Cybercrime is one of the most critical challenges facing contemporary businesses. In the 2019 Official Annual Cybercrime Report, Cybersecurity Ventures predicted that cybercrime will cost more than $6 trillion annually by 2021. This is a significant increase on the $3 trillion it cost in 2015.
While the data breaches most commonly reported on affect large companies that handle the data of potentially millions of users (the Uber and LinkedIn scandals we’ve all read about), small- and medium-sized enterprises are increasingly targeted by cybercriminals.
It has been reported that as many as 130,000 SMEs fell victim to cybercrime in 2018, costing each business an average of £65,000.
Cybersecurity monitoring in large enterprises
Large enterprises have access to significant resources to prevent cyberattacks or to recover if they are compromised.
They are able to deploy multiple safeguarding strategies via a well-staffed IT department to monitor and manage the effectiveness of cyber security products. Whether implemented as software, appliances or managed services, large enterprises have the resources to identify issues in real time and deal with them as soon as they are detected.
However, the cost of the necessary tools and their implementation, on top of the staff to operate them and the training those staff need, can put these solutions out of budget for many businesses.
What are the risks for SMEs?
Most SMEs do not have the resources to protect their business in the same way that larger organisations do. This means that SMEs often have to rely on sporadic and even incomplete investigation. Reports might come monthly, at best, to ascertain how well their business is protected. There is no guarantee there won’t be significant gaps in these reports or that the information won’t be out of date by the time the decision to act has been made. Even external support from MSPs doesn’t equate to real-time protection.
This leaves a lot of SMEs vulnerable to attacks that could be caught and prevented with proper cybersecurity and compliance monitoring.
The famous WannaCry attack exploited a vulnerability in Microsoft software and cost the NHS £92 million last year following an attack in May. This is in spite of the fact that a patch had been released in March that could have protected against it.
Equally, the cyberattack on Equifax, which compromised the data of over 140 million people, was described as “entirely preventable”. The breach was ultimately possible because of unpatched software and outdated IT systems, which were left unattended as a result of poor security management.
A lot of time and money, as well as an organisation’s reputation, can be saved by having processes in place to ensure the technology being used to handle sensitive data is up-to-date and that data security standards are being adhered to. Otherwise, security gaps between reporting periods go unnoticed and may not be discovered until after they have been exploited.
These risks are amplified for SMEs that don’t have extensive resources to put towards cyber protection. Cybercriminals know this, which is why small businesses make up almost half of all data breaches, according to Verizon’s 2019 Data Breach Investigations Report.
What can SMEs do to protect themselves?
There are a number of cost-effective steps that SMEs can take to address the risks to their business. These essential processes complement the approach of internal and external IT support to ensure that your cybersecurity is well-maintained and effective.
- Boardroom engagement to support cybersecurity decision making and investment. The NCSC has published a Board Toolkit explaining the board’s responsibility when it comes to cybersecurity and how they can engage with it proficiently.
- Adopt a platform that monitors your cybersecurity in real time. Instant visibility leaves no room for vital upgrades to be overlooked and catches threats before they become critical.
- Adopt a platform that covers your entire cybersecurity environment – the more comprehensive the better. This needs to include all your third-party apps, your encryption and any other tools you use within your digital infrastructure.
- Adopt nationally recognised cybersecurity standards such as Cyber Essentials or ISO 27001. Establish a simple framework to support those responsible for delivery and track the proper implementation of all your policies.