<?xml encoding=”utf-8″ ?????????>
Simon Hughes – VP and General Manager for the UK arm of Cowbell, a leading cyber insurance provider for SMEs – runs through the most common cybersecurity mistakes startups make, revealing how to fix them before hackers catch on.
One of the most common misconceptions among small and medium-sized enterprises (SMEs) is that they are less vulnerable to cyberattacks than their larger counterparts. It’s a belief that most likely stems from the perception that cybercriminals primarily target high-profile organisations for larger financial gains or notoriety. However, this is not entirely true.
Granted, the likes of Microsoft, Google and other major tech companies have fallen victim to cyberattacks on multiple occasions. Google’s 2009 “Operation Aurora” cyberattacks and Microsoft’s 2017 “WannaCry” ransomware attack both come to mind. The reason they come to mind however, is not because the effects these attacks caused were any more damaging than those SMEs experience, but because of the extensive media coverage they received.
When an SME is targeted, it’s unlikely to make the news, but that doesn’t make the effects any less damaging. In fact, it’s often quite the reverse; the same events impacting an SME business – financial loss as a result of a cyber event, reputational damage, legal costs, business interruption – are all likely to be felt much more acutely by a small or medium-sized business compared to a larger and more established organisation.
Coupled with this is the likelihood that an SME organisation is spending considerably less on their IT security than a much larger organisation and therefore more likely to fall victim to a malicious cyber event in the first place. Criminal organisations are well aware of these facts too. Therefore, the key for SME businesses is to think not only about their own cyber exposure, but how they can lower the likelihood of an event happening in the first place. If an incident then does happen, it’s about ensuring effective risk transfer and access to the necessary incident response capability.
A recent case study shows that businesses whose risk factors, based on Cowbell’s proprietary risk model, were 8 points higher than the industry average have a 1% chance of suffering a cyber attack or event, while businesses whose risk factors were 7 points lower than the industry aggregate have close to a 16% chance of suffering an event. That means implementing good cyber hygiene can indeed lower the likelihood of cyber events from happening.
So just what are the most common cybersecurity mistakes SMEs make and what can they do to fix them?
Failing to implement Multifactor Authentication (MFA)
One of the biggest mistakes SMEs can make when it comes to cybersecurity is failing to implement Multifactor Authentication (MFA), also called 2-Factor Authentication (2FA).
MFA is an electronic authentication method that only grants users access to websites or software if they present two or more pieces of evidence to an authentication mechanism. This usually involves a password, push notification, and/or authentication code using an authenticator app like Google Authenticator, Okta, or similar. According to Microsoft, implementing MFA can block up to 99.9% of account compromise attacks.
The great news is that implementing MFA is easy and usually free for most commonly used software and Cloud applications (Google Drive, Zoom, payroll software, etc.), and it can usually be enforced company-wide by the software administrator. For payroll software such as QuickBooks or ADP, for example, you’d simply follow these steps:
Step 1: Log in to your payroll software account.
Step 2: Look for an option in your account settings or security settings related to two-factor authentication or multi-factor authentication.
Step 3: Follow the instructions to enable MFA. This typically involves setting up a second verification method, such as receiving a code via text message or email.
Data backup complacency
Once a bad actor (an individual, group, or organisation that engages in malicious or unauthorised activities in the digital realm) gains access to a system, frequent data backups can prevent a lengthy business shutdown or costly ransomware payment; yet, many small companies still don’t back up their data regularly and properly.
To ensure an efficient backup strategy, companies should follow the 3-2-1 rule:
Ensure that you have three copies of your data (your production data and two backup copies),
on two different media (disk and tape)
with one copy off-site and entirely segregated from the rest (meaning offline, using a hard drive or in the cloud) for disaster recovery.
Allowing employees to use public wifi without a virtual private network
Many companies allow at least partial remote work for their employees, which can present an increased risk of exposure if virtual private networks (VPNs) aren’t put into place. A VPN creates a secure connection between a computing device and a network, or two networks, and is necessary when using public Wifi. Without a VPN, bad actors can gain access to your device or network through the shared Wifi.
Public Wifi is any Wifi that a large group of people has access to, for example, in cafes, airports, or hotels. Non-password-protected Wifi is the most dangerous, but even password-protected Wifi should only be accessed using a VPN, if the password is easy to obtain.
Luckily, there are many VPN providers available, and implementation can be done company-wide by an administrator. A couple of examples include:
ExpressVPN, which offers a high level of security with strong encryption, a strict no-logs policy, and a wide range of server locations. It has user-friendly apps for various platforms, making it easy for employees to install and use, and works on Windows, macOS, iOS, Android, Linux, and even routers. ExpressVPN allows businesses to set up VPN protection for their entire workforce through a business-specific plan.
NordVPN is another great example. Its advanced security features include Double VPN, Onion Over VPN, and CyberSec, which blocks malicious websites. It boasts a large server network spanning multiple countries, ensuring good connection speeds and like ExpressVPN, offers user-friendly apps for various devices, making it accessible for all employees.
No incident response plan
Due to the misconception that smaller businesses don’t get targeted by bad actors, many do not have a plan in place on how to behave if their company does fall victim to an incident. An Incident Response Plan (IRP) is a detailed plan that goes over all the actions to take when companies experience an incident, and it should be put in place before ever falling victim, as well as revisited and updated at least yearly.
The goal of an IRP is to give businesses peace of mind that they are prepared for an incident. They will know exactly what they need to do if such an event occurs, which will ultimately help to reduce the time and money it takes to get business back up and running. It’s worth noting that a good quality cyber insurance provider will offer assistance in creating an IRP, tailored to your business, along with various other risk management tools and services that can help bolster security and awareness.
Standalone cyber insurance policy
Many small businesses are still under the dangerous assumption that standalone cyber insurance policies (specialised insurance products designed to provide comprehensive coverage for a business against various cyber-related risks and liabilities) are only necessary for large enterprises. However, more than half (54%) of SMEs in the UK have experienced some form of cyberattack in 2022, up from 39% in 2020, according to a recent Vodafone study.
For those businesses that attempt to bundle cyber coverage into their general business insurance policies instead, several challenges can arise from what is often a one-size-fits-all policy that fails to consider the unique cyber risks faced by individual SMEs. If you fall victim, these may include insufficient financial protection and risk transfer, delayed claims processing, and an inability to provide you with the necessary technical assistance and incident response capability that your business needs during a cyber event.
Additionally, many good quality cyber insurance providers offer risk management services without any extra charge as part of your policy. This can include cyber risk assessment services, educational material, and templates for things like Incident Response Plans and Disaster Recovery Plans, just to name a few.
Right now, not only are many SMEs unprepared for the effects of a cyber incident – 90% of SMEs that experienced a serious incident say the cyberattack costs them more than they thought it would – but cybercriminals are increasingly targeting SMEs over larger firms for a number of reasons. They typically have less robust cybersecurity measures in place, it’s a target-rich environment (there are 5.5 million SMEs in the UK) and their resources are limited – all of which make them easier targets.
With the cyber landscape evolving on a daily basis, there is no better time than now for SMEs to take the opportunity to improve their cyber security posture and prioritise their cyber resilience. With the right planning, preparedness and cyber risk transfer in place, the severity of cyber incidents can be dramatically decreased; an approach that is undoubtedly far more cost-effective than dealing with the aftermath of a cyber incident without help.