By Ian Yates, CTO of treasury management FinTech Neo
Relentless phishing emails, fraudsters impersonating healthcare officials and organisations, exposed networks – the rapid pivot to home working and the resulting cybersecurity threats continue to be a headache for small businesses. Yet, while the pandemic exacerbated a number of these vulnerabilities, most were present long before the COVID-19 era.
Setting the scene: Cybersecurity before COVID-19
Even in the years before the pandemic, SMEs were often just one click away from a cybersecurity breach, largely as a result of their weak technological defences. This is due to a combination of lower awareness of the threat and limited resources to put into cybersecurity. Consequently, cybercriminals and would-be fraudsters are able to take advantage relentlessly – a recent report suggests that small businesses are the target of over 40% of cyber-attacks, with an average loss per attack of more than US$188,000.
The often-limited cybersecurity tools many SMEs use to protect their operations mean they are the “weakest link”, and criminals can use this to exploit their connections to larger companies in the supply chain.
In 2019, it was estimated that one out of five SMEs had fallen victim to a ransomware attack. Phishing attacks have also reached their highest level in three years with small organisations receiving malicious emails at a higher rate. While SMEs are juggling a number of issues and priorities, they cannot afford to cheap out on cybersecurity.
The perfect storm: COVID-19
There’s a common assumption among small business owners that their company is too small to be targeted by a cyber-attack. Unfortunately, this is not the case. The pandemic has provided cybercriminals with an unprecedented opportunity to exploit confusion, uncertainty and hastily assembled security measures as workforces pivot to remote working.
A recent study from the legal firm Hayes Connor Solicitors shows that many firms are not doing enough to protect their businesses. For example, one in five UK home workers has received no training on cybersecurity, and two out of three employees who printed potentially sensitive work documents at home admitted to putting the papers in their bins without shredding them first.
With hundreds of millions of people around the world forced into managing sensitive data while working remotely, 2020 has proven to be a turning point in terms of attitudes to cybersecurity. Most technology and software systems were built to be accessed primarily on-site, so their security systems are geared accordingly.
But the shift to remote working has led to workers increasingly using personal devices to ensure business continuity, and many communications are now taking place outside company firewalls on novel applications. This can significantly increase cybersecurity risks for SMEs, as applications for remote working are often the target of malicious actors.
In 2020, there was a 400% increase in cyber fraud in the USA alone, with statistics showing that small businesses – especially sole traders and the self-employed – were the most vulnerable, while also lacking good access to relevant security services.
It goes without saying that the pandemic has strained the finances of most businesses, and increasing investment in security can be difficult for SMEs at a time when many struggle to keep their cash flowing.
How technology can help – if used strategically
There are a number of simple things businesses can do to protect themselves by taking advantage of available technology. It is widely known that human error is the weakest link when it comes to cybersecurity, so the bigger challenge for companies is to prevent unauthorised access, hacking or fraud arising from the multiple access points that now exist.
An achievable starting point is simply setting out a clear cybersecurity policy and ensuring everyone in the business is well aware of protocols and best practices. This would also involve establishing clear rules on how devices are used, how teams share documents and so on.
Tailored and controlled access can be another effective way of improving cybersecurity. By making this as granular as possible, senior managers can control the features their team members can access. If unauthorised access were to occur, it would make it easier for the security team to identify and address the source without the risk of system-wide contagion.
Any system needs to incorporate the latest security and encryption protocols, even if a business feels it is too small to be worth a cybercriminal’s time. This can include multi-channel two-factor authentication, four-eyes checks, a complete audit trail of all activity, continuous backups and much more. These protocols need to be reviewed thoroughly, tested, challenged, and updated regularly to ensure SMEs are less likely to become easy pickings.