From phishing emails and exposed networks to fraudsters impersonating officials and healthcare workers, last year was one of the worst for cybersecurity, especially for SMEs.
As CTO of Neo, the treasury management fintech, Ian Yates is keenly aware of these issues. Having worked in consultancy prior to helping establish Neo, Ian has witnessed the advancement of digital solutions entering the treasury and payments space, as well as the need for accessible corporate banking for small and medium-sized businesses. Today he oversees the technical aspects of Neo’s platform and ensures the business requirements are met with the best technology.
Over the past year, he also saw first-hand how many of the cybersecurity issues facing SMEs, present long before the COVID-19 era, were only exacerbated by the pandemic.
Setting the Scene: Cybersecurity Before Covid-19
Even in the years before the pandemic, SMEs were increasingly the target of cyber-attacks, largely as a result of their often-weak technological defences. This is due to a combination of lower awareness of the threat and limited resources to put into cybersecurity. Consequently, cybercriminals and would-be fraudsters are able to take advantage relentlessly – a recent report suggests that small businesses are the target of over 40% of cyber-attacks, with an average loss per attack of more than US$188,000.
The often limited cybersecurity tools many SMEs use to protect their operations mean they are the “weakest link”, and criminals can use this to exploit their connections to larger companies in the supply chain.
In 2019, it was estimated that one out of five SMEs had fallen victim to a ransomware attack. Phishing attacks have also reached their highest level in three years with small organisations receiving malicious emails at a higher rate. While SMEs are juggling a number of issues and priorities, they cannot afford to cheap out on cybersecurity.
The Perfect Storm: Covid-19
There’s a common assumption among small business owners that their company is too small to be targeted by a cyber-attack. Unfortunately, this is not the case. The pandemic has provided cybercriminals with an unprecedented opportunity to exploit confusion, uncertainty and hastily assembled security measures as workforces pivot to remote working.
And with hundreds of millions of people around the world forced into managing sensitive data while working remotely, 2020 has proven to be a turning point in terms of attitudes to cybersecurity. Most technology and software systems were built to be accessed primarily on-site, so their security systems are geared accordingly.
But the shift to remote working has led to workers increasingly using personal devices to ensure business continuity and many communications are now taking place outside company firewalls on novel applications. This can significantly increase cybersecurity risks for SMEs as applications for remote working are often the target of malicious actors.
In 2020, there was a 400% increase in cyber fraud in the USA alone, with statistics reflecting that small businesses, and especially sole traders and the self-employed, were the most vulnerable while also lacking good access to relevant security services.
It goes without saying that the pandemic has strained the finances of most businesses and increasing investment into security can be difficult for SMEs at a time when many struggle to keep their cash flowing.
How Technology Can Help – if Used Strategically
There are a number of simple things businesses can do to protect themselves by taking advantage of available technology. It is widely known that human error is the weakest link when it comes to cybersecurity, so the bigger challenge for companies is to prevent unauthorised access, hacking or fraud arising from the multiple access points that now exist.
An achievable starting point is simply setting out a clear cybersecurity policy and ensuring everyone in the business is well aware of protocols and best practices. This would also involve establishing clear rules on how devices are used, how teams share documents and so on.
Tailored and controlled access can be another effective way of improving cybersecurity. By making this as granular as possible, senior managers can control the features their team members can access. If unauthorised access were to occur, it would make it easier for the security team to identify and address the source without the risk of system-wide contagion.
Any system needs to incorporate the latest security and encryption protocols, even if a business feels it is too small to be worth a cybercriminal’s time. This can include multi-channel two-factor authentication, four-eyes checks, a complete audit trail of all activity, continuous backups and much more. These protocols need to be reviewed thoroughly, tested, challenged, and updated regularly to ensure SMEs are less likely to become easy pickings.