The pandemic has changed the cybersecurity landscape, triggering dynamics that suddenly increased the risk of cyber threats for organisations that have adopted a hybrid work model. Now businesses are having to play catch-up with cybercriminals that were quick to adapt and exploit new weaknesses and opportunities. This is especially prevalent for owners and operators of small and medium enterprises (SMEs) who often lack the resources and skills needed to mitigate threats effectively.
According to a recent study conducted by Forrester, and commissioned by Tenable, a staggering 92 per cent of Australian organisations experienced a business-impacting cyberattack in the past year. While the future still holds some uncertainty as we approach 2022 there isn’t a shadow of a doubt that cyberattacks will keep on growing in frequency and sophistication, and that SMEs will continue to be targeted.
SMEs, easy prey
Media coverage of large-scale cyberattacks or data breaches often fuels the perception that these threats are faced predominantly by large companies, but the reality is that SMEs are most frequently the primary targets of cybercrime. In fact, the FY21 report from the Australian Cyber Security Centre shows that medium-sized businesses paid the highest price for cyberattacks in the past financial year.
Cybercriminals know that SMEs are generally less prepared for cyberattacks than large organisations, especially after a lengthy pandemic, which has in many ways weakened their resources and defences. The fact that 60 per cent of small business owners went out of business within six months of a cyber breach shows the devastating impact of such attacks. It is therefore imperative that SMEs make cybersecurity a priority in 2022.
What fuelled the fire?
When it comes to cybercrime, two key factors have fuelled the fire: the widespread adoption of remote work, and the accelerated—sometimes rushed—rollout of digital and cloud technologies to ensure business continuity.
Whilst remote work is a welcome change, it poses new threats for businesses. Before the Covid-19 pandemic, the office was often the only perimeter SMEs had to monitor and secure. Today, each remote worker’s personal device or home network is a gateway to company systems if it is not properly secured. And with many companies lacking control and visibility over employee home networks and connected devices, attacks on remote workers have become a leading cybersecurity threat facing businesses today, with almost three in four attacks (73 per cent) in Australia targeting the home worker in the last 12 months.
Employees also display risky behaviours, usually due to a lack of education and guidance about cyber hygiene. Only 29 per cent of Australian remote workers admit they strictly follow their organisation’s security guidelines, and many said they have accessed financial records (43 per cent) and customer data (51 per cent) from personal devices.
In addition, most SMEs had to rush to adopt cloud and digital solutions to ensure business continuity, prioritising speed and often overlooking security, with disastrous results. Indeed, 70 per cent of cyberattacks that occurred in the past year came from vulnerabilities in systems implemented in response to the pandemic.
What can SMEs do to stay safe?
Fortunately, smaller businesses have the advantage of being more nimble and can improve their cybersecurity standards and practices much faster than larger organisations.
Vendor vetting: Selecting a new cloud solution, software or technical partner should include a stringent vetting of their security practices and of how they will access company assets. This goes for Managed Security Service Providers (MSSPs), which SMEs are increasingly using when they can’t afford in-house security experts.
Increased visibility: SMEs need tools and procedures that allow them to monitor both the whole threat surface in a hybrid configuration and the potential risks from software vulnerabilities and misconfigurations. This will help them prioritise patching and detect and act on risky patterns among a hybrid workforce.
Zero Trust: Zero Trust security models have become more relevant during the pandemic as remote working became the norm. The idea is to monitor and identify each user or connected device interacting with the company network and to put an emphasis on stronger authentication practices, such as systematic multi-factor authentication, and on better access management, where users and devices only get access to the company data and resources they need to fulfil their tasks, as opposed to the whole company system. A Zero Trust model focuses on the need to verify every request to access data, at all levels. Without this level of security, visibility and segmentation, attackers can leverage vulnerabilities in the environment, move laterally and infect other assets.
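To make the Zero Trust idea concrete, here is an added example (not Tenable’s code, not from the article, and not any product’s API) of a minimal access-decision function. The role-to-resource table, the device attributes and the sample requests are all constructed for illustration. The point it demonstrates is the one made above: every request is checked the same way, the office network earns no implicit trust, multi-factor authentication is mandatory, and a role only gets the resources it needs.

```python
"""Added example: a tiny Zero Trust access-decision engine.

Constructed illustration only. It is not Tenable's code or the article's;
the roles, resources and device checks below are assumptions made for the
example.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Least privilege: each role is entitled only to the resources it needs.
# Constructed sample entitlements.
ROLE_RESOURCES: dict[str, set[str]] = {
    "finance": {"financial-records", "email"},
    "support": {"customer-data", "email"},
    "engineering": {"source-code", "email"},
}


@dataclass(frozen=True)
class AccessRequest:
    """One attempt by a user on a device to reach a company resource."""
    user: str
    role: str
    resource: str
    mfa_verified: bool      # did this session complete multi-factor auth?
    device_managed: bool    # company-managed device, or a personal one?
    device_patched: bool    # does the device meet the patch baseline?
    source_network: str     # "office", "home", ...; recorded but never trusted


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason) for a single request.

    Every request goes through every check. There is deliberately no
    branch that grants access because source_network == "office": the
    network a request comes from is visibility data, not a trust signal.
    """
    if not req.mfa_verified:
        return False, "mfa-required"
    if not req.device_managed:
        return False, "unmanaged-device"
    if not req.device_patched:
        return False, "device-out-of-date"
    entitled = ROLE_RESOURCES.get(req.role, set())
    if req.resource not in entitled:
        return False, f"role '{req.role}' not entitled to '{req.resource}'"
    return True, "allowed"


def evaluate_all(requests: Iterable[AccessRequest]) -> list[tuple[str, str, bool, str]]:
    """Evaluate a batch and return (user, resource, allowed, reason) per request.

    This is the audit trail a security team would feed into its monitoring
    to spot risky patterns, such as repeated attempts from unmanaged devices.
    """
    return [(r.user, r.resource, *evaluate(r)) for r in requests]


def denial_summary(decisions: list[tuple[str, str, bool, str]]) -> dict[str, int]:
    """Count denials by reason, which is the 'risky pattern' view for visibility."""
    return dict(Counter(reason for _, _, allowed, reason in decisions if not allowed))


# Constructed sample requests covering the cases the text describes.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "finance", "financial-records", True, True, True, "home"),
    AccessRequest("alice", "finance", "financial-records", False, True, True, "office"),
    AccessRequest("bob", "support", "customer-data", True, False, True, "home"),
    AccessRequest("bob", "support", "financial-records", True, True, True, "office"),
    AccessRequest("carol", "engineering", "source-code", True, True, False, "home"),
]

if __name__ == "__main__":
    for user, resource, allowed, reason in evaluate_all(SAMPLE_REQUESTS):
        print(f"{user:6} -> {resource:18} {'ALLOW' if allowed else 'DENY ':5} ({reason})")
    print(denial_summary(evaluate_all(SAMPLE_REQUESTS)))
```

Note that Alice’s first request, from home on a managed and patched device with MFA, is allowed, while her second, from the office but without MFA, is denied: location never substitutes for verification. Bob on a personal device is refused regardless of his entitlement, and his attempt to read financial records is refused even on a compliant device because his role does not need that resource.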
Employee education: Finally, a stronger security posture can’t be achieved without enhancing employee education and compliance. The odd email from the IT department or MSSP with cybersecurity instructions is not enough. There should be a proper training program in place, backed and driven not only by IT but also by business and HR leaders, to hammer home the criticality of good cybersecurity practices.
Whilst these strategies, combined with the government’s Essential Eight framework, should serve as a good starting point for many SMEs, every business is at a different stage of its cybersecurity journey. With the world of work changing so rapidly, all businesses aiming to bolster their cybersecurity in 2022 should conduct a risk assessment and re-evaluate their cybersecurity strategies. With the right systems and processes in place, Australian business leaders can ensure the safety of their employees, customers and business in a shifting threat landscape.