Cybersecurity: How SMEs can protect themselves

The increasing dependence on IT systems and the lack of protective measures make SMEs an attractive target for cyber attacks. A quarter of Swiss SMEs with a maximum of 49 employees have already fallen victim to a cyberattack.


Many SMEs assume they are not an attractive target for cyberattacks. Only eleven percent of Swiss SMEs see themselves as potential victims of an attack that puts their business out of action for at least one day (gfs-zürich, 2020).

Outdated operating systems

There are numerous security holes that an attacker can use to gain access to a corporate network. One example is ransomware, a specific type of malware, which is particularly successful against outdated software and hardware. Manufacturers of software and hardware use patches and updates to close vulnerabilities that are identified after release and can be exploited for an attack. For outdated products, such updates and patches are no longer available, so the gaps can no longer be closed. In a ransomware attack, attackers exploit existing vulnerabilities in their victim's operating systems and encrypt or steal the data, then demand a ransom payment for decrypting the data or for not disclosing the previously stolen data.

Especially in times of home offices, the mixing of private and professional networks becomes a problem when security gaps exist, because many employees use the often less secure private networks when they work from home. Attackers could thus gain access to the company systems and steal data.

Supply Chain Security

Another security gap that receives too little attention among SMEs today is the role of the supply chain in the company. Many SMEs rely on a number of suppliers and service providers to maintain their business. On the one hand, there is the possibility that the purchased products already contain vulnerabilities - so-called backdoors, for example. On the other hand, an attacker can use a poorly protected supplier to gain access to the customer company's network and compromise it. A data protection breach that occurs at a supplier also affects the customer company.

The WLAN can also represent a security gap in a company and be used as a gateway for malware or hacker attacks. It is therefore fundamental that companies encrypt their WLAN with a secure standard and use a separate WLAN for guests. Employees should not use a public WLAN, as this is susceptible to attacks and, in the worst case, company data can be siphoned off.

People as a risk factor

Often, the cause of a successful attack or data loss is not a lack of technical measures. The intrusion into the systems is often only made possible by employees. People are therefore still the number one entry point for cyber attacks. In phishing e-mails - one of the most common types of social engineering - criminals try to obtain login data or credit card information from their victims using professionally designed e-mails. The attackers often use publicly available information about these persons, so that the e-mails appear personal and reputable. In phishing, a click redirects the victim to a fake website where sensitive information is requested. Sometimes the data is also obtained directly through the attacker's trustworthy-looking e-mail. It is also possible that the mail recipient installs malware by opening a file.

How SMEs can protect themselves

The first step to improved cybersecurity for any company is awareness of the risk of cyberattacks. Cybersecurity must be addressed at management level. Employees should be made aware of the dangers on the network through regular internal training and thus sensitized to the topic. To increase their cybersecurity, around half of SMEs are already working with an external service provider.

The smaller the SME, the more likely the measures will be implemented without external support (gfs-zürich, 2020). Together with the federal government and associations, Digitalswitzerland and SATW have developed a quick test and a guide as part of the National Strategy to Protect Switzerland from Cyber Risks (NCS). These tools are primarily aimed at SMEs with little knowledge in the area of cybersecurity and allow them and external service providers to determine where they stand. They also show which measures are the most important for a minimum level of basic cybersecurity protection. The following compilation shows a selection of the most important protective measures.

Be prepared for an emergency

In the event of a cyber incident, proper preparation is central and determines whether and how quickly an SME can resume operations. A quick and adequate response can decisively reduce or even avoid damage. To this end, it is important that SMEs align their organization to these threats and define appropriate processes: Examples include regularly backing up the company's data, storing it physically separate from the systems, and checking that the data can be restored and read.

It is also recommended that an emergency plan be drawn up and that access rights be assigned selectively. Since the human factor is so important in cyber attacks, it is important that employees are aware of the current dangers, know how to handle the technical means and comply with the most important rules. SMEs should therefore anchor the sensitization of employees in everyday company life.

Likewise, for the best possible protection, it is recommended to use secure and different passwords for different applications, to use a password manager, and to use two-factor authentication for critical services. On the technical side, an up-to-date firewall helps to protect the computer from unauthorized access. Updated antivirus software keeps viruses, worms and Trojans off the system. Old devices for which software updates are no longer available should not be connected to the Internet. When working with suppliers or service providers, it is important to ensure that partners comply with minimum cybersecurity measures. This is the only way an SME can minimize the risk of being affected by an attack on a partner.

Source: SATW
