
5 Cyber tips for SMEs

Glenn Baker
February 24, 2022

Cybersecurity specialist Tony Jarvis offers a five-step plan for business owners to boost their cyber resilience in 2022.

Since the start of the pandemic, New Zealand has seen a 15 percent increase in cyber-attacks, with the New Zealand Cyber Security Centre (NCSC) reporting that the focus of these attacks has been on nationally significant organisations. With this threat in mind, and the growing innovative nature of threat actors, it’s high time for New Zealand businesses to examine their cyber-security posture.

Specifically, I want to offer some tips for small and midsize businesses across New Zealand. I began my career in cyber security two decades ago, initially working for Telstra. Since then, I have worked as a CISO advisor and cybersecurity strategist advising Fortune 500 clients across the world on how to defend themselves against the most sophisticated threats in the wild. I can safely say – we have entered a new era of cyber threat.

If it were measured as a country, cybercrime would be the world’s third-largest economy after the US and China. Mid-size businesses are often considered a soft underbelly for cybercriminals. A common misconception exists among cybercriminals that mid-size businesses do too little to strengthen their cybersecurity, which makes them an appealing target. But the reality is, they are often targeted as a thoroughfare to higher-value targets, critical systems, and highly classified information. Most mid-size businesses are planning to make, or have already begun making, the sweeping, technology-driven organisational changes that define a digital transformation, and a growing majority say these adjustments will soon be essential to their competitiveness.

But the cyber challenge faced by midsize businesses is multi-faceted. They are often under-resourced and are particularly affected by a global cyber-skills shortage. Small, or non-existent, security teams are tasked with defending the business from the full range of cyber threats — from sophisticated, novel, and targeted campaigns to very fast moving ‘smash-and-grab’ attacks — while managing an increasingly distributed workforce and complex digital infrastructure. The challenge extends beyond adequate resources — the threats these organisations face are too fast or too stealthy for humans to contend with and the number of new avenues for hackers to gain entry is growing at a rate too rapid for security teams to monitor.

This complexity can make the task at hand seem overwhelming for SMEs, but there are some simple resolutions they can take to boost their cyber resilience.

1. Accept that we will never be able to stop breaches

First, SMEs need to subscribe to a new philosophy. If the recently exposed widespread vulnerability Log4j taught us anything, it’s that trying to stop 100 percent of attackers from getting into our systems is futile. 

Traditional security solutions like firewalls try to stop attackers from penetrating the system by identifying threats based on historical attacks. They categorise known attacks as “bad” and guard against them on this basis — commonly known as the “rules and signatures” approach. However, what we’ve learned over the last decade is that simply trying to stop attackers getting onto systems is only effective for low-level attacks. It doesn’t work for the advanced attacks (like those exploiting the Log4j vulnerability) that these businesses now face.

Instead, business leaders must contain attacks quickly and minimise disruption so that the organisation isn’t negatively impacted. Accepting that attacks will get in is not accepting failure. It is the reality of being a mobile, global, and interconnected business.

2. Think beyond detection – it’s no longer enough

Once an attacker has gained a foothold within an organisation, it is vital that the security team continuously monitor for abnormal behaviour to detect the breadcrumbs of emerging attacks. But there’s a real risk associated with placing too much emphasis on detection. Any cyber security solution that simply alerts IT teams to the presence of attackers does not resolve the problem of hackers moving at speed through a digital estate, leveraging AI-driven attacks, or the problem of security teams being out of the office and unable to respond quickly enough to triage and quarantine infected devices. With security teams coming up against increasingly sophisticated attacks, companies need solutions that can detect and respond almost simultaneously. In the midst of a cyberattack, every second counts and detection alone can’t put a stop to the damage wreaked by hackers.

3. Create a culture of security

In larger companies, CEOs and C-level executives should be vocal about the importance of cyber security across the business, and every department should know its responsibilities and understand that cyber security is relevant to it. The Board should be briefed regularly on cyber security, and security providers should be involved in this process. Ideally, the CISO should be part of the top management team. If not, key personnel within the security team should give regular briefings to the management team on how the business is responding to cyber threats.

4. Do more with less

You don’t need every security solution ever created. Often, adding more to the mix just complicates matters further. Staff need to be trained in each of the tools, integration between disparate solutions can be challenging, and resources only stretch so far. Putting the basics in place is a great start, and an additional set of eyes that monitors whether these tools have let anything slip through the gaps can make all the difference in an approach known as “multi-layered security”. You may stand to gain more by putting in place a tool that checks whether your existing solutions are doing their job, rather than an entirely new system that provides marginal benefits at best and will only stretch your already strained resources even further.

5. Pay attention to the supply chain

The NCSC reports that attackers targeting larger organisations with strong cyber defences tend to turn their attention to alternative paths, such as weakly defended service providers who have access to their target’s systems.

Supply chain attacks can be some of the hardest to mitigate, but a few best practices are a must here. These include doing the due diligence before providing access to third-party vendors. Such access should only allow the bare minimum required in order to do the job, or in other words, follow the principle of least privilege. Where possible, try to minimise the number of third parties connecting into the network to reduce the potential entry points. Assess supplier and vendor security when deciding whether to work with a company. Examine whether they have external certifications that verify they take security seriously. Be open with them about this being a factor in decision making around whether to award contracts. You are only as strong as your weakest link.

In 2022’s cyber threat landscape, being breached by hackers is all but inevitable. While there is no shame in hackers gaining access to your digital estate, allowing them to cause long-term disruption and damage is unacceptable to many SMEs, and fundamentally avoidable. Taking time to examine your business’s cyber-resilience could well save you a lot of trouble down the line.

Tony Jarvis (pictured) is Director of Enterprise Security at Darktrace.

Glenn Baker

Glenn is a professional writer/editor with 50-plus years’ experience across radio, television and magazine publishing.
