Jeremy Hendy outlines what the Government, cyber security industry and businesses must do to strengthen the cyber resilience of UK SMEs
Since the start of the pandemic, hackers have been quick to exploit the growth in home working practices, and with many staff continuing to work in a hybrid way, it is essential for businesses of all sizes to put much tighter cybersecurity measures in place.
Yet, in a recent Skurio survey of 257 public and private sector organisations, just under half stated that insufficient resources and a lack of in-house expertise were preventing them from keeping pace with – and protecting themselves against – evolving cyber threats, including network attacks, phishing attacks and data breaches from their own network/staff and from third-party suppliers.
The remainder also highlighted insufficient funds for new staff, technology and/or outsourcing, as well as a need for greater awareness of the cyber threat landscape, even if not all felt the need to invest in additional cyber security support and technology.
When it comes to the consequences of these vulnerabilities, and to searching the surface, deep and Dark Web for evidence of data breaches (so-called Digital Risk Protection, or DRP), too many businesses rely on DRP built into other solutions, such as Microsoft 365 or password and antivirus software. Six in ten organisations admit they are not adequately or fully able to detect threats from data breaches, malicious domains, supply chain risks and intellectual property attacks.
What, then, is stopping organisations from putting additional proactive measures in place? And what needs to be done to change the status quo?
Here are three areas that I believe need to be addressed in order to overcome the obstacles to better cyber security.
1 Fill the knowledge gap
Businesses ‘don’t know what they don’t know’, which is why vendors and service providers may encounter resistance from businesses unwilling to invest in additional cyber security support. A stronger education push by the cybersecurity industry and the UK Government is needed to give millions of employers and employees greater awareness of all cyber threats and the part that they or their suppliers could unwittingly play in jeopardising their company’s security.
The reality is that cybercrime activity across the surface, deep and Dark Web is escalating: customer and company data, personal profiling information and passwords are becoming the most sought-after goods on Dark Web forums, and ransomware attacks now routinely involve ‘double-extortion’ techniques where stolen data is exposed regardless of whether a ransom is paid. The upsurge in malicious domains is relentless, with consumers tricked into believing they’re in contact with a genuine brand or organisation, buying fake goods and services, and having their data stolen or being exposed to malware. Inevitably, we have also seen an increase in third-party breaches due to more complex digital supply chains.
2 Tackle the misconceptions
One of the biggest misconceptions organisations have is that they already have enough DRP tools in place to manage cyber security attacks, such as password managers, spam filters and anti-virus firewalls. Even if these defences are watertight, any organisation is still at risk from supply chain attacks or compromised data in third-party apps that employees use.
There is also a belief amongst SMEs that cyber-attacks are predominantly directed at large enterprises. In truth, small and mid-sized organisations are now prime targets for many cybercriminals, largely because their defences are less well developed. In 2021, 39% of small businesses and 65% of medium-sized businesses reported breaches or attacks on their systems, according to research from the Department of Digital, Culture, Media, and Sport. Figures published by Hiscox, the business insurer, show that small businesses are the target of 65,000 attempted cyber-attacks every day, and while most attempts fail, a small business in the UK is successfully hacked every 19 seconds. In Hiscox’s recent Cyber Readiness Report 2021, one in six businesses admitted they ‘almost went under’ as a result.
3 Financial support or grants for SMEs
Many small and medium-sized businesses simply do not have the funds to invest in new staff or resources, either in-house or by outsourcing. If the UK Government offered some form of Cyber Resilience grant, it would greatly support the country’s efforts to combat cybercriminals and enable SMEs to make use of the expert network of channel partners operating in cybersecurity.
The Government is set to respond to a recent consultation on proposals to improve the management of cyber risk within organisations and ensure the UK regulatory framework remains effective. If any new cyber reforms it proposes are to be fully inclusive and effective, it’s critical to overcome the barriers highlighted above and enhance the cyber resilience of private and public sector organisations.
Jeremy Hendy is CEO of Skurio, a specialist in Digital Risk Protection (DRP). Its automated DRP platform searches the surface, deep and Dark Web for businesses’ critical business data, evidence of data breaches and other potential threats to a business’s operations and reputation.