Five cyber tips for SMEs

security risks

The cyber challenge faced by SMEs is multi-faceted. They are often under-resourced and are particularly affected by a global cyber-skills shortage. Small, or non-existent, security teams are tasked with defending the business from the full range of cyber threats from sophisticated, novel, and targeted campaigns to very fast-moving smash-and-grab attacks while managing an increasingly distributed workforce and complex digital infrastructure.

This complexity can make the task at hand seem overwhelming for SMEs but there are some simple resolutions they can take to boost their cyber resilience.

Accept that we will never be able to stop breaches

First, SMEs need to subscribe to a new philosophy. If the recently exposed widespread vulnerability Log4j taught us anything, it’s that trying to stop 100 per cent of attackers from getting into our systems is futile.

We’ve learned over the last decade is that simply trying to stop attackers from getting onto systems is only effective for low-level attacks. It doesn’t work for the advanced attacks – like those exploiting the Log4J vulnerability – that these businesses now face.

Accepting that attacks will get in is not accepting failure. It is the reality of being mobile, global, and interconnected business. Instead, business leaders must contain attacks quickly and minimise disruption so that the organisation isn’t negatively impacted.

Think beyond detection – it’s no longer enough

Once an attacker has gained a foothold within an organisation, it is vital that the security team continuously monitor abnormal behaviour to detect the breadcrumbs of emerging attacks. But with placing too much emphasis on detection alone does not resolve the problem of hackers moving at speed through a digital estate.

With security teams coming up against increasingly sophisticated attacks, companies need solutions that can detect and respond almost simultaneously. In the midst of a cyberattack, every second counts – and detection alone can’t put a stop to the damage wreaked by hackers.

Create a culture of security

CEOs and C-level executives should be vocal about the importance of cyber security across the business, and all departments should know what their responsibilities are and know that cyber security is relevant to them. The Board should be briefed regularly on cyber-security and security providers should be involved in this process, providing insights into security management, and how the business is responding to cyber threats.

Do more with less

You don’t need every security solution ever created. Often, adding more to the mix just complicates matters further. Staff need to be trained in each of the tools, integration between disparate solutions can be challenging, and resources only stretch so far. Putting the basics in place is a great start, and an additional set of eyes that monitors whether these tools have let anything slip through the gaps can make all the difference in an approach known as ‘multi-layered security’.

Pay attention to the supply chain

Supply chain attacks can be some of the hardest to mitigate, but a few best practices are a must here. These include doing due diligence before providing access to third-party vendors. Where possible, try to minimise the number of third parties connecting into the network to reduce the potential entry points. Assess supplier and vendor security when deciding whether to work with a company. Examine whether they have external certifications that verify they take security seriously.

In 2022’s cyber threat landscape, being breached by hackers is all but inevitable. While there is no shame in hackers gaining access to your digital estate, allowing them to cause long term disruption and damage is unacceptable to many SMEs and fundamentally avoidable. Taking time to examine your business’ cyber-resilience could well save you a lot of trouble down the line.