Cybercrime is an equal opportunities business when it comes to target selection. No business is too big or small for the hackers. There was a time when small businesses could look upon their size and lack of financial resources as an advantage when it came to cybersecurity. There was safety in insignificance, to a certain extent at least. But this is no longer the case.
“The Garda National Cyber Crime Bureau (GNCCB) issued a message to SMEs last year,” says Small Firms Association (SFA) public affairs lead Elizabeth Bowen. “They told them that hackers had moved on from big organisations and were looking at smaller ones to see what they can get. There is a sense that some small businesses are not investing enough in cybersecurity and are not taking it seriously enough, and they want to take advantage of that.”
Jaap Meijer, Huawei Western Europe chief cybersecurity and privacy officer, agrees. “Operating within limited resource bounds, SMEs often find themselves in the crosshairs of cybercriminals seeking to exploit their vulnerabilities. With a scarcity of dedicated cybersecurity experts, SMEs can inadvertently face complex threats without the armour of specialised knowledge.”
Preparedness levels may be higher than assumed, however. “We recently conducted a countrywide survey of Irish businesses and entrepreneurs,” says KPMG head of cyber security Dani Michaux. “Our findings highlighted both preparedness and concerns. Perhaps surprisingly 86 per cent of domestic businesses and entrepreneurs said they felt prepared to deal with potential cyberattacks, which demonstrates a proactive approach to safeguarding their digital infrastructure.”
On the other hand the KPMG data showed that companies with between 10 and 49 employees and those based outside Dublin are less likely to feel prepared for a cyberattack. “It’s important that businesses of all sizes understand their risks and prepare accordingly in whatever ways they can,” says Michaux. “Overall the level of preparedness we see is positive, but businesses are often ready for simpler and known attacks and rarely are looking into simulations of more complex and challenging attacks. Companies should make cyberattacks real by conducting simulations in a cross-functional manner, including the whole business.”
Eric Barnes of AIB cyber threat management says SMEs should invest in cyber security resources and implement basic cyber security controls, hygiene and education. “They should also ensure that they keep their software up to date, ensuring that vulnerabilities are patched in a timely manner and regular data backups are performed. Organisations should also ensure a strong password policy is in place and enable multifactor authentication where available.”
“There is a lot that small businesses can do, both from employer and employee perspectives,” says Bowen. “They can make sure their antivirus software and firewalls are up to date. They can encrypt data and use multifactor authentication. They can also limit access to sensitive information to reduce the chances of it being compromised.”
There are numerous low-cost steps SMEs can take to protect themselves, according to Meijer. These include implementing strong password policies, maintaining regular software updates to help keep vulnerabilities at bay, and establishing a routine for backing up data to preserves critical information. “Leveraging free security tools like antivirus software aids in identifying and preventing malware,” he adds.
“Moving to measures with moderate cost implications, SMEs can focus on securing their digital environment by setting up secure wifi networks and shaping employee policies and procedures to foster a secure atmosphere. Managing employee roles and access efficiently reduces exposure to potential threats.”
Looking at potentially higher-cost measures he recommends implementing physical security measures to fortify premises against unauthorised access along with other steps. “Ensuring a proper employee offboarding process prevents lingering access post-employment. Conducting a thorough vendor security assessment guarantees third-party partners maintain adequate security standards. Making use of industry certified products can help in reducing supply chain risks further.”
Cybersecurity is very much a people issue, however, and even the most expensive software solutions won’t protect against basic human error. “We know how the threats come,” says Bowen. “They can come through telephone calls and emails with bad links. They can also come in emails purporting to be from the CEO or CFO asking for money to be paid into a bank account. SMEs need a verification policy for any new payee accounts and changes to bank account details and so on. Training is very important. Everyone is responsible for cybersecurity and training must apply to everyone from the receptionist to the owner manager. And best practice is to do training every month to remind everyone of the threats faced by the business.”
Eric Barnes concurs. “Staff education and training for cybersecurity is extremely important. It is often said that humans are the weakest link in cybersecurity. Employees are often targeted with phishing attacks, malware, and other cyberattacks. Educating and training employees on cybersecurity threats helps organisations protect themselves against these threats. Cybersecurity training will also help with avoiding data loss, protect the reputation of your organisation, avoid downtime, and help comply with standards such as GDPR.”
The benefits of training are far-reaching. “Equipping staff with skills to recognise and respond to cyber threats mitigates the risk of inadvertent security breaches stemming from human error,” says Meijer. “Employees, often the first line of defence, gain the ability to spot phishing attempts, deter unauthorised access, and navigate safely online with cybersecurity insights. Employees who are well informed quickly spot and report phishing attacks, stopping potential data leaks. Learning about strong passwords makes SMEs more secure as employees understand how vital it is to make complex passwords and not share them.”
Joining industry associations or networks can provide access to shared knowledge, best practices, and collaborative efforts to improve cybersecurity collectively, he adds. “Alternatively participate in forums, webinars, and conferences to stay informed about the latest threats and mitigation strategies. Learning from others’ experiences can be valuable for SMEs. External training platforms and courses can be cost-effective solutions for educating employees about cybersecurity best practices.”
“There is a lot of guidance available from SFA, the National Cybersecurity Centre (NCSC), and the GNCCB for small businesses to use in training and developing policies,” Bowen adds.