A panel discussion on the final day of the Infosecurity Europe Virtual Conference was dedicated to cybersecurity in SMEs, and in particular, practical methods these organizations can use to most effectively protect themselves from cyber-attacks.
Bridget Treacy, partner, Hunton Andrews Kurth, who moderated the panel, firstly outlined exactly why it is so important to talk about this topic: “We all tend to assume that cyber-threats are a risk for large organizations,” she said. “Actually, if you look at Verizon’s 2019 Data Breach Investigations Report, you will see that 43% of all cyber-attacks actually target small businesses, and SMEs often have really valuable data.”
The panellists agreed that, fundamentally, the threats faced by SMEs are similar to those of large businesses. They also face the same additional challenges as a result of the COVID-19 crisis. Nick Ioannou, head of IT at Ratcliffe Groves Partnership, said: “It’s more of the same – phishing, ransomware, but its more the focus [that’s changed] because criminals know a lot of people are working from home now…and also the way they are implemented – people get phoned up now; it doesn’t all have to be all over email because everyone is dispersed so it’s a lot harder to double check.”
For SMEs with significantly smaller budgets and internal cybersecurity expertise compared with large businesses, a more considered and targeted approach to counteracting cyber-threats is a necessity, and this is particularly so with regards to investments in security systems.
“Often organizations of all sizes and SMEs in particular hear about a new threat and they look for the technology to go and address that threat without actually giving full consideration to the risk that threat poses to them,” said Maxine Holt, senior research director, cybersecurity at Omdia. “If you look at risk rather than the threat itself, that can really help you improve your organization’s security posture because you’re just going to think about what’s going to affect you particularly.”
Additionally, a lower reliance on tech, and more emphasis on good practices among staff, is especially vital for companies with limited resources, establishing a more preventive approach to cybersecurity. Dai Davis, partner, Percy Crow Davis & Co, said: “Once you’ve identified the risk to your business, it’s a matter of getting the right people processes in place to ensure that you minimize that risk.”
This in no way means technology systems are unimportant; it must be ensured that tech that is implemented does not hinder the productivity and growth of small companies. Jason Maude, chief technology advocate, Starling Bank, explained: “As soon as your technology starts to run your users down too much, they will find ways around it.”
Another topic discussed by the panel was GDPR, and how compliance with the regulations should be approached by SMEs. In Maude’s view, it is something that should be embraced for the long-term benefits it can bring: “It’s encouraging you to be really efficient with your data to make sure that you know what data you have and to use it correctly,” he added.