Lack of cyber security preparedness killing growth
Small and medium-sized enterprises (SMEs) are the backbone of the UK economy. In recent decades, British SMEs have accounted for 99.9% of the business population, totalling 5.8 million. A recent survey by the Wall Street Journal found that small companies are the least prepared for cyber attacks and have the least cyber security.
According to a report by Verizon, so far in 2020, almost a third (28%) of data breaches have involved small businesses, and only 14% of those were adequately prepared to defend themselves.
Hiscox, an insurance carrier, has observed that the average cost of a cyber attack for businesses of all sizes amounts to $200,000, a massive hit for almost any business. Thus, it comes to no surprise that, because of the high cost of cyberattacks, 60% of small companies go out of business within six months of being hacked, according to the National Cyber Security Alliance.
The World Economic Forum notes that cyber attacks, data fraud, as well as the wide and sudden adoption of remote working are found to be the most likely technological risks of COVID-19-forced changes in business operations.
Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams, commentd: ‘’It is frightening to see such important economic drivers lagging behind when it comes to adopting strategies for fighting threats. Today, SMEs can be considered the new big target for attacks, yet cyber crime prevention is often neglected within their environment. With millions of employees working remotely, workers are accessing company data without the safety of a fortified corporate network. This has made them easy targets for hackers and scammers.’’
The NordVPN Teams expert notes that cyber security doesn’t belong exclusively in top-tier companies and can be introduced and adopted by SMEs as well. Here is what SMEs can do to protect their company data:
- Risk assessment: The main assets your company has and the threats it faces should be identified and prioritised.
- Security training: General security policies need to be drawn up and implemented, and staff have to be appropriately trained ad-hoc, whether remotely or in person.
- Devices: Laptops and mobile devices must be secured with strong passwords or biometric identification. Devices should operate on a platform that can be remotely tracked and deactivated in an event of loss, theft, or any other misuse.
- Passwords: Employee passwords should be unique and changed regularly. The use of a password manager is imperative to prevent password leaks while using emails or other critical applications.
- Remote access: Only secure virtual private network (VPN) connectivity should be allowed for remote access. In addition, only whitelisted IP addresses or device IDs should be allowed to access systems, as this will allow access to authorised users only.
- Treat every email with zero trust: Because of the remote work environment, the amount of information exchanged over the internet through virtual conferences and emails has skyrocketed. Establish a process that enables employees to report anything suspicious and share regular updates and information about phishing emails.
- Updates: Keeping everything, including servers, workstations, smartphones, and others up to date is key in cyber hygiene. Applying security updates is part of this process. Ideally, it has to be automated to a certain degree, and the updates can be tested in a testing environment.
- Backups: Having backups is vital prior to installing updates. This will also protect the environment from attacks such as ransomware. Keep the backups offline, test them, and have backup duplicates.
- Endpoint protection: Antivirus software is just one of the many ways to secure network endpoints. Anti-malware, anti-spyware, and firewall software should also be installed to detect and eliminate threats before they become problematic.
- Incident management plan: Having a plan for how to handle incidents will help mitigate loss in the long run. At the very least, staff have to be trained to recognise a data breach and know to whom they should report the breach and when.