Media coverage of cybersecurity breaches naturally focuses mainly on big players such as Equifax, Marriott, Sony and Target. However, this only looks at the tip of the iceberg. Below the surface, SMEs (small and medium-sized enterprises) are also in the line of fire with hackers who often choose to attack the less well-known organizations.
This article looks at the specific challenges that SMEs face in securing their networks from cybercriminals and will also explore several security models smaller businesses could adopt to overcome obstacles.
SMEs are in the Line of Fire in the Cybersecurity War
The first fact that SMEs need to get used to is that cybercriminals are more interested in attacking their organizations than they may think. In fact, hackers often prefer to target SMEs rather than going after the bigger fish. There are several reasons for this:
First, small businesses are seen as low-hanging fruit that is ripe for the picking. SMEs’ limited budgets mean they tend to lack the in-house expertise to properly secure their networks. SMEs are also less able and/or willing to invest in the leading (and most expensive) cybersecurity solutions, which means their systems tend to be far easier to hack into using the dark web equivalent of off-the-shelf technology. Once within the perimeter, attackers can then more easily move horizontally through different systems without triggering intrusion detection or prevention devices.
SMEs are also less likely to have robust training in place to prevent human error, which is still the most common factor associated with a successful cyberattack or data breach. These enterprises often cut costs by relying on remote freelance workers and using commodity-grade cloud software products like Dropbox or Salesforce. They are also more likely to allow employees to use their personal devices to connect to the internet — a high-risk activity that is at the root of many successful hacks and can lead to the spread of so-called ‘shadow IT.’
Mobile employees often connect to numerous networks during the course of their working day, mainly through wireless channels like public WiFi, 4G and even Bluetooth. With each new network connection comes another potential channel for a cyberattack.
Without a clear ‘bring your own device’ (BYOD) policy in place, mobile devices could be used to download unofficial apps or to access a public WiFi hotspot. Both of these practices can lead to the devices being hacked or their messages intercepted. Enabling mobile access to sensitive data may even be against some compliance rules, putting companies at risk of incurring hefty fines.
Despite their size, SMEs can still have access to large volumes of sensitive data and may be run by high net worth individuals. Ransomware designed to steal, expose or lock away data can therefore be an effective tactic to extort payments from small businesses, particularly when data breaches could lead to staggering fines that could send a small or medium business under in a heartbeat.
Leading SMEs tend to leverage innovation and unique tactics to achieve success, which means that cybercriminals could threaten an SME’s competitive edge by stealing intellectual property. The insecure networks operated by small businesses are also often treated as a ‘watering hole’ from which hackers can infiltrate the networks of larger clients.
This is exactly what happened to Target. Hackers managed to break into the systems of a smaller air con provider and then used privileged access to hack into Target’s network and steal credit card details.
It’s no secret that SMEs face a considerable challenge when it comes to securing their networks. Not only are they required to provide the same cast-iron protection around sensitive customer data as larger enterprises do, but SMEs also have to do it with a much smaller budget. If they don’t, catastrophic losses could ensue.
Coopetition and Cloud Computing: Pooling Resources
So, what can an SME do to bolster its defenses against hacktivists and data thieves?
The two best strategies are coopetition and cloud computing, both of which enable businesses to pool resources, but in very different ways.
Coopetition: Serving Shared Interests
Coopetition is the strategy of cooperating with competitors in order to achieve shared goals. For coopetition to work, the businesses involved have to carefully balance shared gains against private gains. All parties need to understand how they can work together to increase the size of the pie with the understanding that they will ultimately be competing for the largest slice of that same pie.
When it comes to cybersecurity coopetition, pooling resources to invest in the best tools and bring in advanced technical professionals can benefit all businesses involved. As long as each company’s data is kept separate and one company doesn’t have elevated privileges, this arrangement can overcome the financial limitations that SMEs typically struggle with.
SMEs are in a far better position than their larger cousins to engage in coopetition. Their processes tend to be less constrained and their hierarchies less defined, enabling them to change strategies quickly.
Leveraging Distributed Computing in the Cloud
The ultimate way to pool compute resources is by adopting cloud computing. Again, this is often quicker and easier for SMEs to implement than larger companies because they don’t have to deal with the hassle of decades-old legacy hardware consisting of multiple dependencies.
Keep in mind, though, that migrating to the cloud doesn’t guarantee security by itself. Although the public cloud providers are responsible for securing data within their networks, businesses still need to choose and configure security products or services correctly in order to protect data on their side of the public cloud gateway. However, cloud-based security products are cheaper, more scalable and easier to maintain than standard hardware devices. They are often provided as managed ‘pay as you go’ services with skilled technicians employed to monitor for security events.
Of course, moving into the cloud requires careful planning. For starters, there are several competing public cloud solutions on the market. To help you decide between Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure, consulting with a cloud specialist is highly recommended (e.g. telecom RFP consultants). These specialists can also help you weigh up the costs and benefits of various deployment options, including a cloud direct connect, which is a more secure connection to your cloud services that by-passes the ‘wild west’ of the internet.
Creating a Security-First Culture
While coopetition and cloud computing can provide the additional resources needed to shore up network defenses, this is no substitute for employees who are security-aware. In fact, even the most powerful enterprise-grade security services can be neutralized quite easily via misconfiguration or weak security policies.
Despite decades of high-profile data breaches, many businesses still bolt cybersecurity onto their in-house literature almost as an afterthought. To protect themselves from hackers, business owners need to revisit their strategies and rework them to put security at their heart.
Cybersecurity training would play an important role in ensuring that both new and existing staff members are on the same page when it comes to security best practices. Topics to be covered in full should include phishing, password hygiene, message encryption, compliance, BYOD policy, software update management and suspected cyberattack response.
To reinforce the message, regular refresh trainings should be scheduled, with outcomes tied into appraisals.
By combining pooled resources, effective training and a security-first culture, there is no reason why an SME’s network can’t be as secure (or even more secure) than that of a big, multinational corporation. Security is a big challenge for those on limited budgets, but it is a challenge that must be — and can be — overcome with the right resources in place.
About the Author
Ben Ferguson is the Vice President and Senior Network Architect for Shamrock Consulting Group, an industry leader in digital transformation solutions. Since his departure from Biochemical research in 2004, Ben has built core competencies around cloud direct connects and cloud cost reduction, SD WAN providers, enterprise wide area network architecture, high density data center deployments, cybersecurity and VOIP telephony. Ben has designed hundreds of complex networks for some of the largest companies in the world and he’s helped Shamrock become a top partner of the 3 largest public cloud platforms for AWS, Azure and GCP consulting. When he takes the occasional break from designing networks, he enjoys surfing, golf, working out, trying new restaurants and spending time with his wife, Linsey, his son, Weston and his dog, Hamilton.