The Cyber Siege of SMEs
Cyber security has become a critical issue for governments at all levels and is one of the top risks concerning major global enterprises, which have suffered from cyber incidents costing hundreds of millions of pounds. But cyber security impacts businesses of all sizes, not just governments and major enterprises.
All businesses need to take cyber security seriously, but SMEs face unique challenges. Not only do SMEs lack the budget to deploy the kinds of security tools used by larger enterprises, they typically do not have the personnel to manage such security. Fortunately, the shift to cloud-based security, or “Security Software as a Service” (SSaaS), is simplifying security for SMEs. This article outlines some key challenges facing SMEs and four opportunities where the shift to SSaaS can make it easier for SMEs to cost-effectively deploy security across email, endpoints, web traffic, and access management in a way that was not possible before.
The SME Challenge
How are SMEs supposed to protect themselves, given all the challenges and limitations they face? They don’t have unlimited budgets to spend on expensive cyber security solutions or on hiring in-house experts like larger companies do. Financial institutions spend an average of 0.3% of revenue and 10% of their IT budget on cybersecurity, according to numbers tallied by the consulting firm Deloitte [3], while the very smallest businesses may not even have a dedicated IT person, let alone a specialist in information security. Then there are the staffing limitations most SMEs face. Even if an SME wanted to hire a qualified cyber security professional, it would be difficult given the industry shortage of qualified individuals. In 2019, (ISC)² reported global skill shortages of around 4 million, with shortages in the UK increasing by over 100%. Alongside these findings, it produced suggestions for tackling this shortage by widening existing employees’ skill sets [4].
Many SMEs struggle to secure themselves against constantly changing threats from advanced email attacks and advanced endpoint attacks. Many SMEs also have not implemented website traffic filtering or Multi-Factor Authentication (MFA) to help protect their users from inadvertently visiting compromised sites or from having their accounts compromised due to weak passwords. In the past, it was much more difficult to protect SMEs from the critical attack vectors discussed below. The advent of cloud-based technologies, however, has made sophisticated software solutions more cost-effective and easier to implement. These “Software as a Service” (SaaS) solutions are dramatically changing IT strategies and making critical tools and services available to SMEs. Gartner predicted that investment in SSaaS budgets would increase by around 17% in 2020 [5], and a 2019 AT&T Cybersecurity survey found that 76% of organizations found endpoint security more important compared to 12 months before, and 41% increased their endpoint security budget [6].
These services provide critical protection for SMEs in a way that is easily implemented, easily managed, and cost effective, while providing real-time protection that can help prevent SMEs from falling victim to the latest cyber threats.
Opportunity 1: Email security
Email threats from malware, spam, and phishing continue to be one of the biggest issues facing SMEs. Many SMEs rely on the spam and malware filtering capabilities built into their email server software or their email provider, only to find out the hard way that those tools have limited capabilities, are difficult to manage and report on, and worse, fail to protect the business from advanced or “zero-day” threats. Findings from the 2019 Data Breach Investigations Report (DBIR) [7] showed that 94% of malware was delivered by email, with 48% of UK organisations hit by ransomware, according to Sophos. The average remediation cost of a successful ransomware attack to UK enterprises is $840,000, higher than the global average of $761,00. 32% of UK companies have cybersecurity insurance that doesn’t cover ransomware [8].
Besides the rise in embedded malware, there has also been an increase in “business email compromise” (BEC) scams, a form of financial fraud meant to trick an employee into paying fraudulent invoices or making a large wire transfer by spoofing a manager or supervisor’s email. More than 400 businesses are attacked each day by BEC scams, with SMEs the most frequently targeted, resulting in losses of more than $3 billion in previous years. In one reported incident, an aerospace company fell victim to a BEC scam and transferred approximately $50 million to scammers [9].
A traditional email service or product protects against “known” email malware, i.e., viruses with already-defined signatures. It should also stop known spam and bulk emails, though this often requires a lot of rule tweaking. An advanced cloud gateway can protect against unknown malware and viruses—even those without signatures. It can block spam and bulk email by leveraging data from global spam trends without requiring the SME to continually tweak the filtering rules. The real feature sets that are critical in defense of the SME are in the advanced and zero-day threat protection capabilities of a cloud-based email gateway service. How well can it stop targeted spear phishing attacks, protect you from malicious embedded links, or stop obfuscated malware from getting through to an employee?
A truly advanced gateway should protect against a host of targeted attacks by leveraging a global intelligence engine fed by millions of endpoints. That intelligence should be constantly updated and combined with technology that scans multiple email attributes to find and block anomalies and obfuscated malware buried deep within a message or attachment. The service should leverage advanced machine learning and provide the ability to stop targeted BEC campaigns through real-time link following, click-time URL protection, and analysis engines that stop typosquatting of domain names and user spoofing. A cloud-based email service with these features can be the most cost-effective way to keep your SME safe.
Opportunity 2: Endpoint protection
Second on the list of critical SSaaS services is an endpoint product capable of addressing advanced threats. In 2017, 669 million new malware threats were found, with the number continuing in the millions over the last few years [10]. A traditional anti-virus product that updates only virus signatures, or has limited capabilities, will not adequately protect against new and emerging zero-day or advanced threats. Protecting SME endpoints from the constantly evolving landscape presents distinct challenges. Attacks are increasing at a faster rate than ever before. The pressure of a mobile workforce demanding more device choice, budget limitations, and lack of qualified IT support all conspire to complicate the defence of SMEs. Ransomware and mobile device exploits were some of the biggest threats facing organisations over the past 5 years, with average ransom amounts increasing and more vulnerabilities exposed through an expanded device portfolio [11].
A cloud endpoint product that truly protects against new malware variants and zero-day threats must be able to protect a wide range of devices and operating systems. It should use intelligence based on big data leveraged from a global intelligence network that is automated and driven by billions of lines of threat telemetry. Additional advanced features should include the ability to do real-time cloud lookups of all scanned files, as well as a file behaviour engine that monitors operating systems and applications for suspicious activity. Beyond that, the next level of endpoint protection should include artificial intelligence and machine learning in order to pre-execute and detect evolving threats and variants of previously identified malware. Anything less could leave the business vulnerable and exposed.
Opportunity 3: Web security
The third major problem facing SMEs is the lack of insight and control over web traffic. End users of many SMEs browse websites that are vulnerable or have been exploited. A user will then inadvertently download some malicious content. Worse, many SMEs have no idea what data is leaving their network via employees, contractors, or third-party vendors. Unfortunately, 76% of websites scanned by Symantec still have vulnerabilities; by December 2018 Symantec were blocking over 1.3 million unique web attacks [12].
So, how can an SME protect users from ubiquitous threats while managing new devices and mobile users’ traffic even when they are remote? How can an SME protect data in the cloud and comply with required legal regulations? One way is to use a cloud-based web-filtering service. These services allow SMEs to use URL filtering and categorisation to protect a network and enforce usage constraints. They allow an SME to filter and see all web traffic. Moreover, that web traffic is checked against policy rules, and all traffic to and from blocked or blacklisted sites is stopped. This service gives granular control over web usage by apps, devices, users, and locations, allowing an SME to exercise greater control over its network and to enforce acceptable use policies while protecting against malicious content. An advanced cloud-based web-filtering service should also auto-block newly found and zero-day threats before they can impact your network. In particular, malware protection should include sandboxing and behavioural analysis that can detonate a threat in the cloud before it gets to your network. And, because the service is cloud-based, it can protect clients and devices even when they are not in the office or on a company network.
Opportunity 4: Password and access management
The final vulnerability that should concern all SMEs is the over-reliance on passwords for authentication. Using passwords as the only protection for user accounts is no longer sufficient to prevent identity theft or data breaches. In the first year of GDPR’s implementation, there were 144,000 complaints filed with various GDPR enforcement agencies and 89,000 data breaches recorded [13]. Coupled with the fact that 81% of confirmed data breaches involved weak or stolen passwords, the magnitude of this problem becomes clear [14]. According to research [15], 90% of employee passwords are crackable within 6 hours and 65% of people use the same password everywhere. The best way to move past the static password model and all its failings is to implement a dynamic authentication model. Multi-Factor Authentication (MFA) requires users to have a password (something they know), but it also requires a mobile phone or security token (something they have) and/or some form of biometrics like a fingerprint or facial recognition (something they are). A cloud-based MFA service will significantly help protect user accounts from being compromised.
How does MFA keep SMEs safe? To start with, it gives you better control over who accesses your data, applications, and devices, and how. It can help to ensure the identity of the individual accessing your networks and web applications, and to limit which third-party vendors have access. Many cloud apps and services have MFA features, but using different MFA systems for multiple applications and services creates a fragmented and difficult-to-manage process that gives SMEs little or no insight into who is accessing their data and networks. In contrast, a cloud-based MFA architecture gives SMEs centralised control and insight into who has access and when access has taken place. A robust MFA cloud service should also integrate with your network, allowing for Single Sign-On (SSO) to protect both remote and on-premises access. It should be easily managed from a web portal that allows for reports and alerts that can be used to monitor access and identify attacks before they become breaches.
Conclusion
Email security, endpoint protection, web security, and access management are the four core SSaaS services that should be the cornerstones for protecting your SME. Using these services to create a layered and overlapping defensive posture will limit your cyber risk and threat exposure. These fundamental services are four of the biggest entry points and attack vectors for SMEs and larger organisations alike. What makes these cloud services so attractive to SMEs is the low cost combined with ease of implementation and maintenance. Once they are set up and configured, most of the maintenance and upgrades happen automatically. This is a stark change from the days when complex software installations needed to happen on-premises, often with manual effort required to keep software updated and configured correctly. And, since they are cloud-based services, advanced threat protection is continuously improving. New capabilities and detection methods are constantly being implemented and deployed by the service provider. As time goes on, more and more SSaaS services will come online and cover a wider array of security functions. Ultimately, the success of these services will come down to which ones give your SME the best overall protection. Cyber threats against SMEs continue to grow each year, and no business is completely immune to cyber attacks. However, the shift towards SSaaS is making it easier for SMEs to mitigate the risk of cyber attacks and, when combined with cyber insurance, can help businesses become cyber resilient.
Sources
1 https://www.fsb.org.uk/resources-page/small-firms-suffer-close-to-10-000-cyber-attacks-daily.html#:~:text=Small%20businesses%20are%20collectively%20subject,the%2UK’s%20largest%20business%20group.&text=The%20annual%20cost%20of%20such,attack%20put%20at%20%C2%A31%2C300
2 https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
3 https://www2.deloitte.com/content/dam/Deloitte/de/Documents/risk/Deloitte-Risk-Cybersecurity-Financial-Institutions.pdf
4 https://www.isc2.org/-/media/ISC2/Research/2019-Cybersecurity-Workforce-Study/ISC2-Cybersecurity-Workforce-Study-2019.ashx?la=en&hash=D087F6468B4991E0BEFFC017BC1ADF59CD5A2EF7
5 https://www.gartner.com/en/newsroom/press-releases/2019-11-13-gartner-forecasts-worldwide-public-cloud-revenue-to-grow-17-percent-in-2020
6 https://resources.infosecinstitute.com/cybersecurity-budgeting-and-spending-trends/#gref
7 https://enterprise.verizon.com/resources/reports/dbir/
8 https://www.csoonline.com/article/3440069/uk-cybersecurity-statistics-you-need-to-know.html
9 https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf
10 https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf
11 https://docs.broadcom.com/doc/istr-24-2019-en
12 https://www.varonis.com/blog/cybersecurity-statistics/