Special Reports
A special report is content that is edited and produced by the special reports unit within The Irish Times Content Studio. It is supported by advertisers who may contribute to the report but do not have editorial control.

Make sure hackers don’t see your SME as easy pickings

The first line of defence for smaller businesses, and one of their key cybersecurity resources, is their staff

Owners, managers, and employees in SMEs must face up to the reality that cybersecurity is now an ongoing business risk. Illustration: iStock
Owners, managers, and employees in SMEs must face up to the reality that cybersecurity is now an ongoing business risk. Illustration: iStock

Cybercriminals tend to be equal opportunities operators. No target is too small or too big for them. While many SME owners may hope that the size of their business puts it beneath the notice of the cybercriminals, the reality is often the opposite – smaller targets can be more attractive due to their perceived vulnerability.

That presents a challenge for SMEs that do not possess the resources that larger organisations can deploy to defend against cyberattacks. That lack of resources is something Kyle Hanslovan, CEO of cybersecurity service provider Huntress, describes as being “below the enterprise poverty line”. However, there are some highly effective yet affordable measures SMEs can put in place, and the first of these is usually their own staff.

Hanslovan talks about “weaponising the power of the human mind”. “Humans are the most affordable line of defence and offer the best bang for your buck,” he says. “Humans are amazing pattern matchers. They know if something doesn’t feel or look right. If you weaponise that you can do a lot.”

He illustrates this with examples of Mickey Mouse images produced by Disney and others produced by AI. The AI-generated images are technically correct in anatomical detail but are clear not the ‘real’ thing. “A human can detect that straight away, but a machine can’t,” he notes.

READ SOME MORE

Unfortunately, some businesses are not capitalising on this important resource, says Hanslovan: “We see some really poor behaviour in small businesses. We see humans being punished when things go wrong. But humans are the first line of defence and need to be encouraged to report breaches or failures when they happen.

“Small businesses need to have culture that rewards good attempts. Fear never motivates people. If you have a culture of fear, it turns off the benefits your staff can bring.”

Luke McDonnell, head of PR with Huawei Ireland, also emphasises the human element.

“Owners, managers, and employees in SMEs must face up to the reality that cybersecurity is now an ongoing business risk,” he says. “In response to this new reality, more best practices in the field of cybersecurity must be implemented to safeguard both the operations and assets of SMEs. We have to stop situations where companies realise the need for cybersecurity only after a significant incident – evidently when it is too late.”

Practical steps McDonnell recommends for SMEs begin with staff. “Educate employees and train staff on cybersecurity best practices and have regular updates to safeguard against malware and other threats,” he advises.

For SMEs, it is the continued training and awareness that will help reduce staff from falling victim to cyber threats

—  Luke McDonnell, Huawei Ireland

“Regularly back up data and keep separate from the main computer or cloud storage to help ensure data loss can be minimised. Use antivirus and anti-malware software and ensure this is regularly updated. Create a strong password policy with complex passwords, regular password changes and enable multi-factor authentication to give an additional layer of protection.”

Continuing on the people theme, McDonnell sees a need to do away with the idea that cybersecurity in an organisation is the sole responsibility of the IT department or the managed services provider.

“Cybersecurity is a shared responsibility, from the CEO to the sales director and everyone in between,” he says. “For SMEs, it is the continued training and awareness that will help reduce staff from falling victim to cyber threats. In addition, SMEs should have a defined internal malicious links reporting procedure so staff can flag any potential threats to be dealt with by experts.”

Another practical step recommended by Hanslovan is to close security gaps that may have been created unwittingly.

“Nowadays we have a device for everything. We have Alexa and Google Home, and so on. They call it the internet of things. I call it the internet of s**t. A lot of devices like doorbells are manufactured so cheaply that there is no margin for them to be maintained. The applications are almost never updated and have software vulnerabilities. Companies need to go for devices that are regularly maintained and patched. Automatic updates should be the default.”

Certification or accreditations can help as well, according to McDonnell.

“Something which I think would give SMEs further peace of mind is if they were cybersecurity certified by a national body. In the UK, SMEs can seek certification under the Cyber Essentials scheme, which has the benefit of demonstrating to clients or prospective clients that the company takes the protection of their data seriously. Such a model could really help to enhance the cyber resilience of Irish SMEs.”

Barry McCall

Barry McCall is a contributor to The Irish Times