Smaller organisations (SMBs) are increasingly asking us how they can improve their cybersecurity without large budgets, given the growing threats they face in today’s world.
When we talk about ‘smaller organisations’, we’ve been talking to a wide range, from different industries (in particular accountancy and legal firms) to different types, such as charities and schools and are generally talking about organisations with less than 50 employees. This blog looks at the threats that have been increasing and are making smaller organisations more concerned about cyber security and how any small organisation can make significant improvements to their cyber security, without big (or even any) teams or budgets.
The imperative for improved cyber security in SMBs
If you’ve read any cyber security news recently, be that guidance or reports on attacks, you’ll likely have heard of some of the biggest threats. The rise of ‘ransomware’ is one of the most widely talked about at the moment and, in most cases, is the biggest threat for smaller organisations.
Until relatively recently, small organisations (SMBs) were simply not of interest to attackers as they didn’t hold much data of value. However, ransomware, and indeed all types of cyber-attack, have matured in recent years, with different objectives that mean every organisation is a potential target, if an attacker can lock your business down and prevent you working, you’re a target for ransomware. If you are successful and growing with a decent cash balance you are an even more attractive target as you ‘can afford to pay’ in the eyes of the criminals behind these operations.
Let’s quantify some of the risks to small organisations:
- All organisations are now potential targets; 39% of ‘small businesses’ (10-49 employees) and 37% of ‘micro businesses’ (1-9 employees) identified a breach in the last 12 months – this is likely much higher for those that could not identify a breach. Other reports have this number even higher, with Cybersecurity Magazine stating that 61% of SMB’s have reported at least one cyber-attack in the last year.
- The cost of attacks can be significant – the mean cost of an attack to micro and small businesses is £2,600, rising to £8,170 for those with a ‘material outcome’, i.e. a successful breach. This is a significant increase on recent years. It’s worth noting that just paying a ransom isn’t the end of an attack and the costs could increase still. This also doesn’t include the less quantifiable costs of reputational and operational damage.
- The ‘economy’ of cyber criminals is improving, with various ‘as-a-Service’ models become more common – for example, an attacker can pay just $66 for a ‘ransomware kit’, meaning the barriers to entry (skills and resources) are significantly lower than in recent years.
- Small organisations aren’t always a direct target, with supply chain attacks becoming more common as an easier way to reach a huge number of targets, via one weak link (often an IT Managed Service Provider or Software-as-a-Service company).
The most common cyber-attacks in SMBs
There are, of course, myriad threats that small organisations face, luckily there are defences that can cover most of these. The challenge, until recently, has been the affordability of these services.
Ransomware is likely to be the biggest threat that small organisations will face and can directly mitigate against (with supply chain being harder to control, even with good due diligence on suppliers).
The most common ways in which an attacker can ‘unpack’ ransomware are through phishing attacks and ‘external service compromise’:
- Phishing – normally delivered through emails that appear legitimate and ask a user to click a link (and download malware) and/or (re-)login to common tools, such as Office 365, giving the attacker credentials into your network.
- External service compromise – hackers will scour the web (rapidly) for vulnerabilities in software or hardware and for open ports in servers which can give them access into a network.
Other potential threats to SMBs include:
- Business email compromise (BEC) – BEC is where your email is compromised and is used against you, to impersonate key employees, steal information, commit fraud and blackmail.
- Insider threat – with malicious insiders either launching an attack or, more commonly, providing a way in for an attacker – naturally in a smaller business this is less likely due to having less employees, however, it’s still something to be aware of!
- ‘Hacktivists’ – depending on the industry and any perceived politics of products and services provided, ‘Hacktivists’ may want to stop your operations – most commonly this is a basic attack that will involve getting access to the target’s website and changing pages for their political message – whilst not necessarily a big financial burden directly (although in eCommerce businesses, it could be, if not fixed quickly), but the reputational damage could be significant.
Cyber security tips for smaller organisations
Okay, so we’re all suitably scared now. Luckily, a lot of the common threats can be dealt with in a similar manner, meaning you don’t need millions of pounds to protect against all threats. The NCSC offer some good, easy to follow guidance for smaller organisations. Below are some additional simple pointers for cyber security on a budget:
- Don’t rush into buying security technology – this may sound counter-intuitive, but one of the biggest wastes of a security budget is in thinking that technology alone will solve problems – there’s great tech out there, but most of it relies on humans and processes to be effective. Just spotting (and even stopping) an attack isn’t always enough.
- Review your current licensing – all organisations struggle with duplicating technology. Most cloud services come with in-built security tools that do very similar things to some of the more expensive technologies. For example, your Microsoft licensing likely includes tools that provide a good level of protection, eliminating the need for new technology.
- Work towards Cyber Essentials – a great starting point is in the Cyber Essentials and Cyber Essentials+ accreditations. Even if you’re not ready to become certified from day one, looking through the requirements is a great way to build a list of short-term priorities. Even a relatively simple accreditation like Cyber Essentials can be a source of competitive advantage – only 4% of businesses and charities currently hold Cyber Essentials.
- Think 24/7 – cyber attackers are global and operate 24/7/365 – most attacks will happen at 2am on a Saturday, not during working hours and so having a 24/7 operation is critical to stopping attacks.
- Look for a trusted partner – people and processes are critical in stopping cyber-attacks. But for all but the largest banks and government bodies, having an in-house team is out of the question – an entry level Cyber Security Analyst may demand £25,000-£35,000 a year and even an experienced Analyst won’t be able to deal with all of the alerts, threats and attacks on their own. A trusted partner’s service should be significantly cheaper than that and 24/7 with experienced staff. In fact, 59% of small businesses outsource their cyber security services for this very reason.
Our Protective Monitoring services start from just £1,200 / month and get access to a team of experienced cyber security analysts, threat hunting and processes to detect potential cyber-attacks.
To talk about your cyber security concerns, fill out the form below and one of our experts will be in touch.