Several months on from when WHO first declared COVID-19 a global health pandemic, remote working is now a normalized model for employees.
Throughout the ongoing crisis, technology service providers (TSPs) have played a critical role in enabling the connectivity and infrastructure that organizations needed to maintain their day-to-day operations. That includes securing the remote workforce and protecting the extended enterprise perimeter.
While larger enterprises may have in-house IT teams that are responsible for adapting cyber risk management strategies to cope with the impact of undertaking a massive shift to remote services, many SMBs are ill-prepared to combat the rising online threat landscape.
For TSPs, providing this important cohort of clients with best practice guidance and know-how will prove a mission-critical value-add service that many won’t realize they can’t do without.
SMBs are a Prime Target for Cyber-Criminals
According to a recent report by the insurance firm Hiscox, around 65,000 cyber-attacks are attempted on UK SMBs on a daily basis, with about 4,500 of these carried out successfully. The recent shift to home working triggered by the pandemic has led to a further tsunami of phishing, malware and ransomware attacks as cybercriminals look to target vulnerable SMBs.
Without specialist in-house teams dedicated to the task, staying on top of cybersecurity matters is typically more of a challenge for SMBs. So it falls to their TSPs to proactively initiate conversations about security and disaster recovery.
In fact, 91% of SMBs would consider using or moving to a new IT service provider if it offered the “right” cybersecurity solution, according to the latest Vanson Bourne SMB State of Cybersecurity report.
As well as checking the awareness and preparedness of business leaders, and whether they’ve covered all the important bases, these discussions will be helpful when it comes to establishing a clear understanding of where everyone’s responsibilities begin and end.
Step 1: Conduct an Initial Review of What’s Changed
Initiating an open and transparent conversation relating to cybersecurity should begin with an informal discussion about the current state of play. New ways of working introduce new risk vectors and increase their reliance on online services and BYOD means that SMBs may now need to assess everything from their network and backup capacities, to how they secure devices and services.
Those utilizing cloud services for the first time may need some additional hand holding around setting SLAs that are appropriate for their new needs and the importance of multi-factor authentication.
With 52% of UK SMBs planning to continue with remote working models for the long term, business leaders may need to be encouraged to formalize remote working policies and outline key employee responsibilities with regard to data processing and data security.
With regard to GDPR, some SMBs may need clear guidance on how to uphold their responsibilities in the wake of remote working procedures.
Step 2: Prioritize and Act on Risk
Having jointly reviewed what’s changed in recent months, ensuring that SMBs are primed and prepared for potential threat scenarios will next depend on agreeing what risk mitigation actions should now be prioritized.
As part of this process, TSPs may need to provide recommendations on the key questions that SMBs should ask of other providers to ensure there are no unexpected gaps or surprises with respect to their security position. Where relevant, this could include an exploration of any external supply chain and customer environments they connect or integrate with. At a minimum, this should include ensuring:
- Cloud services are appropriately secured and are being used safely,
- All patching and updates are undertaken in a timely manner and included in SLAs,
- Security incidents are being monitored and logged,
- A clear incident response communications plan has been agreed and is in place.
Step 3: Security Awareness Training
Human error is one of the leading causes of cybersecurity incidents. So educating employees and providing them with the insights they will need to avoid risky behaviors should be a top priority for SMBs. That includes creating security policies and checklists that enshrine key ‘do’s and don’ts’.
Offering SMBs access to easy-to-consume security awareness training for their end users is one of the most effective ways of ensuring that everyone is able to master the basics of good cyber hygiene to keep data – and themselves – safe. Whether that’s regularly re-setting passwords, how to spot suspicious emails, and when it’s not appropriate to click on a link.
Plus, acquiring these skills will be beneficial to individual employees in their personal lives – helping them to keep hackers out of their bank accounts and their family’s sensitive and private information.
A good program should start with the basics, like phishing awareness and social engineering, and build up to cover more complex security lessons covering mobile device security. It could also be tailored to the specific job roles of individuals across the SMB organization and include real-live engaging experiential learning – like a phishing simulation.
Today’s security training resources can now be delivered and monitored via online platforms that break learning into ‘bite sized’ sessions that make it easy for end-users to consume learning sessions at a time that works best for them. For some SMBs, integrating cybersecurity awareness training into the onboarding processes may be the ideal way of ensuring that security is prioritized from the get-go.
Taking a Proactive Approach
Unfortunately, many SMBs harbor big misconceptions about cybersecurity. Having hired a TSP to take care of their environments, they often believe they’re now completely risk free and secure.
As experts at securing their own environments, TSPs are ideally positioned to educate and support their clients to optimize their security posture. That includes recommending security awareness training for end users, who represent the most significant risk when it comes to protecting an organization’s information security.
Responsible for providing security education, training and guidance on policies for clients, TSPs need to engage in conversations about cybersecurity that demonstrate the true value-add of working with a proactive partner that’s dedicated to putting its customers’ interests first.