How SMEs can stay secure
Amid tight deadlines and tighter budgets, entrepreneurs can easily overlook IT security, say experts
“The most common error is thinking it won’t happen to you,” Chester Wisniewski, Principal Research Scientist at Sophos, tells GN Focus . He says the belief that only large organisations are targets for cybercriminals is dangerous — anyone with money or personal data is a mark. “In fact, if you are small, you are likely to have less sophisticated defences.”
Small to medium-sized enterprises (SMEs) are most commonly hit by destructive or servicelimiting attacks, says Stuart Davis, Director for the Middle East and Africa at Mandiant. “Destructive attacks usually manifest as cryptolocker viruses while service-limiting attacks are seen in the form of DoS [denial of service].”
Even worse, SMEs are often a route to bigger targets: their clients. “A lot of SMEs in the UAE serve larger customers. There are quite a few large banks in the region that outsource some of their services to SMEs, for example, loyalty programmes,” says Husam Sidani, Symantec’s Regional Manager for the Gulf.
Smaller companies may not often see commercial sense in investing in the same level of protection as big ones. “Cyberattackers know this. They target big organisations by going through SMEs. A major mistake SMEs make is only looking at protecting their own four walls.”
Even if the damage sustained in an attack isn’t fatal, the effect on a fledgling brand could be. In a 2016 survey of 1,000 UAE residents by FireEye, which owns Mandiant, 46 per cent of respondents felt more negatively about an organisation that had been breached — and 78 per cent stated they would be less willing to provide personal information than before to such a company.
FireEye data shows that GCC industries targeted in 2016 included prepaid online and mobile payment systems, which were then used to purchase goods and services for money laundering purposes.
“Ransomware is one of, if not the biggest, threat today facing SMEs globally and regionally,” says Jon Clay, Director of Global Threat Communications at Trend Micro. “For the UAE, we’ve also seen spam and malicious websites being some of the top threats.”
Sidani is clear about the source of most exploits: “Eighty-two per cent of attacks start with an email.” A newer source of threats, according to FireEye, is macro malware found when certain Microsoft Office documents contain malicious code.
For threat prevention, Clay recommends a security-bydesign development process for SME software providers that protects data with encryption and two-factor authentication. Sidani says it’s crucial to invest in email protection and ensure all data stored in the cloud is secure. Davis says safe Wi-Fi encryption protocols and VPN are a must, as is changing passwords on a monthly basis with adequate complexity standards. Wisniewski advises SMEs to spend on stringent testing of system security protocols while ensuring all data is backed up. He also urges SMEs not to be greedy with customer data: “Only collect data you truly need — it’s difficult to steal what you don’t have.”