Multinational and large enterprises have little trouble beefing up their cybersecurity defenses: those organizations have deep pockets, and a serious cyber attack can cripple their business and their brands overnight. Unfortunately, on a global scale it is SMEs (Small and Medium Enterprises) that employ the majority of the working population. These small and medium-sized organizations depend on their local market for survival, with their own modest plans to expand operations at a later date.
SMEs are sensitive to changes in market conditions, given their limited funds for the various ‘auxiliaries’ of business. It is understandable that small firms focus on funding their core business above all else, so they may end up underestimating their needs in an auxiliary area. One area often relegated to auxiliary status is IT, and cybersecurity more specifically. The Ponemon Institute released its report Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture, revealing how much risk small businesses carry because of their lack of funding for cybersecurity.
The data reveals that ⅓ of organizations, in general, are not ready when a data breach or cyber attack hits them. More disturbingly, 63% of organizations do not know how to react to the overwhelming number of system-generated notifications coming from their IT security infrastructure.
“Balbix commissioned the Ponemon Institute to survey over 600 cybersecurity professionals across 15+ vertical industries. 72% of respondents worked at companies with more than 1,000 employees. Some of the common challenges that organizations face include not enough staff to cover the volume of alerts, vulnerability management solutions that complicate the ability to patch in a timely manner, not enough visibility across their full set of assets and attack vectors, and a lack of understanding of actual cyber-risk and inability to prioritize mitigating actions,” the report explained.
Attack vectors and vulnerabilities will exist whether the company uses software X or software Y. Being ready for cyber attacks means being fully patched: the software installed on computers is the newest version released by the software developer. The same approach applies to network hardware such as printers, routers and switches. All of them contain ‘software’ inside the ‘hardware’, known as firmware. Firmware is updated regularly by the hardware manufacturer throughout the device’s lifecycle, also known as the support period, after which no further fixes arrive.
“IT security teams are often not effective at communicating cybersecurity risks to senior management. On a scale of 1 = not effective to 10 = highly effective, only 21 percent of respondents (7+ on the 10-point scale) say their communications are highly effective,” added the report.
The Ponemon Institute offers four useful suggestions on how organizations, SMEs especially, can become more resilient to cyber attacks and data breaches:
1. Know your hardware and software
Knowing here means more than the physical and electrical requirements of the hardware and the features of the software. The keyword is ‘knowledge’: know every device and piece of software in use inside the corporate network. Yes, that includes every wireless device connected to the corporate infrastructure through the company’s WLAN. Even employees’ private devices need to be carefully registered with the IT team for monitoring purposes. Knowing all the devices and software the organization uses helps narrow down the cause of a problem when something goes wrong. It also means an unauthorized device appearing under the BYOD policy can be detected early, provided there is a complete record of which device belongs to whom.
2. Understand the risks
Every organization, depending on the type of business it engages in, carries a different level of cybersecurity risk. Banks, for example, have a higher level of risk than a typical organization. Hospitals and healthcare firms are also vulnerable, as they hold a lot of ‘customer’ information (patient records). Hackers are after money, so companies that hold money or handle a lot of user data are targeted by cybercriminals more often than other industries.
3. Use Risk-based Analysis
This can be done through management intervention, by introducing the concepts of ethical hacking and penetration testing. Companies that hire professional penetration testers and keep their software stack fully patched are much more resilient to cyber attacks than organizations that have not prepared for the worst. An ounce of prevention is worth a pound of cure, and this applies to cybersecurity too.
4. Implement a tried and tested automation system
A human IT team and a group of system administrators knowledgeable in the field are great for any organization to have. Unfortunately, a human cannot be kept awake 24/7/365, so manually monitoring all the running systems is inefficient. Automation using market-standard cybersecurity tools can minimize the stress of manual monitoring, as these tools provide efficient reporting subsystems that do a finer job than a human operator.
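As an added illustration of suggestions 1 and 4, together with the patching point made earlier, here is a small Python script (example code written for this page, not code from the article or from the Ponemon report) that automates the "know your hardware" record: it reconciles the devices seen on the network against a registered inventory, flags any device with no owner on record, and flags registered devices whose firmware or software is older than the vendor's current release. The inventory, the vendor release table, the product names and the dnsmasq-style DHCP lease lines are all constructed sample data, not taken from any real network.

```python
"""Asset-inventory reconciliation for a small network.

Parses DHCP lease lines (dnsmasq-style), compares the MAC addresses seen
on the network with a registered inventory, and checks each registered
device's installed firmware/software version against the vendor's current
release. Every name, address and version below is constructed sample data.
"""
import re

# Constructed inventory: MAC -> owner, device kind, product, installed version.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"owner": "front-desk", "kind": "printer",
                          "product": "printer-fw", "version": "4.2.0"},
    "aa:bb:cc:00:00:02": {"owner": "alice", "kind": "laptop",
                          "product": "endpoint-agent", "version": "7.1.3"},
    "aa:bb:cc:00:00:03": {"owner": "it-room", "kind": "switch",
                          "product": "switch-fw", "version": "2.9.10"},
}

# Constructed vendor "current release" table (assumed product names).
LATEST = {"printer-fw": "4.3.1", "endpoint-agent": "7.1.3", "switch-fw": "2.10.0"}

# Constructed lease lines in dnsmasq layout: <expiry> <mac> <ip> <hostname> <client-id>
LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.20 printer-1 01:aa:bb:cc:00:00:01
1700000100 aa:bb:cc:00:00:02 192.168.1.31 alice-laptop 01:aa:bb:cc:00:00:02
1700000200 de:ad:be:ef:12:34 192.168.1.77 android-9f3c *
# comment lines and malformed lines are skipped by the parser
garbage line
"""

LEASE_RE = re.compile(
    r"^(?P<expiry>\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)",
    re.IGNORECASE,
)


def parse_leases(text):
    """Return [(mac, ip, hostname)] for every well-formed lease line."""
    seen = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            seen.append((m["mac"].lower(), m["ip"], m["host"]))
    return seen


def version_key(v):
    """'2.10.0' -> (2, 10, 0): compare versions numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def find_unregistered(leases, inventory):
    """Devices that obtained a lease but have no owner on record."""
    return [{"mac": mac, "ip": ip, "hostname": host}
            for mac, ip, host in leases if mac not in inventory]


def find_outdated(inventory, latest):
    """Registered devices running something older than the vendor's current release."""
    outdated = []
    for mac, dev in inventory.items():
        current = latest.get(dev["product"])
        if current is None:
            continue  # no release data for this product; nothing to compare against
        if version_key(dev["version"]) < version_key(current):
            outdated.append({"mac": mac, "owner": dev["owner"], "kind": dev["kind"],
                             "installed": dev["version"], "latest": current})
    return outdated


def build_report(lease_text=LEASES, inventory=INVENTORY, latest=LATEST):
    """Combine both checks into one report dictionary."""
    leases = parse_leases(lease_text)
    return {
        "devices_seen": len(leases),
        "unregistered": find_unregistered(leases, inventory),
        "outdated": find_outdated(inventory, latest),
    }


if __name__ == "__main__":
    report = build_report()
    print(f"{report['devices_seen']} devices seen on the network")
    for d in report["unregistered"]:
        print(f"UNREGISTERED  {d['mac']}  {d['ip']}  {d['hostname']}")
    for d in report["outdated"]:
        print(f"OUTDATED      {d['kind']} ({d['owner']})  {d['installed']} -> {d['latest']}")
```

Run on the sample data, the script reports one unregistered device (the Android phone that nobody registered) and two outdated devices (the printer and the switch). Note that the switch only shows up because versions are compared as integer tuples: as plain strings, "2.9.10" sorts after "2.10.0" and the stale firmware would be missed, which is exactly the kind of quiet error an automated check has to get right before anyone trusts its reports. Pointing the script at a real lease file and a maintained inventory, and running it on a schedule, turns the "who owns this device" record from a one-off spreadsheet into a daily check.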