What SMEs need to do to protect from cyber threat

Digital acceleration is too modest a term for the impact the pandemic has had on business activities this year. A digital explosion is more apt.

Whether it is restaurants turning to click-and-collect platforms, bricks and mortar stores migrating fully online, or SMEs ordering staff to work remotely, commercial success depends on online activity in volumes that would have been unimaginable in February.

The result is a bonanza for cyber criminals. They were already doing well. According to a report from business insurer Hiscox, looking at a period up until February of this year – prior to the pandemic – cyber losses among businesses had already risen nearly six-fold globally from a median of €8,900 per firm to €50,732.

Of the companies it surveyed in Ireland, 41 per cent reported having at least one cyber “event” in the previous six months. The total cost of these cyber incidents and breaches amounted to €9 million.

More worrying still, almost one in five (18 per cent) of businesses surveyed globally didn’t know if they had had a cyber attack.

Since February the rush to go digital, without adequate thought to security, has likely exacerbated the problem.

“I know from my own contacts that web developers are ‘out the door’ busy building websites. Where you are seeing businesses that wouldn’t have had an online presence before, all of a sudden doing it, that’s a big challenge from a cybersecurity perspective,” says Justin Moran, head of governance and head of security at mobile phone company Three.

He says within the EU, 60 per cent of cybercrime is aimed at SMEs. That’s a big risk for Ireland given that the vast majority of all businesses here are small ones. Cybersecurity industry research suggests that very many small companies go out of business within six months of falling victim to a cyber attack or data breach.

The fact that more and more people interact with businesses via mobile devices is exposing them to additional threats and challenges, says Moran.

Threats include not just the risk of data breaches and reputational damage, but the potentially swinging fines enforceable under general data protection regulations.

Ransomware or distributed denial of service (DDOS) attacks whereby cyber criminals take control of your computer to slow or shut it down is also leading to significant business damage.

The current tumult provides enormous opportunity for criminal activity based on “social engineering”, such as invoice or CEO fraud.

Effective

These "phishing" scams see criminals send out false invoices or requests re changed bank accounts in the hope that employees still getting to grips with the "new normal" will be more amenable to them.
It sounds ludicrous, but it works.

“These are done at high volume and can be extremely effective because they use psychology to play on people’s fears. They’ll make the email look very authentic, and then, for example, put a tight deadline on the request,” says Moran.

It can include contacting business owners with “smishing” or mobile text requesting them to click a link in order to pay an outstanding postage for a parcel delivery, for example.

Long before the pandemic was announced cybersecurity was a growing sector globally.

“Even prior to Covid cyber- security as a sector was predicted to grow by 10 per cent this year,” says Aoife O’Leary, Enterprise Ireland vice-president of digital technologies, based in San Francisco.

What this year’s wholesale move to selling and working online has done is put the topic on the radar for many firms in a more strategic way, according to her colleague John Durcan, senior technologist with Enterprise Ireland. “Before that it was always ‘someone in IT will sort it’, or ‘I’ll outsource it’,” he says.

The current environment holds significant risk for businesses. “In the rush to online shopping, and to putting businesses online for the first time, businesses can overlook the regulatory side in relation to payments and the security of data, for example,” he says.

There are ways to reduce that risk.

“If you opt for a trusted platform, such as Amazon Marketplace or Facebook, that mitigates the risk. It’s important that SMEs don’t feel they have the reinvent the wheel. However, they do still need to think about cybersecurity in a new way, and staff training is a really good place to start. Your first line of defence is your people, so pick good training material and use it,” says Durcan.

Dublin company Cyber Risk Aware offers a behaviours-driven security platform that delivers cybersecurity training in real time, including phishing and smishing simulations, training content and risk and compliance reporting.

Irish companies Intuition and integrated risk management platform Vigitrust have also developed effective tools for SMEs.

Don’t assume that just because you are using cloud-based services that you are automatically safer by default, cautions Dani Michaux, KPMG’s head of cybersecurity.

Decisions

“Companies are pivoting and trying to use the tools to enable business, as they should be, but they are rarely thinking about the risks involved in doing that and some are rushing their decisions,” says Michaux.

Many, she fears, are failing to ask the right questions both of themselves and of their security providers.

These are, “what are the risks we are putting ourselves at in doing this, and, if we put that on the cloud, what are the security implications?” she asks.

It is really important for SME leaders to be cyber aware, she points out, because smaller businesses are least likely to have IT skills in house.

She says now, after the first wave of the pandemic has passed and the great migration online executed, is the time to “take a step back and reassess” what has happened.

“Ask yourself, have I overlooked something? What are my exposures, my regulatory exposures, and the key risks?

“If you don’t ask the questions it’s like rushing out of one house and not asking for the keys for the other because you just want to get inside.”