
Why It’s Mission-critical That All-sized Businesses Stay Cyber Secure

By Andy Robertson | September 5, 2022 | Updated: December 13, 2022 | 5 Mins Read

A study analysing millions of emails across thousands of companies found that, on average, employees of small businesses with fewer than 100 employees experience 350% more social engineering attacks than employees of larger enterprises. 57% of these are phishing attacks – the most prevalent social engineering attack of 2021.

Add to the mix that the global average cost of a data breach for businesses has skyrocketed. According to IBM Security’s annual Cost of a Data Breach Report, the average global cost is now a phenomenal $4.35 million.

Generally, larger corporations tend to have bigger security budgets, making them less of a target than smaller businesses, whose lesser budgets make them more attractive to cybercriminals. This means that for small and medium-sized enterprises (SMEs) – with fewer resources and less money – protection from cyber-attacks is now a matter of survival.

Ease of attack is not the only reason why criminals attack SMEs either. SMEs are often an entry point to target bigger organisations within the same supply chain. These larger corporations can be crucial partners, suppliers, or customers, making SMEs prime targets.

But with efficient cybersecurity measures, every business, regardless of size, can keep itself and its network safe.

Fostering security culture

One of the easiest ways to start protecting a business from bad actors is training, but it’s not enough on its own. Organisations need to go beyond training to instil a security mindset that transforms their largest attack surface into a vital defence force.

The hybrid workplace has changed the security landscape of businesses, with ONS reporting that almost half (42%) of employees work mostly from home. This means that many now use their devices and internet connection at home or via an open network, such as in a coffee shop. Essentially, the cyber-attack surface has increased, creating a prime environment for phishing and ransomware attacks.

SMEs need to ensure employees at all levels across the business are aware of the security measures needed to keep the company safe and secure. A good place for security leaders to start is to use the resources provided by the National Cyber Security Centre (NCSC) to implement phishing and general security awareness training – such as helping employees to keep safe on their own devices or VPN.

This isn’t about a blanket email asking employees to complete training, however. Training must be engaging and tailored to employees’ roles. In fact, a report from Fujitsu – Building a Cyber Smart Culture – found that 74% of non-technical staff say they don’t find their training engaging enough, with 35% saying their training is too technical or boring.

Implementing efficient technology as a business strategy

The Fujitsu report also found that 54% of senior executives are finding it challenging to keep their security policies on pace with the changing threat landscape due to remote and hybrid working – leaving businesses exposed to cyber criminals.

Given this, the answer to the increasing risks cannot rely on appropriate training alone because, as we all know, no human is infallible. As such, a modern security plan for an organisation should also incorporate technical safeguards and procedures that act as a barrier against cyber threats.

That means SMEs should be looking at implementing a layered technological approach as part of their business strategy. An example of this is Multi-factor Authentication (MFA), which is essential for businesses with employees working from anywhere.

MFA is a key part of Zero Trust – the idea that businesses must assume there will be a breach and as such must constantly verify that a user and their device are authorised to access sensitive data.

This form of authentication is advantageous because even if a hacker or unauthorised user can guess a password or buy one on the dark web, they’re very unlikely to be able to get past the additional authentication factor. It’s an investment – IBM’s report also found that businesses that don’t deploy Zero Trust on average incur USD 1 million greater breach costs compared to businesses with Zero Trust deployed.

Another way to take the security strategy a step further is to add another technological layer. By implementing Conditional Access (CA), SMEs can make it even harder to break through the security perimeter. CA is a powerful security technique whereby an organisation can configure and fine-tune access policies with contextual factors such as user, device, location, and real-time risk information to control what a specific user can access, and how and when they have access.

CA is a more robust system that can compare a current login request against past logins to determine if the new login request is authentic. For instance, if a person logs in from London and then logs in from New York an hour later, the conditional logic may establish that this is physically impossible and flag the login as suspicious. Then depending on the rule, the attempt can either be blocked or the user is prompted for an additional authentication challenge before any access is granted.
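The London-to-New-York check described above can be sketched as follows. This is an added example, not code from the article or from any Conditional Access product; the names `Login` and `evaluate`, the 1000 km/h speed threshold, the 100 km geolocation tolerance and the sample coordinates are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold, roughly airliner cruising speed
SAME_PLACE_KM = 100.0       # assumed tolerance for imprecise IP geolocation

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime  # timezone-aware timestamp
    lat: float
    lon: float

def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(min(1.0, math.sqrt(h)))

def is_impossible_travel(previous: Login, current: Login) -> bool:
    """True when the implied speed between two logins is not physically plausible."""
    km = distance_km(previous, current)
    if km <= SAME_PLACE_KM:
        return False  # close enough to be the same place
    hours = (current.when - previous.when).total_seconds() / 3600
    if hours <= 0:
        return True  # far apart at the same instant, or events out of order
    return km / hours > MAX_PLAUSIBLE_KMH

def evaluate(previous, current, on_impossible="challenge"):
    """Return 'allow', or the rule's configured action ('challenge' or 'block')."""
    if on_impossible not in ("challenge", "block"):
        raise ValueError("on_impossible must be 'challenge' or 'block'")
    if previous is None or previous.user != current.user:
        return "allow"  # no history to compare against; other policies decide
    return on_impossible if is_impossible_travel(previous, current) else "allow"

# Constructed sample data: the London -> New York case from the text.
T0 = datetime(2022, 9, 5, 9, 0, tzinfo=timezone.utc)
LONDON = Login("alice", T0, 51.5074, -0.1278)
NEW_YORK_1H = Login("alice", T0 + timedelta(hours=1), 40.7128, -74.0060)
NEW_YORK_8H = Login("alice", T0 + timedelta(hours=8), 40.7128, -74.0060)

if __name__ == "__main__":
    print(evaluate(LONDON, NEW_YORK_1H), evaluate(LONDON, NEW_YORK_8H))
```

Because IP geolocation is approximate and VPN egress points can place a user far from where they really are, the sketch defaults to a step-up challenge and leaves an outright block as a per-rule choice.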

Everyone has a part to play

The disruptions in the past few years, together with the rising cost of living, will cause a rapid increase in cybercrime. It’s why SMEs can’t afford to pick between a technological layered approach or training to keep their businesses safe. They must protect assets by taking both advanced (technological) and proactive (training) steps, bringing everyone in the business together in a unified security strategy.

This strategy also requires those responsible for cybersecurity to work more closely with other parts of the business to understand their unique difficulties and potential misunderstandings, because a business, no matter its size, is only able to keep cybercriminals at bay when there’s a collective security stance.

Andy Robertson, Head of Enterprise & Cyber Security at Fujitsu UK&I.

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
