, building your cyber defences does not have to be difficult. Most attacks in the past have transpired because of a failure to comply with cyber-security best practices. This means ensuring that employees are practising good password hygiene: utilising long, complex and

unique passwords to access accounts. Equally important is enabling multi-factor authentication. This means that even if a password is breached, the hacker has to pass through further identity checks.

 Another oft-overlooked step is verifying that all devices are updated to the latest versions and all security vulnerabilities are patched. In addition, files and data should be regularly backed up on a separate, offline device, so that systems can be restored in the event of a breach.

There are also a myriad of inexpensive tools such as antivirus software and firewalls that can reinforce your cyber armoury. Then, it is a matter of tackling the human element by offering routine security awareness training to educate staff on the latest threats and how best to deal with them.

Cyber insurance is also a worthwhile investment for both pre- and post-incident support, as many today not only provide risk transfer, but they assist SMEs in adhering to these best practices in the first place.

Ultimately, SMEs must recognise that they play just as important a role in our global battle against cyber threats as the big players. They must take responsibility for their cyber-security for the sake of their survival, as well as for those within their supply chain.

Though the ongoing war in Ukraine continues to create distress for many and has heightened the risk of cyber-attacks, the truth of the matter is that the advice remains the same. Adopt basic cyber hygiene.

If this is still too overwhelming, turn to the experts. There are many third-party cyber-security organisations who are trained to assist in these situations; you just need to ask.

Jamie Akhtar is CEO and co-founder of CyberSmart

Main image courtesy of iStockPhoto.com