It can happen to you: How SMEs should protect themselves from cyber security attacks
By Stefan van de Giessen, General Manager: Cybersecurity at Networks Unlimited Africa
Small and medium enterprises (SMEs) are widely acknowledged as playing a critical role in South Africa’s economy, and yet they are also potentially more at risk in terms of their ongoing survival than larger enterprises. According to a recent McKinsey report, SMEs in South Africa employ between 50% and 60% of the country’s workforce across all sectors. At the same time, SMEs arguably face a number of challenges, which can potentially weigh on them more heavily than on larger enterprises.
These particular areas of concern include attracting customers; maintaining profitability; increasing revenue; facing greater uncertainty during economic downturns; and securing financing for expansion. Now add in the issues around technology enablement and security, and it can all start looking a little bleak.
It can happen to you
Small businesses can actually be significant targets for cyber attackers, because a weaker security posture makes them more vulnerable to hackers – they can be seen as ‘easy pickings’. If an SME lacks the time and money to sort out its security properly, we frequently find situations in which the business owner/manager tries to buy the cheapest product off the shelf, then installs it and hopes that it works optimally.
SME owners and managers are also often under the illusion that ‘it won’t happen to me’ and that cyber criminals are only after the big guys. This, however, is not necessarily a true reflection, because it is often easier for hackers to get into the systems of a smaller business.
A hacker will frequently use a phishing e-mail to infiltrate the SME’s network – it’s all done via targeted spear phishing e-mails. We also know that hackers may have it easier with the smaller organisations – employees are more likely to click on the e-mails, as they are less educated about phishing threats than employees in the larger corporations, where the tools and education around the dangers of phishing attacks are generally in place.
Having infiltrated the network with a phishing e-mail, the hacker then follows this up with a ransomware attack, targeting data, which is an organisation’s lifeblood. A smaller and unprotected or less protected SME is more likely to give in to the ransom demand. In contrast, larger corporations generally have the ability to roll back to a pre-attack situation and are able to continue functioning, even during such a ransomware situation.
Go to the experts…
Our advice, therefore, is that SMEs should make use of outsourced security services. However, we know that due to costs, which are already exacerbated in a difficult economy, businesses of all sizes are struggling and sometimes the wrong costs are being cut in the quest for survival. But in the event of a network breach, a lack of adequate security posture could actually see a small business go under. In contrast, if a larger firm gets hit by a cyber security attack, they generally have the capital and resources to fix the problem and stay alive.
During the COVID-19 pandemic period, one area of cyber security that has come to the fore is the protection of devices at the edge of the network. With so many more people now working from home rather than at the office, they are operating outside the edge of the company network, and their cyber security is not necessarily being managed by third-party security. We’ve therefore seen an increase in targeted attacks, and the risks have increased substantially.
Endpoint protection is an important part of edge protection. It is imperative to ensure that outdated software on every machine within the business receives notifications to be patched, so that no single device is left as the weak point.
Additionally, in order to protect your employees’ laptops in a work-anywhere environment, you will need an endpoint detection and response (EDR) system, which increases your visibility into your endpoint and, in turn, allows for a faster response time. EDR tools protect your organisation from advanced forms of malware.
Getting the fundamentals right from the very beginning should be sufficient to protect you most of the time, although, of course, a new threat will need new technology to cover users. In the event of a ransomware attack, it may well be too late to assist if the SME doesn’t have appropriate backups. The best advice, therefore, is to be proactive rather than reactive, and to call in the experts before it’s too late.
A note on the POPI Act
In June 2020, the President issued a Proclamation regarding the commencement of certain sections of the Protection of Personal Information Act (POPI), which aims to protect consumers by keeping their personal data private. These sections will take effect on or before 1 July 2021, meaning that all businesses must be compliant by this date.
The POPI Act will enable businesses to regulate how information is organised, stored, secured and discarded. Companies therefore have a remaining eight months in which to implement all initiatives necessary for compliance to the Act. From 1 July next year, a data breach could mean that your business could be subject to a heavy fine.
Any business, whether large corporate or SME, will therefore need to invest in certain sets of security to be compliant to the Act. From an SME’s perspective, this could potentially cause your cost of doing business to increase and perhaps make your business slightly less profitable, but it will at least reduce the risk of your business facing a crippling fine because of non-compliance.
Private information is valuable, and smaller businesses don’t necessarily have systems in place for the protection of the data that they hold. The lesson here is that an SME, just like the bigger enterprises, must sort out its compliance one way or another.
Our best practice advice for cyber security for SMEs is as follows:
- Start with the fundamentals and get the basics right. Don’t over-complicate matters, but also don’t take the cheapest option, which is not necessarily the best;
- As more employees continue to work from home as well as at the office, ensure that you have next-generation, up-to-date anti-virus software connected to your corporate firewall for endpoint protection;
- Pay attention to the realities of the POPI Act; and
- Speak to the experts.
If you are not able to manage this necessary cyber security activity internally, we urge you to reach out instead to a managed security service provider (MSSP) partner, who can offer you protection based on a consumption model that could suit your cash flow requirements.
This will assist you in protecting your business and your customers, as well as save you from the not-to-be-contemplated prospect of a heavy POPI-related fine in the event of a data breach.