Feature: Helping SMBs navigate the cyber security challenge

By Martin Simpson, principal at Node4 Security Practice.

There can be little doubt that the volume, scale and sophistication of cyber attacks are on the rise. According to the UK government’s recent Cyber security breach survey 2024 report, half of UK businesses experienced some sort of cyber security breach or attack in the past 12 months. But this number jumps to 70% of SMBs.

Typically cloud native and highly reliant on connected cloud services, SMBs often lack a solid understanding of best practice security processes and tools. This is not helped by limited in-house security resources or know-how, or by an assumption that third-party cloud providers are managing cyber security on their behalf.

To overcome these challenges, business leaders must step back and evaluate where, how and why they are exposed to risk. Identifying these key focus areas can help guide SMBs to frame and understand their cyber security needs.

Understand the threat environment

No one can deny the disruptive impact of a cyber attack. In June 2024, a ransomware attack on Synnovis, a lab pathology service and integral part of the NHS supply chain, saw London hospitals cancel over 800 planned operations and 700 outpatient appointments. This is a clear example of how an attack on an SMB can have a ripple effect and cause a critical incident – six NHS trusts and scores of GP practices struggled to maintain patient services, which was exactly the aim of the Russian state-sponsored actors behind the attack.

All organisations have to contend with a range of threat actors, from teenage hackers or hacktivists looking to promote their cause, to organised crime syndicates and sophisticated nation states. No one is safe and organisations of all sizes are possible targets, or have the potential to be collateral damage, regardless of whether hackers are motivated by financial gain, company sabotage or simply the thrill of the challenge.

Think beyond ransomware

Ransomware isn’t the only game in town. In some respects it’s an overt and visible threat – when you get hit by a ransomware attack you’ll know it because your data and systems will be locked.

More pernicious by far is the Advanced Persistent Threat (APT). Difficult to detect and capable of operating undiscovered for months or, in some cases, years, APT attacks seek out and steal information over time in a highly strategic and stealthy way. The only indications may be unusual activities on the network outside of normal working hours.

Get to grips with what you need to protect – and why

Rather than getting bogged down or intimidated by the plethora of cyber security technology options that are out there, start with a business-led assessment of the organisation’s risk and resilience profile. In other words, what’s most important to the business and why.

Every business – no matter how small – should apply the same mindset to thinking about cyber security needs. In summary this should include:

  • Confidentiality – if we’re breached, what are the financial, regulatory and reputational impacts for the business?
  • Integrity – what are the operational implications for the business if an attack results in our data being corrupted?
  • Availability – if our people and our customers can’t access our systems, what are the consequences for the business and how long can we survive?
  • Pinpointing what’s most important to the business – and who might come after it and why (your IP, your high value client data, or your market reputation).

Armed with these insights, any business can position its ‘must have’ defences accordingly and prioritise efforts (and security budgets) in a proportionate way. In parallel, SMBs should also consider their resilience and recovery capabilities for other disruption triggers, as the nature of the threat has now evolved to hybrid attacks combining virtual and physical attack vectors. This is compounded by the objectives of some nation states pivoting from disruption to destruction, a sinister evolution.

Revisit security priorities regularly – and consider the big picture

As SMBs evolve and grow, they’ll need to regularly review their business- and operations-focused security priorities. The aim here is to stay on top of the changing profile of products, people and services that need to be protected and adjust security strategies appropriately.

Over-reliance on certification standards like Cyber Essentials and ISO 9001 is a misstep. While they do ensure that the security basics are covered, they do not make organisations inherently secure or prevent them from getting breached. SMBs must prioritise real cyber defences over collecting these badges that ‘certify’ them as protected.

Similarly, think through the required steps to avoid becoming collateral damage in the event of a major attack on any third-party technologies and platforms the business is reliant on. Big name public cloud providers, for example, are prime hacker targets. Likewise, everyone knows that supply chain attacks can and do happen. No matter what agreements are in place with providers, ultimately SMBs remain accountable for their data and operational security.

The same applies to assuming that implementing security tools and products equates to ‘job done’. Sophisticated monitoring tools will be of little value if they aren’t integrated fully into the environment, or if the volume of alerts generated means no one can see the wood for the trees.

Finally, the rapid rate at which attackers change their modus operandi means that, in addition to taking reasonable steps to bolster defences, SMBs must focus time and energy on preparing their response plan. That includes considering whether – should it happen – paying the ransom is an option.

Final thoughts

Whether you’re an SMB or an MSP that is helping one navigate the cyber security landscape, there are three golden rules for putting the right preparations in place:

  • Understand what is important and mission critical to protect – who will come after what’s most valuable to the business and why?
  • Don’t be intimidated – think of cyber security in terms of the likely potential causes of disruption, and how best to respond.
  • Test, enhance and revisit the cyber security plan frequently.
