Business Reporter

The SMB cyber delusion: why cyber resilience should be top of the agenda for UK SMBs


John Davis at the SANS Institute shares his insights on how small businesses can keep themselves cyber secure

 

The mounting challenge of cyber threats for SMBs cannot be overstated. Cyber attacks against businesses doubled in 2021 compared to the previous year, according to SiteLock. Yet nearly half (48%) of SMB website owners still think they’re not big enough to be troubled by cyber threats.

 

At a time when business is tough due to the pandemic, skills shortages and inflation, businesses cannot afford to let money walk out the door as a result of losses from a cyber attack. This is especially true for SMBs, which have fewer resources than large enterprises when it comes to cyber-security.

 

Naturally, the call to action for many organisations is to invest in cyber-security technology to protect against hackers. But this in itself can initially be quite expensive, and does not guarantee absolute protection if not properly managed.

 

However, investment in technology is not the only way SMBs can defend against attacks. Another way to shore up cyber-security is by educating employees, which can last much longer than technology implementations that often need an upgrade in the next 6-12 months to keep up with the latest sophisticated threats.

 

Additionally, education and training can empower your employees to wield tools and technology you may have already invested in, and to take charge of cyber-security themselves more efficiently.

 

How cyber-security training fortifies defence

Cyber-security training allows SMBs to approach their security strategy cost-effectively. Employees will have the knowledge they need to spot attempted cyber attacks and ensure they’re using defensive actions when accessing a business’s systems.

 

Prevention is at the centre of cyber awareness programmes. According to the Cyber Security Breaches Survey 2022 produced by the UK Government, nearly four in ten (39%) UK businesses identified a cyber attack over the last 12 months. But only 8% of organisations have set up multi-factor authentication and forced employees to change passwords since their most disruptive breach or attack of the last 12 months, in cases where breaches had material outcomes.

 

Taking steps towards preventative measures is vital, as it helps stop cyber attacks dead in their tracks.

 

When it comes to educating staff, and ensuring that the expertise to defend against bad actors is shared within teams, the advantages of cyber-security training are endless. However, knowing how to implement it or where to start can be a challenge for SMBs.

 

The areas to cover with cyber-security training

Cyber-security is no longer just about technology. It’s also about people. In today’s hybrid work landscape, small businesses must enable employees to help reduce a business’s attack surface for cyber criminals. This can be quickly achieved by implementing a cyber awareness programme, which can provide a structured approach to managing human risk.

 

The first step to developing a cyber awareness programme is to evaluate human risks by analysing the way that employees use business systems. Once businesses understand the mounting ransomware threat and appreciate how employees can threaten cyber security, business leaders can better decide which systems to focus on to improve security and overall cyber resilience.

 

The second phase is invoking change. Start with basic techniques, including educating employees about phishing, requiring them to use strong passwords, and ensuring regular software patching:

 

  1. Phishing: phishing is where a cyber criminal pretends to be someone else in an email to steal credentials and information from the organisation. SMBs can educate employees on suspicious things to look for in an email. If something looks suspicious, employees should be encouraged to contact the sender through a means other than email, such as messaging or the telephone.
  2. Passwords: while employees must use strong passwords, this is no longer sufficient to protect against modern cyber criminals. SMBs should implement multi-factor authentication. This improves security by combining passwords with another method of user authentication, such as one-time passcodes or biometrics. Most major business platforms, such as Microsoft 365, Google Workspace and Salesforce, offer this for free.
  3. Patching: software updates often address vulnerabilities in software. If software is left unpatched, attackers may exploit these vulnerabilities. Regular patching is a simple yet effective way to improve security.

 

Reaching a point of maturity with cyber-security awareness programmes takes a significant amount of time. Cyber-security doesn’t happen overnight, and even when businesses are at a strong level of skilling in this area, that doesn’t mean they can rest on their laurels.

 

The picture is moving all the time, so leaders need to ensure that their employees are clued up on the latest threats and the tools cyber criminals use to gain entry into IT systems.

 

A lot of SMBs see cyber-security as a cost centre rather than a value generator. But keeping on top of it now, by regularly examining online resources and being aware of the dangers, alongside investing in training programmes, means that businesses can save money down the line.

 

The financial loss, compliance issues and threat of a ransomware attack can cripple business operations and cause huge business-as-usual (BAU) challenges through downtime. Investing in training in the short term is what shores up defence and company health in the long term.

 

Keeping data safe and secure starts with people, and this is why knowledge sharing is critically important.

 


 

John Davis is Director UK & Ireland at the SANS Institute, EMEA

 

Main image courtesy of iStockPhoto.com


23-29 Hendon Lane, London, N3 1RT


020 8349 4363

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543
