Small and Medium-sized Enterprises (SMEs) often think they are not a target for cybercriminals. However, the truth is that SMEs are often targeted because they are seen as easier targets than larger companies. Statistics confirm this. Following an article published by Europe, “28% of European SMEs have experienced at least one type of cybercrime in 2021” [1].
SMEs and Cybercrime – mei 2022 – – Eurobarometer survey (europa.eu)
SMEs often have fewer resources to devote to security and may need to be made aware of the latest threats. However, big cybersecurity firms usually do not invest in SME-market because there are bigger fish to go after budget-wise.
To counter this, there are counts of initiatives to make SMEs more attractive to these cybersecurity firms. In Flanders, VLAIO created the cybersecurity improvement trajectory. This measure helps Flemish SMEs and bespoke companies to improve their cybersecurity sustainably. An approved service provider aspires to strengthen a company’s cybersecurity during such a trajectory.
More information can be found at: Cybersecurity subsidies | VLAIO
Another known setback to SMEs in their search to implement cybersecurity is that if they hire a company, most advice is not tailored. These pieces of advice do not keep the revenue nor the return on investment (ROI) for that particular SME in mind and suggest a Rolls Roys to an SME that can never afford it.
Luckily, this blog post will briefly touch on ‘quick wins’ for most SMEs, hoping we can provide them some direction in this way. Implementing the following security measures will significantly aid most SMEs’ security posture.
Front door security
These days, each SME has its digital footprint, ranging from the company website to business-specific applications. That digital footprint should be protected as much as possible. Each service exposed to the public internet serves as another ‘Front door’. The more front doors available to an attacker, the larger the ‘attack surface’, and the easier it gets to find a way in, as each front door requires a lot of work to maintain a decent security state. Therefore, it is vital to overthink whether each publicly exposed service needs to be publicly exposed. For example, if it is only used by internal employees, it might be a good practice to put these services behind a VPN.
Some services, such as a VPN portal, must be exposed to the internet. For these services, it is recommended to implement Multi-Factor Authentication.
More information on this topic can be found in a previous blog post: What is 2-Factor authentication and how to implement it safely – the Security Factory
Human security
Each employee is a ‘Front door’ in itself. The human component remains, year after year, the biggest threat to companies. A common attack strategy of malicious actors is phishing. This is due to low effort to execute and high reward if successful. As this trend keeps rising, it is essential to enhance the security awareness of your employees around phishing.
The effectiveness of phishing is also noticed in our ‘Red Team’ engagements. An earlier blog post goes more in-depth on a red team scenario we encountered: Red teaming use case – the Security Factory.
At the Security Factory, we help our clients achieve a higher awareness of phishing. For more information on this service, please visit the following website: Ethical Hacking & Penetration Testing – The Security Factory.
Not only does phishing rely on the human component. Another way-in for a malicious actor can be the physical component. Can someone get unnoticed, unauthorized, into your building? Often, at the Security Factory, we perform these kinds of physical engagements. The success rate dazzles us. If you want to hear more on this topic, earlier, we released a writeup of a day in the life of a social engineer: A day in the life of a social engineer – the Security Factory.
Internal security
If an externally exposed service is abused, a user gets phished, or someone can walk into the building and connect to the network, it is not over. This scenario is where internal security becomes paramount. Using a strong EDR/XDR tool can prevent much damage from this point of view. Next to a robust EDR/XDR tool, it is vital to have proper monitoring and alerting. The sooner it is known that something is wrong within the company network, the sooner action can be taken.
Furthermore, general good security hygiene will also limit an attacker’s options. To achieve this, the following actions are a great starting point:
- implement powerful password management (Password security: top tips – the Security Factory)
- use the least privilege principle
- keep your software up-to-date with the latest security patches
What if things go wrong?
What if things go wrong? Yes, that is still possible, even with the measures mentioned above! Don’t wait for things to get bad; prepare yourself for a major cyber attack by creating a thorough Business Continuity Plan (BCP) and Business Recovery Plan (BRP).
BCP involves creating a comprehensive strategy to ensure essential business functions can continue or quickly resume during a disruption or disaster. It encompasses a range of proactive measures designed to keep operations running smoothly, even in the face of unforeseen challenges.
BRP focuses on restoring critical IT systems and data after a disaster or significant disruption. It’s the blueprint for getting back on track swiftly and efficiently.
