Information Security Buzz

6 Security Challenges Facing SMEs Heading Into 2021

By ISBuzz Team | December 11, 2020 | Updated: July 4, 2024 | 5 Mins Read

The adoption of mass remote working and rapid infrastructural change has made 2020 a very disruptive year for most SMEs. And while many of the legacy security challenges remain, COVID-19 has brought about some new issues. As we get ready to close the door on 2020, here are the six key security challenges facing SMEs in the year ahead.

Increase In Business Email Compromise Attacks

It has been a profitable year for criminals engaged in Business Email Compromise (BEC) fraud. BEC invoice and payment fraud involves using email to masquerade as a trusted entity and coercing a business into sending payments to fraudulent bank accounts.

Overall, BEC attacks increased by 15% between Q2 and Q3, according to a report by Abnormal Security, with invoice and payment fraud increasing by some 81%. Given that the average target payment amount is estimated to be approximately $80,000 per BEC attack, BEC is expected to continue having a substantial impact on the wallets of SME victims heading into 2021.

Rise In Sophisticated Ransomware Attacks

Ransomware, the encryption-based malware, has continued to ravage businesses this year and is projected to continue increasing into 2021. Ransomware remains a particular issue for smaller companies compared with their larger counterparts, as 55% of attacks take place against companies with fewer than 100 employees, according to Coveware.

Small businesses are also more likely than larger businesses to pay a ransom to have their data decrypted, likely due to the improper backing up of business-critical data. However, "Ransomware 2.0", as some have coined it, has made the solution of backing up data useless, because it doesn’t just encrypt the data but also threatens to publish it publicly if the ransom isn’t paid. It remains to be seen whether the rise of Ransomware 2.0 attacks will cause a shift in the number of businesses willing to pay up, but this form of attack, and defending against it, should be a key consideration for all SMEs.

Lack of Dedicated Resources

COVID-19 has put a squeeze on the budgets of many businesses; however, a report by Kaspersky highlights that the percentage of the average SME’s IT budget spent on security has actually increased by a modest 3% since 2019. And yet this may not be enough, as the cyber security skills gap continues to drive up demand for, and the paychecks of, skilled security professionals.

Many SMEs just don’t have the budget to hire staff for dedicated security roles. According to a report by Sharp, 36% of SMEs have no full-time cyber security employees. This still leaves smaller businesses at a disadvantage and a ripe target for cyber criminals, who are well aware of the shortcomings SMEs typically face.

Device Administration Shortcomings

The rise of bring your own device (BYOD) and, in some cases, the forced migration of remote workers to personal devices has caused chaos for device administration. Many SMEs have opted for cloud-based endpoint management solutions to fill the void; however, endpoint management systems have their limitations when remotely administering devices with different operating systems.

Remote working has also removed office-based staff from the protection afforded to them by their business network and forced them to rely on the basic security controls of their home office network. Many members of staff won’t have the advanced firewall and web proxy features that safeguard their devices in an office environment and will be more susceptible to external threats. As we head into 2021, we’re likely to see that many SMEs have not yet adopted an effective remote administration strategy.

Inadequate Staff Training and Awareness

Staff are often an SME’s greatest asset, but they can also be the weakest link in a business’s defences. Promoting security training and awareness continues to be a challenge for SMEs, with only 34% reporting that they provide data safety and best practices training in a survey conducted by The Manifest.

This isn’t surprising, since SMEs have long faced issues implementing effective security training. The shift to remote working has further highlighted the dire need for SMEs to educate staff in secure home-working practices; after all, the majority of successful attacks are by means of social engineering. We will likely see SMEs continue to fall short in providing adequate security training resources for staff in 2021 and beyond.

Absent Information Management Framework

The introduction of GDPR back in 2018 has ushered in an era of greater data awareness. However, a report published by the EU Commission in July stated that “application of the GDPR is challenging especially for small and medium sized enterprises.” For many smaller businesses, the ISO 27001 standard of information management and security, largely seen as a gold standard, remains out of reach.

Big issues faced by SMEs when implementing an information management framework include trying to effectively track information assets and maintaining visibility over staff access levels. A number of alternative schemes have been designed to try to help SMEs improve their information management practices, such as the IASME Governance scheme in the UK. In spite of this, information management and security will continue to be a challenge faced by many SMEs as we head into 2021.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
