Large companies aren’t the only ones hackers hit—far from it. According to a 2019 Verizon study, 43% of cyberattack victims are small and medium-sized businesses, and this statistic has only increased since the Covid-19-related surge in remote work. This puts company networks even more at risk.
Early 2021 is an ideal time to review the cybersecurity challenges facing SMEs.
What are the main threats, and where do they come from? What actions should be taken to protect against them? What benefits can be expected from an effective cybersecurity approach?
To address these questions, we talked with two professionals particularly concerned about these challenges:
- Laurent Hausermann, IoT Security Engineering Director at Cisco
- Winoc Coppens, Information Systems Director for French media outlet 20 Minutes
In this interview, they give us their analysis of the main cyber risks facing SMEs in 2021, as well as their key advice on how to fight cyberattacks.
The main cyber risks in 2021 for SMEs
In 2020, teleworking and the growth of BYOD (Bring Your Own Device, or the use of one’s personal equipment in a professional context) have encouraged and accelerated cyberattacks. According to a Proofpoint study, 9 out of 10 French companies were victims of cyberattacks during the last calendar year.
Three types of attacks target SMEs in particular:
Malware and ransomware
For Winoc Coppens, the first threat for SMEs is malware and ransomware.
Malware includes “viruses that encrypt data, preventing employees (or even entire companies) from accessing files.” It’s one of the “simplest” attacks for hackers, who “fish for big bucks” by sending a malicious message to a set of email addresses, hoping that at least one recipient will open it on his or her workstation.
In short, it consists of “taking the company’s data hostage, and then demanding a ransom [hence the name ransomware] to unblock access to it,” explains Laurent Hausermann.
“In this type of attack, attackers always operate in the same ways:
- The attacker identifies an initial distribution point such as an email with malicious links sent to employees.
- After the recipient clicks the link in the email, the malware is automatically installed on the employee’s computer—or even on the company’s server.
- We often observe a phase of lateral movement where ransomware replicates itself very quickly from one server to another. By the end of its propagation, the company’s entire IT system is locked down.”
Once the data is blocked, the hackers return to the company to demand money in exchange for decrypting/unlocking the data. This is a classic racketeering practice that has continued to evolve with the digital economy.
Distributed denial of service (DDoS) attacks
DDoS attacks, or distributed denial of service attacks, consist of “making a web site or service inaccessible by creating a massive influx of traffic that cripples the server,” explains Winoc Coppens.
Except for SMEs whose business is selling products or services online, these attacks are less common than malware and ransomware, and don’t often wreak as much havoc.
Internal threats
More difficult to detect, internal threats come from anyone who has access to your company’s sensitive data. These can include employees, suppliers, partners, and even former employees.
These threats can be unintentional and linked to an accident or negligence on the part of a user, which happens most often. They can also be malicious, with an intent of harming the company.
“The ‘classic’ move, which happens from time to time, is that of a former or even current employee who’s frustrated by his or her fate, and comes back to connect and delete files,” warns Laurent Hausermann.
Key actions to take
To anticipate these various risks, Laurent Hausermann believes that the IT department must devote significant and proactive effort to putting in place both tools and preventive measures. The order of magnitude? The IT department has to spend “around 10% of its total IT budget.”
Basic rules of IT hygiene
For Cisco’s Director of Engineering and IoT Security, “the priority for SMEs is implementing basic rules of IT hygiene,” like:
- regular backups
- subscription to a cyber insurance policy, “which will allow you to get guidance from a specialist in case of an attack.”
- implementation of a policy for regular system updates
- implementation of a password management policy
- deployment of antivirus software
- conducting an annual security audit
These IT hygiene practices are already an important bulwark against many risks (as recently pointed out by the US Cybersecurity & Infrastructure Security Agency, CISA, the federal agency dedicated to cybersecurity).
Securing remote access
Next, the IT department needs to “secure access to data and cloud platforms remotely,” especially with the proliferation of teleworking and access to remote services.
For this, Laurent Hausermann outlines several good practices:
- Set up a secure VPN.
- Review remote access management and regularly update the list of users who can access company resources to fight against internal threats.
- Use a two-factor authentication system, which allows the identity of the employee to be verified in two steps (via PC and cell phone).
- Implement mobile device management (MDM) solutions to remotely erase data in case of loss or theft of the device.
Such is the spirit of the Zero Trust approach now favored by experts.
Winoc Coppens also stresses the importance of “segmenting the network,” or dividing companies’ applications and infrastructure into different segments to contain cyberattacks and prevent them from spreading to other areas.
“The idea is to choose several modules and solutions and install them on different systems or servers. It’s well known that you shouldn’t put all your eggs in the same basket.”
Another way to reduce the attack surface is to “limit the emails exchanged on a daily basis, especially internally.” Adopting a collaborative platform will allow you to exchange information live on a team chat, thus reducing internal email flows… and therefore the danger.
Awareness and training
Finally, and most importantly, users must be regularly trained and made aware of the risks and good security practices. This is an essential step in making them aware of their role and getting them to adopt the right reflexes.
To accomplish this, companies can “organize quarterly informational meetings on cybersecurity risks and make some of them mandatory,” proposes Laurent Hausermann.
The goal is to empower users.
“At 20 Minutes, we invite employees to apply the same best practices in their professional and personal spheres. The challenge of this awareness is that they end up seeing these precautions not as constraints but as reflexes that are in their own interest,” explains Winoc Coppens.
To develop these training sessions, the company can rely on numerous online resources. For example, “ANSSI offers webinars and documentation on its website that are very useful for CIOs,” says Winoc Coppens.
There are several platforms for training. Laurent Hausermann mentions in particular the NetAcad program from Cisco, which offers online courses to develop computer skills. For the cybersecurity expert, “It’s important to offer this training opportunity to employees because, through knowledge and skills, they’ll be able to identify the cyber threats that surround them.”
“Another good practice is to join a CIO club” in order to discuss the best solutions to implement and share feedback with peers.
Benefits of an effective cybersecurity policy
According to the same two professionals, putting these steps in action offers SMEs two important advantages:
A matter of survival
“A company that has implemented several good cybersecurity practices gives itself a better chance of survival in the face of an attack,” says Laurent Hausermann. Indeed, some companies never recover from such attacks, and for those that are already fragile, an attack can be the final blow (as happened to lingerie brand Lise Charmel in 2020).
However, still too few companies are taking the necessary steps. According to the National Cybersecurity Alliance, 60 percent of small and medium-sized businesses that are victims of a cyberattack go bankrupt within six months, demonstrating their vulnerability to an unforeseen event.
A competitive advantage
“Having an effective cybersecurity policy can also be a competitiveness factor for the SME, because it reassures not only customers and partners but also employees,” explains Winoc Coppens.
Indeed, decision-makers are demanding more and more guarantees from partners and subcontractors. They will have more confidence in an SME that pays particular attention to the security of its data, and will be more likely to work with it.
In the future, Laurent Hausermann believes “governments and large companies will bolster IT security requirements in their tender offers and will require their suppliers to comply with these criteria.”
In 2021, CIOs and IT managers in French SMEs will need to redouble their efforts to effectively protect their companies from the various cybersecurity threats. In addition to strengthening infrastructure, awareness and training will also be essential. This is a major challenge for IT and Human Resources departments alike.
Want to find out more about good cybersecurity practices and the tools to be implemented in a hybrid work context combining remote and onsite work? Read our white paper “Future of Work: Make Way for Hybrid Work.”
In our white paper “The Future of Work: Make Way for Hybrid Work!” you’ll discover the eight main challenges of hybrid work; best practices that managers, HR, internal communication, IT, and employees all can adopt; and the tools for facilitating hybrid work.
Author: Emmanuelle Abensur