Most small and medium-sized enterprises (SMEs) believe they are not at real risk of cyber attack, a survey has revealed.
Three quarters of SMEs polled by security firm Kaspersky Lab said their business is too small to be of any interest to cyber criminals and 59% said the information they hold is not of interest to cyber criminals.
But the security firm said this is not the case and that, because of lack of awareness, limited security measures and the often overlooked human element, it is becoming easier for cyber criminals to target small, local businesses.
David Emm, senior security researcher at Kaspersky Lab, said there are four key principles that SMEs can use to improve their security posture.
These can be remembered using the acronym SAFE, he said, starting with ‘S’ for stepping stone.
“Whether it is a supplier, a partner or a customer, SMEs tend to have links to other, larger companies. With this in mind, cyber criminals increasingly target SMEs to get information that will enable them to access the larger company’s infrastructure,” said Emm.
“For example, if the SME in question is a widget supplier to a big name, a cyber criminal can sneak into their system if insecure and steal information that will make it easier for them to gain access to the larger company’s infrastructure, putting both them and their associates at risk,” he said.
According to Emm, if cyber criminals access enough smaller businesses, it can give them enough collateral to access a big organisation directly.
The next thing SMEs need to attend to is employees' awareness of cyber security.
Phishing, spear phishing and watering-hole attacks are often used to trick staff into giving away confidential information, such as passwords and account details, which could help grant a cyber criminal access to the company's infrastructure.
“This could enable the hacker to steal valuable customer and corporate data, so employees need to know what to be on the lookout for,” said Emm.
Another aspect of awareness is the increasing use of humans as part of the hacking process, he said. For example, if an SME allows a contractor who visits the office each week to connect his USB stick to a company computer, this could be exploited as a way of infecting the network with data-stealing malware.
“In a world where people are eager to help others, something so small can have an overall damaging effect,” said Emm.
Small companies often lack IT support staff who keep an eye out for potential cyber threats. Larger companies tend to have IT managers who keep up to date with relevant security news, making them aware of potential cyber threats.
“In smaller companies that lack this, it is important for all employees to keep their ear to the ground in terms of recent threats, and to get in third-party vendors and experts to educate their staff so all can keep an eye out for the tell-tale signs,” said Emm.
Forward planning is also an issue SMEs need to be aware of, he said. SMEs should have a recovery policy in place in case they are hacked, to ensure the business can get back to a positive, secure and reputable state.
“Make sure all employees know they have a responsibility in terms of the company’s IT security,” said Emm.
Finally, it is vital to ensure all staff are educated on security policies, just as they are on health and safety issues, said Emm.
“This is important in all organisations but in particular, for smaller companies. You need to demystify the issues, explain them in an easy-to-understand manner, use analogies if necessary; create a few simple top tips or do’s and don’ts for staff to follow and place posters including these all over the office,” he said.
But Emm emphasised that this security strategy is not a one-off activity. “It will need to be revisited on a regular basis to keep up with the security landscape and keep security issues front of mind.
“All SME employees need to be responsible for security, especially with the number of personal devices being used for work,” he said.