SME Congress in Katowice
Earlier this week, our co-founder and COO Marek Ostafil spoke to SME Technology Guide about how small businesses can get cyber secure. His comments in the article, alongside those of other cybersecurity experts, can be viewed here.
Marek went into more detail when he discussed the best cybersecurity practices for small and medium-sized businesses with our team…
What are the big challenges for SMEs when it comes to cyber security? Is it costs? Finding a solution that works? Integrating it into existing technology? Insider attacks, email compromise?
It is, of course, a complex subject and there are always different factors that contribute to the cybersecurity challenges faced by SMEs. One of the most important obstacles is the internal capacity of the team to implement a cybersecurity solution when all teams are focused on developing their own solution (e.g. production, tech sales support teams etc.).
Of course, the cost of implementing a cybersecurity solution can also be a barrier. If an SME is struggling to survive then all costs (including cybersecurity) will be subject to cuts. Unfortunately, many still view cybersecurity as a cost rather than as an investment.
Another challenge is the mindset and awareness. Very often SMEs are thinking “Oh, we are just a small company – why would hackers be interested in us? There are so many bigger companies to attack.” It’s a major mistake – hackers are not picky. Credentials are credentials, and from whom they can be stolen does not really matter.
Another interesting trend we observe is that in many cases, in order to attack a large company, cybercriminals are using an innocent and trusted subcontractor, hacking into its system and then using it as a “Trojan horse” to get to the systems of the large company. Of course, awareness always plays a big role in all types of companies, so it needs to be kept in mind that SMEs can also be targeted with phishing campaigns or ransomware.
Which areas of a small business are particularly vulnerable to attackers?
Every element of SME’s activity can be tempting for hackers. It also depends on the market or industry the SME is working in. If we are a fintech company, we are extremely interesting because of the type of business we are in and data we are dealing with. But even if we are not working in the obviously “sensitive” industries we still can be used as a tool to attack others.
What types of attack are most successful? What type of data are hackers after?
The most common and successful are phishing, Man-in-the-Middle and ransomware attacks. But cyber criminals are not only after money. They are in most cases after credentials that could be used either to get the money or to obtain unauthorised access to data, including company secrets and sensitive information.
Here we are touching on an emerging “market” for cybercriminals – data theft. It is not new, but we are now witnessing the beginning of a new era – the era of the Internet of Things (IoT) – in other words, any network of Internet-connected objects able to collect and exchange data. And the data that is being transmitted between parts of IoT systems is highly valuable. Not only to cybercriminals but also to competitors. In the world of 5G, everything will be connected. All kinds of data, whether we like it or not, will be transmitted, so it’s essential that it’s well protected.
How can small businesses find a solution that balances enterprise-grade security, but is also easy to install and has an easy-to-use interface? Do you need a full IT team to run and manage cybersecurity properly?
First of all, you need an open-minded management that understands the challenge and the real risks and sees cybersecurity as an investment or even a competitive advantage rather than a cost.
It’s not necessary to have a full IT team if your cybersecurity supplier provides good customer service. But, if they do have an IT department, the management needs to work closely with them to look for the most efficient solution – and it might not always be that the most well-known solution on the market is the best. Surely it may provide some sense of security but the real question is: “Does it work for us? Or is it just going through the motions?”
It is a challenge to implement a solution that is secure AND easy to install and maintain. But an even bigger challenge for the management is to decide to employ an innovative cybersecurity solution instead of sticking to the “established” one that is well known but may not fulfil their specific needs.
Is cyber security more of a burden than it should be for small businesses? Is there a way to make it a business-enabler rather than holding back teams?
Cybersecurity is still very often considered as something that one is being forced to use – especially among SMEs. The above-mentioned attitude “who would ever attack an SME?” is the problem.
However, working in more challenging marketplaces than ever before, many SMEs are now trying to use the superior cybersecurity of their products as a competitive advantage. Unfortunately, the race for the easiest UX and quick (here-and-now) revenue enhancers is very often winning the competition with security as a tool to attract customers.
How can managers/owners get their team on board with cyber security best practice?
There are many educational campaigns, initiatives and other tools that are aimed at increasing cybersecurity awareness, and most SMEs are becoming more and more aware of the need for cybersecurity.
But what we sometimes find is missing when speaking to SMEs is dedicated time to reflect on the risks and the tools to really mitigate them, and time and patience to implement solutions and processes.
Cybersecurity is not about being compliant. Cybersecurity and security of the business is about knowing why we have to protect our business, knowing risks and investing time and effort to find really good, efficient solutions – even if they are not standard ones. Let’s remember that standards are not a guarantee of security. Just look at using passwords for authentication – it is a standard but a disastrous one. And we’ve seen this time and time again with high-profile data breaches after passwords have been stolen from major organisations, leading to massive economic and reputational losses.
Can you give examples/case studies/use cases of small businesses who have been able to successfully implement top notch security without holding their team back?
The Polish company APA Group, which provides solutions for the Smart Buildings and Industry 4.0 sectors, has recently implemented our cybersecurity solution specifically designed for IoT networks – ELIoT Pro.
ELIoT Pro completely eliminates passwords for Human-to-Machine and Machine-to-Machine authentication, as well as providing a special Lightweight Encryption to protect data being sent between the simplest smart devices in their systems. APA Group’s management decided to invest in cybersecurity and it’s now a major competitive advantage for them.