The COVID-19 pandemic has fast tracked the rate of digitisation around the world and forced businesses such as small- and medium-sized enterprises (SMEs) to make quick and drastic changes. These include the adoption of cloud services, upgrading internet services, revamping websites and enabling staff to work remotely. This paradigm shift has brought about an environment where cybercriminals and threat actors pose a significant threat to the internal security of the European Union and its citizens. According to the World Economic Forum's Global Risks Report 2021, cybersecurity failure is perceived as the fourth most likely risk of becoming a critical global threat in the short term.
“Small- and medium-sized enterprises (SMEs) are the backbone of the EU's economy. They represent 99% of all businesses in the EU and employ around 100 million people. They also account for more than half of Europe’s GDP and play a key role in adding value in all sectors of the EU economy.”
A common misconception is that cyberattacks only occur against large organisations as they are the ones that have items that are of more interest to criminals, such as large amounts of financial details belonging to customers or sensitive and valuable intellectual property. Contrary to this belief, all organisations can be similarly attacked no matter their size, especially SMEs as they offer a higher risk-to-reward ratio. Many SMEs also provide services to larger organisations and they can therefore provide an opportunity and a path for criminals to attack those larger organisations through those larger organisations through a supply chain compromise.
Criminals are also targeting SMEs in particular as they are aware many have had a hard time ensuring adequate cybersecurity defences during their rapid transition to remote working and deployment of the IT systems required to keep their businesses afloat. SMEs have become more reliant on digital technology, however, in contrast to larger businesses, SMEs are not able to procure and implement sophisticated cybersecurity solutions and expertise. This is exposing them to significant digital security risks and leading to a higher probability of becoming the victim of a cyberattack.
A recent study was carried out by the European Union Agency for Cybersecurity (ENISA), where 249 SMEs from 25 EU Member States, including Malta, shared their feedback on their state of digital security and preparedness for crises such as COVID-19 among other cyber-related issues. This study has identified several cybersecurity challenges unique to SMEs as brought upon by the cyber landscape. ENISA goes on to recommend measures which specifically cater for SMEs in particular.
The following are the major cyber security challenges faced by SMEs as identified by the ENISA study:
Many SME staff have little to no cybersecurity awareness. It is often assumed that cybersecurity threats only concern IT people, leading to a general naivete around the risks and effects of a cyber attack. In fact, many social engineering attacks, such as email phishing, capitalise on this lack of awareness and thus prove to be an excellent vector of initial compromise.
SMEs typically lack fundamental security policies, practices and, sometimes, the basic set of security measures, such as a sound backup procedure or up-to-date endpoint anti-malware solutions implemented on all devices. Constrained budgets and internal resources mean that SMEs often utilise obsolete or just unpatched software which are vulnerable to many widely available public exploits. These are just a small subset of issues that contribute to jeopardising the protection of an SME’s critical and sensitive information.
The lack of budget has always been an IT issue within SMEs - this has however been exasperated by the effects of the COVID-19 pandemic on businesses. Implementation costs of dedicated cybersecurity solutions is a major challenge for SMEs and it is evident that most view cybersecurity as a cost rather than as an investment in their business. Furthermore, due to their size, many SMEs often do not qualify for special offers and have to deal with fixed cybersecurity SLA contract clauses, unable to reach the SLA flexibility dedicated to large organisations.
The nature of their size and operations often mean that SME are not able to afford or justify the hiring of a full-time security specialist. Such a function is often taken on by the internal IT function, who in turn often becomes stretched due to the ever increasing items which, as a byproduct of digitisation, fall under the IT remit. Besides, typical IT specialists do not have the cyber competencies and experience required for the job.
SMEs often feel that existing guidelines either provide generic information, or address larger organisations with an existing cybersecurity framework where more specialisation is possible.While several EU bodies and Member States have issued guidelines in relation to cybersecurity, there is a general lack of awareness on their availability, while some of them are outdated or too theoretical with insufficient practical guidelines to follow.
In the rush to get online and enable their businesses to survive, many SMEs were not able to invest the time and money required to ensure their online services are secure. Many best practice security configurations are not configured by default and the lack of monitoring capabilities often mean that SME IT teams have very little visibility into the use, alteration and implementation of additional IT resources by other departments and/or staff. Such alterations and implementations are typically not vetted from a security perspective and could expose the SME to security risks which the IT team cannot identify and mitigate.
While in larger organisations senior management can rely on their own cybersecurity experts or bring that expertise into the organisation using consultants, many SMEs do not have this luxury. Senior management within an SME often rely on their own knowledge of issues or what they learn from their peer networks. Furthermore, upper management is often solely concerned with ensuring that the business is performing well from a financial perspective and might not fully understand or appreciate cyber risks. IT personnel within SMEs often find it difficult to obtain upper management buy-in or support when it comes to investing in and improving on the cybersecurity posture.
In response to the above challenges ENISA has developed 12 overarching cybersecurity recommendations for SMEs to secure their business:
SMEs should assign management the responsibility of promoting cybersecurity appropriate awareness and its importance to all levels of personnel. Management is encouraged to understand the risks surrounding cybersecurity and invest in resources such as IT staff, purchasing of cybersecurity solutions, services and hardware, providing training and awareness to staff, and the development of effective policies and procedures related to cybersecurity.
It is very important that SMEs provide regular cybersecurity awareness training for all employees to ensure they can recognise and deal with the various cybersecurity threats. An aware workforce can be the strongest link and best line of defence against most cybersecurity attacks, especially those heavily targeting the human element.
SME should ensure that all vendors, particularly those with access to sensitive data and/or systems, are actively managed and guarantee the agreed levels of security. SMEs should also understand the extent of their cybersecurity responsibility and remit when it comes to these third-party solutions.
A formal incident response plan should contain clear guidelines, roles and responsibilities, and checklists to ensure that all security incidents are responded to in a timely, professional and appropriate manner. Such a document does not need to be overly complex, but suitable to the size of the organisation.
SMEs should ensure a password policy is implemented to encourage users to create strong passwords and ensure proper handling. Weak and/or re-used passwords continue to be a highly relevant security issue even in 2021. Enforcing the use of multi-factor authentication (MFA) is also key in protecting against common cyber attacks targeting SMEs.
Quick tips to keep your devices secure include keeping software patched and up to date; implementing anti-virus software; making use of email and web protection tools; using encryption to protect critical and sensitive data and implementing mobile device management to ensure security control on devices.
Employ firewalls - when properly configured these are highly effective at blocking unwanted traffic. Furthermore, modern firewalls contain many additional security features such as intrusion prevention/detection and data loss prevention systems. Regularly review remote access solutions to ensure they are configured securely and that sensitive data is not being exposed. Special attention must be given to external users' access rights.
Appropriate physical controls should be employed and a physical security policy implemented to ensure safety of physical devices and the organisation’s office space. Securing the digital space is useless if attackers can easily get access to your information assets.
To enable the recovery of key information in case of a ransomware infection backups should be properly maintained and regularly tested. A business should know how much information it is able to recover and how long such a process will take. A simple backup policy and associated procedures are vital for ensuring business continuity in the current threat landscape.
When selecting a cloud provider, SMEs should ensure that the provider does not breach any laws or regulations by storing data, especially personal data, outside of the EU/EEA. Furthermore, cloud providers often only provide the cloud infrastructure (IaaS) and it is up to SMEs to ensure the security of the new cloud environment.
Online websites and web applications have become a critical part of modern day business. These should be configured and maintained by running regular audits and security tests to identify any potential security weaknesses before attackers do. Third-party security firms are ideally consulted since web assessments require a specialised set of cybersecurity skills.
The sharing of information in relation to cybercrime is key. This will allow SMEs to better understand the risks they face as they learn from the past mistakes of others and thus aid in improving the overall security posture of the SME community.