Cyber risks in SMEs: how to prevent them?
A new guide aims to raise awareness among SMEs about cyber risks and to set out some simple guidelines that allow them to prevent and mitigate a cyber incident, and to recover from its consequences should they suffer one.
All companies, regardless of their size, are exposed to cyber risks. It is enough for an employee to receive an e-mail and open the attached document or click on a suggested link to unleash chaos. Without the employee knowing it, that seemingly harmless e-mail carries malicious software that will block the device, preventing access to the data and information stored on it. And what is worse: the cybercriminals will demand that the organization pay a ransom before it can return to normal.
The case described is one of ransomware, one of the resources most used by cybercrime. As an illustration of the scale of that activity, the SonicWall 2018 Cyber Threat Report shows that this American firm detected 184 million ransomware attacks in 2017, a year in which it also identified 932,000 million malware attacks and discovered more than 12,500 new vulnerabilities.
Another sign of the relevance of cybercrime is its cost to companies. Some studies estimate it at half a million euros, a figure equivalent to 0.8% of world GDP, and experts say that this activity already moves more money than drug trafficking.
This is not surprising if one takes into account that cybercriminals benefit from the lack of international regulation of the Internet, the ease of moving across it without leaving traces and, not least, the naivety and lack of security measures of many users of the Network.
Cyber risks for SMEs: new reference guide
In view of this scenario, and with the aim of helping to prevent and manage risks of cyber origin among small and medium enterprises (SMEs), the association Cepreven, the Spanish Confederation of Small and Medium Enterprises (Cepyme) and the Spanish Union of Insurance and Reinsurance Companies (Unespa) have developed the guide “Cyber risks: its impact on SMEs. Prevent, mitigate, recover.”
This new volume includes a series of good practices that show companies how to face cyber risks, protect themselves from cyber incidents, minimize their impact and recover information that may have been damaged. In short, the guide will be of great help in ensuring the continuity of an SME’s operations – such as, for example, those of an insurance brokerage – after suffering a cyber attack.
How can we protect our SME?
According to the guide, an SME’s cybersecurity policy must be based on three fundamental pillars: human and organizational factors, protection tools and resilience through recovery tools.
Human and organizational factors:
- As for the first, it was already made clear at the start of this post that the human being is the weakest link in the security chain. For this reason, the staff of an SME must be aware of, and apply, standards and good practices.
- For physical and remote access to devices, individual, secret and robust (complex) passwords must be used. In addition, it is advisable to change them regularly.
- Related to the previous point, passwords should not be left visible in the workplace (for example, written on a post-it stuck to the computer or the monitor).
- Permanent, temporary and trainee staff should be regularly reminded to avoid the use of personal devices (USB sticks or external hard drives) and unprotected remote or mobile access (Wi-Fi, Bluetooth, etc.).
- A policy of secure use of e-mail also has to be established in order, among other things, to prevent ransomware cases.
Cyber protection tools:
- Antivirus software and firewalls are the basis of protection for information systems and must be updated regularly.
- They must be complemented with filtering tools such as intrusion detection systems (IDS) and intrusion prevention systems (IPS).
- Malicious intrusions not blocked by the latter can be detected with behaviour-detection tools that analyse downloads or other suspicious actions.
- To return to normal as soon as possible after suffering a cyber attack, a sound backup policy is needed. Among other actions, it is recommended that backups be made daily onto media independent of the SME’s information systems.
- And to be resilient, a company also has to implement an incident response and business continuity plan.
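As an added example of what the backup recommendation above looks like in practice (this is illustrative code written for this post, not part of the guide or any product it mentions), the script below makes a dated archive of a working folder onto a separate location standing in for independent media, records a SHA-256 digest so corruption or tampering is detectable, performs a test restore, and keeps only the most recent copies. All function names, the sample folder and the sample file contents are constructed for the example.

```python
"""Added example: dated backup to an independent location with integrity
check, test restore and retention. All names here are hypothetical."""
import hashlib
import tarfile
import tempfile
from datetime import date
from pathlib import Path
from typing import List, Optional, Tuple

CHUNK = 64 * 1024


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large archives never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: Path, dest_dir: Path, when: Optional[date] = None) -> Tuple[Path, str]:
    """Archive src_dir into dest_dir (meant to be a separate disk or share) and
    write the archive's SHA-256 to a sidecar file so later changes are detectable."""
    when = when or date.today()
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"backup-{when.isoformat()}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=src_dir.name)
    digest = sha256_of(archive)
    Path(str(archive) + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def verify_backup(archive: Path) -> bool:
    """A backup that cannot be verified is not a backup: compare against the
    recorded digest and make sure the tar index is still readable."""
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists():
        return False
    recorded = sidecar.read_text().split()[0]
    if sha256_of(archive) != recorded:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
        return True
    except (tarfile.TarError, OSError):
        return False


def restore_backup(archive: Path, target: Path) -> List[str]:
    """Test restore: extract into target and return the relative paths restored.
    The 'data' filter (Python 3.12, backported to older patch releases) rejects
    absolute paths and '..' entries; older interpreters fall back to plain extraction."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")
        except TypeError:
            tar.extractall(target)
    return sorted(p.relative_to(target).as_posix() for p in target.rglob("*") if p.is_file())


def prune_old_backups(dest_dir: Path, keep: int) -> List[str]:
    """Retention: ISO dates sort lexically, so keep the last `keep` archives
    (with their sidecars) and delete the rest. Returns the names kept."""
    archives = sorted(dest_dir.glob("backup-*.tar.gz"))
    doomed = archives[:-keep] if keep > 0 else archives
    for old in doomed:
        old.unlink()
        sidecar = Path(str(old) + ".sha256")
        if sidecar.exists():
            sidecar.unlink()
    return [a.name for a in archives[-keep:]] if keep > 0 else []


def run_demo() -> dict:
    """Constructed scenario: a small 'office' folder, three daily backups, a
    verification, a test restore, a simulated corruption and retention of two copies."""
    work = Path(tempfile.mkdtemp(prefix="sme-backup-"))
    office = work / "office"
    office.mkdir()
    (office / "policies.csv").write_text("policy_id,client\n1001,Example Client\n")  # constructed data
    media = work / "external-disk"  # stands in for an independent medium
    archives = [make_backup(office, media, date(2018, 1, d))[0] for d in (15, 16, 17)]
    latest = archives[-1]
    ok_before = verify_backup(latest)
    restored = restore_backup(latest, work / "restore-test")
    content = (work / "restore-test" / "office" / "policies.csv").read_text()
    with latest.open("ab") as f:  # simulate bit rot or tampering on the newest copy
        f.write(b"\x00")
    ok_after = verify_backup(latest)
    remaining = prune_old_backups(media, keep=2)
    return {
        "archive_names": [a.name for a in archives],
        "verified_before": ok_before,
        "verified_after_corruption": ok_after,
        "restored_files": restored,
        "restored_content": content,
        "remaining_after_prune": remaining,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two habits the script encodes are the ones an SME most often skips: verifying each copy (here by digest and by reading the archive index) and doing a test restore, since an archive that has never been restored gives no assurance of continuity. Pointing `dest_dir` at a removable disk or a share not writable from the workstation is what makes the copy “independent” of the systems it protects.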
What types of insurance exist for SMEs?
In addition to all the measures mentioned, the guide “Cyber risks: its impact on SMEs. Prevent, mitigate, recover” also notes that there are different types of insurance to protect a company’s assets. Among them is cyber insurance, whose coverage we have already discussed on the Xenasegur blog and whose aim is to provide protection against a wide range of incidents arising from the risks in cyberspace, the use of technological infrastructure and the activities carried out in that environment.
Likewise, as the guide recommends, it is very important to have civil liability insurance that, in the event of an attack or cyber incident, covers third-party liability in terms of privacy. Regarding the latter, we recall that the new General Data Protection Regulation (RGPD in Spanish) requires organizations to apply proactive accountability and tightens the fines for non-compliance.
What to do in case of suffering a cyber attack?
Since we have referred to the RGPD, brokerage SMEs must keep in mind that a cyber incident can be considered a security breach. For those not familiar with privacy legislation, the Spanish Data Protection Agency (AEPD) recalls that:
- “A personal data security breach is understood to be any security incident that causes the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data.”
Therefore, unless the data protection professional working in or collaborating with the SME considers that the breach does not constitute a risk to the rights and freedoms of natural persons, security breaches must be notified to the competent supervisory authority – in Spain, the AEPD – within a maximum of 72 hours. Also, if the security breach entails a high risk for the rights and freedoms of the data subjects, it must also be communicated to those affected. Failing to report a security breach can be considered a serious infringement carrying extremely high administrative fines.
Decalogue of good cybersecurity practices
Finally, not content with developing the guide “Cyber risks: its impact on SMEs. Prevent, mitigate and recover”, Cepreven, Cepyme and Unespa have complemented it with the “Decalogue of good cybersecurity practices for SMEs”. It is a very useful tool that gives guidance on protecting a business from attacks and cyber incidents without having to make large investments.