While large organisations have the budgets and the dedicated IT and security departments to deal with cybercrime, SMEs face much the same threats but with scant resources to deploy. There are, however, strategies which smaller organisations can deploy to take on the big battalions of cybercriminals.
“There are solutions for SMEs,” says Karl McDermott, head of 3Connected Solutions. “This includes some very basic things like staff training. Companies should make their people aware of the threats and risks. This will assist with personal discipline when it comes to internet usage. They can also use things like two-step authentication and virtual private networks (VPNs) when working remotely.”
Poor personal discipline is often a serious vulnerability for SMEs, according to McDermott, and this is highlighted by experiments which Three carries out from time to time where the company leaves USB keys lying around in different locations in towns and cities. “A huge amount of them get plugged into devices within hours. A USB key with malware on it can leave an organisation fatally exposed.”
Other basic steps include ensuring anti-virus software and firewalls are up to date. “Resilience is a huge thing as well,” he continues. “You should make sure to have an offline backup of data that can’t be attacked. None of these things cost a lot. They can also avail of advice and assistance from their internet and phone service providers.”
KPMG’s head of cyber, Mike Daughton, points out that while there is no one-size-fits-all solution for SMEs, the starting point is generally the same. “SMEs need to identify their critical data assets. What are their most important data assets that they need to protect? Where are they located and stored? This includes personal data for customers. Once a company has got a good handle on those assets and what they don’t want to lose and need to protect, that’s a good starting point.”
Daughton’s colleague Will O’Brien says that SMEs need to put cybersecurity at the top of their risk list and decide how much they want to invest in it. “The quickest win is people and training,” he says. “There are also lots of supports for SMEs out there. For example, in Cork there is IT@Cork which helps SMEs in areas like this. SMEs should leverage the assistance available from organisations like these. They should get out there networking with other companies. Help is out there and it’s about tapping into it.”
John Bolger, senior manager IT audit and cyber security with BDO, also advises SMEs to look outwards. "SMEs will need to assess their current IT environment exposure in light of current offerings from service providers," he says. "Many businesses are managing their own infrastructure and hardware based on a technology strategy from five to 10 years ago. Even smaller solution providers offer a wide range of hosting, backup services and network management, often in collaboration with major cloud providers. Costs have become more competitive, and these options should be explored by SMEs taking a long-term view regarding management, service, and security. In simple terms, transfer IT service roles to providers who are specialists."
This doesn’t mean the firm can turn its back on the problem, however. “Transferring the service does not mean transferring the risk,” Bolger adds. “There will always be a need for in-house management of the IT service provider, along with education of employees underpinned by formal internal policies and procedures.”
Montgomery believes the cloud can also offer solutions. "There is a big debate around the cloud. Is it more secure than a server in the office that has an operating system that mightn't have been patched or updated for some time? There is an argument to say that dedicated cloud is more secure than in-house storage."
He warns that this does not mean cheap cloud and advises SMEs to go for branded offerings with security measures that can be trusted.
Will O'Brien of KPMG agrees. "A lot of SMEs are moving into the cloud. They should make sure they can rely on the IT and cyber controls that the third-party providers have in place. They should ask where their data is being held and how it is being protected and make sure they are comfortable with the security arrangements."