Cyber-threats to SMEs: myths vs the truth

By Andrew Morris 9 October 2016

Are you sticking your head in the sand when it comes to protecting your company against cyber-threats? If so, you’re not alone. Many SMEs struggle with security due to knowledge, staffing and budget constraints. But false beliefs, like “hackers only target big companies”, are putting many at risk.

Many cyber-security myths obscure the reality, and believing “it’s unlikely to happen to us” is a dangerous assumption. You don’t have to look far to see reports of data breaches and cyber-security incidents, and they are not all about big businesses. For example, small business owner Rick Snow, of Maine Indoor Karting in the US, fell victim to a phishing email that gave the cyber-criminal access to the business’s bank account.

So what’s the truth when it comes to cyber-threats? Robert Half spoke with Arno Brok, CEO of AISA (Australian Information Security Association), about some of the common myths versus reality.

Myth 1. “Software is safe”

SMEs are far more reliant on IT than they used to be, according to Brok. Ten years ago they may have been largely print based, but now they’re fully reliant on software such as accounting software Mind Your Own Business (MYOB).

“SMEs face plenty of risks already,” Brok says. “Normal operational risks, financial risks, health and safety risks. They tend to steer away from more risk, try to ignore it and not spend much time on it. So this leads to cases where systems end up running outdated software. For example, they’re still running Windows XP and using apps that are integral to their business operations but are never updated.”

This creates a big opportunity for cyber-criminals: software that is no longer updated carries publicly known vulnerabilities that attackers can exploit at will, so technology needs to be updated regularly to keep pace with cyber-threats.

Myth 2. “We’re too small to be a target”

Although the perception is that cyber-criminals only target big companies like banks, the reality is that they continually scan the entire internet looking for ‘open doors’.

Your company may not be specifically targeted by hackers, but they use automated tools to find exposed services, and it’s only after they break in that they see whether there are 10 or 10,000 computers behind the door.

However, they can also be interested in who you’re connected to. Brok notes that recent attacks on the Australian Bureau of Meteorology may have been due to its connections with airports, defence and other organisations that receive constant streams of data. “It’s a trusted link so they could potentially get into those other systems,” he says.

Myth 3. “We don’t need to talk about cyber-threats”

Another problem is that cyber-security is a very young industry. People are used to fire safety and anti-theft measures, as well as insuring against these, but not so much when it comes to cyber-threats.

“I ask SMEs: when did you do your last fire drill? Most will have done one in the last six months. Then I ask: when did you do your last cyber-drill? Many will have no idea what that actually means or have never carried out this exercise. We need to get to the point where businesses have emergency plans and can execute regular cyber-drills.

“No one would light a piece of paper in the office, as they’d know that alarms would go off. But when they download a piece of software no alarm goes off, so we should link it to sprinkler systems.” Creating a basic awareness of company security procedures among staff is essential to protect your company from being hacked.

Myth 4. “Cyber-security is expensive”

It’s true that there’s no such thing as a silver bullet for all cyber-threats. You need to employ a range of tools and weapons. Brok says that a large bank may use a hundred or more different security vendors to protect its assets.

But there are ways to protect yourself on a smaller budget, Brok says. If you prepare in advance by carefully considering all your potential risks, you can also keep the cost of support down.

If you can’t afford to have every latest protection installed, at least turn on your firewall and use some kind of antivirus software. Being protected against 25 per cent of threats is still better than nothing.

Myth 5. “A cyber-security strategy only needs a technical response”

Because companies are confronted with additional cyber-threats and security concerns, including mobile, application and Big Data analytics security, specialised IT security skills are in higher demand. These skills revolve around prevention, intrusion detection, access and identity control, and malware protection.

Just as businesses are constantly transforming themselves with new technology, so are cyber-criminals. David Jones, Senior Managing Director at Robert Half Asia Pacific explains: “In order to successfully confront a proliferating breed of cyber-attackers, companies need skilled IT talent who understand the current and evolving cyber-threat environment. With a robust strategy in place, companies will be prepared for the future of cyber-security.”

While having in-house IT security experts is preferable, businesses are changing their hiring strategies to have a mixed workforce of permanent and contract specialists, including external risk consultancies.

The solution demands a resilient IT security strategy that includes a technical response as well as ‘the human component’.

Brok offers five simple tips to help an SME improve their security.

  • Make your employees aware: Companies should talk about security issues so that staff know about the risks and can avoid human error. Ensure that any personal mobile devices connected to company networks are secured with a PIN or passcode, and apply the same care to the cloud services staff use.
  • Make sure you back up regularly: Even if you only back up once a week, the most you’ll lose is seven days of company data.
  • Secure your backups: Make sure the backup device is disconnected from your network once the backup has completed, and stored in a safe location, so that an attacker who gets into the network cannot reach or encrypt the copy.
  • Make sure software is fully updated and meets legal requirements: Old apps and operating systems won’t protect you against the latest viruses. Many SMEs also run outdated versions of software that the vendor no longer patches.
  • Have a plan: Getting attacked is no longer a matter of ‘if’ but ‘when’. Company directors need to sit together and consider “what if we got compromised?”, put a plan in place for when that happens, and ensure it’s tested.
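The three backup-related tips above (back up weekly, keep the copy offline and intact, and test the plan rather than assume it works) can be turned into a routine an SME can actually run. The following is an added example, not code from the article or from AISA: it writes a compressed archive with a SHA-256 manifest to a directory standing in for a removable drive, checks the archive against that manifest, restores it into scratch space and compares it file by file with the source, and reports whether the newest backup is within the weekly window. The directory names, file names and sample data are constructed for illustration; the 7-day limit is the article’s own figure.

```python
"""Offline backup with integrity check and restore test.

Added example, not code from the article or from AISA. It puts the
backup tips together: back up weekly, keep the copy offline and
verifiable, and actually test the restore. Paths, file names and the
sample data are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

MAX_AGE_DAYS = 7  # weekly schedule: the most you can lose is seven days


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path, stamp: str | None = None) -> Path:
    """Archive src into dest (e.g. a removable drive) and write a SHA-256
    manifest beside the archive so later tampering or bit rot is detectable."""
    stamp = stamp or time.strftime("%Y%m%d")
    archive = dest / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname=".")
    manifest = archive.with_name(archive.name + ".sha256")
    manifest.write_text(f"{sha256_file(archive)}  {archive.name}\n")
    return archive


def _tree_digest(root: Path) -> dict[str, str]:
    """Relative path -> sha256 for every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_backup(archive: Path, src: Path) -> bool:
    """Checksum the archive against its manifest, then do a real restore
    into scratch space and compare it file by file with the source."""
    manifest = archive.with_name(archive.name + ".sha256")
    if not manifest.exists() or sha256_file(archive) != manifest.read_text().split()[0]:
        return False  # manifest missing, or archive changed since it was written
    # The 'data' extraction filter (Python 3.12, backported to later 3.8-3.11
    # releases) refuses absolute paths and '..' escapes in a crafted archive;
    # older interpreters fall back to the unfiltered extractall.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
        except (tarfile.TarError, OSError):
            return False
        return _tree_digest(Path(scratch)) == _tree_digest(src)


def backup_is_fresh(archive: Path, now: float | None = None) -> bool:
    """The weekly check: is this backup younger than MAX_AGE_DAYS?"""
    now = time.time() if now is None else now
    return (now - archive.stat().st_mtime) / 86400 <= MAX_AGE_DAYS


def run_demo() -> dict[str, bool]:
    """Constructed scenario: a small accounts directory, one good backup,
    a freshness check, then the same archive after corruption."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "company-data"
        (src / "ledger").mkdir(parents=True)
        (src / "accounts.csv").write_text("2016-10-01,invoice 1042,1200.00\n")
        (src / "ledger" / "q3.txt").write_text("quarter closed\n")
        usb = Path(tmp) / "offline-drive"  # stands in for the removable volume
        usb.mkdir()

        archive = make_backup(src, usb, stamp="20161009")
        results = {
            "verified": verify_backup(archive, src),
            "fresh": backup_is_fresh(archive),
            "stale_after_8_days": backup_is_fresh(archive, now=time.time() + 8 * 86400),
        }
        with open(archive, "ab") as f:  # simulate corruption or tampering
            f.write(b"\x00")
        results["verified_after_corruption"] = verify_backup(archive, src)
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```

The restore test is the part most SMEs skip: a checksum only proves the archive is the one you wrote, while extracting it and comparing against the source proves the data can actually come back. In practice the `offline-drive` directory would be a removable volume that is unplugged and stored elsewhere once `make_backup` finishes, which is what keeps the copy out of reach of anything running on the network.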

Even if you think your business is safe, you may have already been breached.

“In the early days of hacking, it was about defacing a website and taking your systems down, all in one go,” Brok says. “Now it’s a trickle as hackers steal company information over time, so you may not see gigabytes of data suddenly being transferred. The average intrusion detection time is around 220 days, meaning they’ve already been in your systems for the best part of a year.”

Before assuming they are safe, companies large and small need to think carefully about current IT security trends and whether their defences are up to scratch against today’s cyber-threats.

To ensure your company is up-to-date against cyber-threats, download Robert Half's Cyber-Security Report for top advice about what you should prepare for.
