SMEs need to assume they will be breached

29 January 2024. Article first published January 2024 on the Cyber Security Hub.

With rising cyberattacks on enterprises of all types, Nick Benson, CEO of CREST, argues that lack of understanding and access to effective cyber incident response is the most concerning cyber security weakness for SMEs. He urges them to start assuming they will be breached, instead of hoping that they won’t.

Unquestionably, cybersecurity is a critical and growing concern for organisations of all shapes and sizes worldwide. Some 43% of data breaches happen to SMEs, according to Accenture’s ninth annual Cost of Cybercrime Study. SMEs are also less likely to report or even detect breaches, so this figure may well be understated.

An update from the National Crime Agency to the UK Parliamentary commission on Ransomware in June 2023 reported that some ransomware groups “have moved away from CNI and looked to…small and medium-sized enterprises on the basis that they are less likely to have the weight of law enforcement and the intelligence community descend on them.” This issue has been compounded by the evolution of ‘ransomware as a service’, which is making it much easier for less technical operators to start carrying out attacks.

Losing money, damaging their reputation, exposing themselves to legal action and losing the trust of their customers are just a few of the impacts that an SME may suffer. Additionally, an SME is far more likely to go out of business as a result, for example if the breach triggers a cashflow problem. Some estimates attribute over 80% of small business failures to unexpected or unmanaged cash shortages.

In a UK government study conducted earlier this year, it was discovered that 26% of charities and 39% of businesses in the country had experienced cyber security attacks or breaches in the previous year. And these are just the ones that were reported.

While taking preventive measures is essential to safeguard against cyber threats, it’s also important to be aware that these steps frequently fall short. How well an organisation responds to an attack, specifically how well its incident response plans work, will determine how devastating (or not) the impact will be on the business — and ultimately whether it survives.

Nobody can predict if they will be a target. There are too many other factors affecting the risk, including the type and size of your organisation, the kind and degree of cyber security measures you have in place, and the frequency and level of sophistication of current cyberattacks. The effect they have, though, does depend significantly on the recovery and response plans you have in place. It may be much wiser for all organisations to anticipate that they will have a cyber breach, regardless of what it does or how big it is, and alongside its preventative measures, work on how to identify, contain, and recover from one.

Getting Incident Response right

The first step is to be aware of risks. To help identify assets, threats, vulnerabilities, impacts and controls, a cyber risk assessment should be conducted. Compiling a successful incident response strategy and putting a plan in writing that will work for your organisation can only be done after a cyber risk assessment is completed.

In simple terms, an incident response plan defines roles, duties, processes and guidelines for handling a cyber incident. An organisation could regret not having one even though it intends to never need one. Complacency is a serious risk, often actually heightened where cyber defences and good information security practices have been invested in. The phrase ‘it couldn’t happen to us’ is as much a warning signal as very low cyber security awareness.

For many organisations, especially SMEs, a good cyber incident response plan will require input from an external provider. It will also specify the use of an external incident response provider as part of the plans, sometimes dependent on the severity of the incident and often because of a lack of in-house resources in SME businesses.

Perhaps unsurprisingly, the UK Government’s 2022 Cyber Security Breaches Survey indicates that smaller firms have a harder time creating incident response plans and are therefore less prepared for a breach.

This is often down to a lack of internal expertise and capacity, along with an assumption it only happens to the bigger organisations.

External support is often needed – but choosing a provider is also a significant challenge. It is essential to be able to trust them and rely on them to have the knowledge and expertise your organisation needs.

This is partly why the UK’s NCSC has expanded its Cyber Incident Response (CIR) programme, in collaboration with delivery partners like CREST. The programme, which gives access to assured incident response specialists, now covers support for all organisations instead of only those of national significance, in recognition that every firm runs the risk of a costly breach.

When confronted with a cyberattack or data breach, an organisation can quickly follow the protocols and principles laid out in its incident response plan. Following the plan helps an organisation detect, contain, analyse and recover from an incident. This way, it stands a chance of preventing or lessening the damage and impact of an incident.

The right service provider needs to be chosen to help SMEs put a clear plan in place and, if the need arises, to implement it. Every organisation will greatly benefit from this: the benefits include faster response times and lower recovery costs, improved stakeholder communication, mitigation of any legal or regulatory repercussions, and discovery and correction of the breach’s root causes.

And it is not just about the advantages if there is a breach; it may also increase customer, employee and investor trust in the company by showing it is ready in the event of a cyber attack.

Choosing the right service provider will undoubtedly make a big difference in how quickly and effectively an organisation handles a security breach. Some things to look for in a provider are experience and expertise, scope of services, litigation support and response time. External validation of these things is really valuable. Programmes like NCSC’s CIR Assured Service Provider and CHECK Scheme, as well as CREST’s corporate accreditation in Incident Response, Penetration Testing, and Threat Intelligence all help SMEs to select providers with confidence so that when the worst happens, they are ready for it.