The number of cyber attacks continues to rise. Several studies report a 20% annual increase in the number of incidents. Although hacks and ransomware attacks on large companies are attracting the most attention, small and medium-sized enterprises are not left out of the picture either. "Does size matter?" With those - and many other - questions, we turned to Fons Quidousse, a technical cybersecurity & network consultant at Simac.
In an Accenture survey, we read that 43% of cyber-attacks are directed against small- and medium-sized businesses. Is that a figure that surprises you?
Fons: In itself, it doesn't surprise me. Not all hackers have the same modus operandi. Some conduct precision attacks on a single target, while others shoot indiscriminately at a large number of targets hoping to get many hits. In the end, they may both achieve the same result, financially speaking. Looking at the Belgian level, perhaps all companies fall under the heading of small and medium-sized. And effectively, Belgian companies are not spared when it comes to cyber terror either.
Better security at large companies
Do you think larger companies are better protected against attacks?
Fons: They don't have much choice, I think. Although anyone can be a target, large companies are more aware that they are an eye-catching target. So they will cover themselves better against attacks. They are also more likely to take an insurance against cyber-attacks, for example. That has an amplifying effect because insurance companies don't just give away their insurances. They will demand guarantees that the security is completely in order and the risk is minimal. Furthermore, large companies are working more often with other companies that impose certain requirements from the perspective of ISO certification. And governments are also tightening security. For example, the European Community's NIS 2 directive expands the number of sectors that must meet minimum cybersecurity requirements. New to that list are public administrations, postal and parcel services, and manufacturing…
Smaller companies feel these obligations less, in what area are they less protected?
Fons: An organization is only as strong as its IT department when it comes to security. Smaller companies employ fewer IT people who can specialize. If they don't pay enough attention to it, the rest of the organization won't bother either. In my opinion, ignorance is the biggest enemy of adequate security. Often awareness only comes once there has been a break-in and when sweat rolls down everyone's back because the place is down. You don't wish it on anyone, but every attack is a good promotion to do something about security.
In practice, I find that companies often think "it all works, so we'll not change anything." But just because it works doesn't mean it's done in a secure way. Are the latest patches installed? Is everything up to date?
Who is most affected by a cyber-attack? Large companies or small ones?
Fons: Large companies will be more resilient to an attack and its consequences. They can take a punch sooner than a smaller company. Imagine a startup seeing five years of development data erased. They will close their business, I'm afraid.
Remember, too, that small businesses are sometimes attacked to give a hacker access to a larger enterprise. That kind of ‘supply chain attack’ is becoming more common. Hence, companies are requiring their suppliers to perform a compliance check.
How does a company achieve the Olympic minimum in security?
Where to start with security?
Fons: Indeed, that is usually the first question I ask prospects: what exactly do you want to secure? Do you know what devices, data… you have in your company? We use tools that discover which endpoints are in use in a company. Cisco Identity Service Engine (ISE) or FortiNAC give you an overview of the connected devices on your network, and then you can run a vulnerability scan with the tools from Tenable, Rapd7, Outpost24, or others. We quickly notice which parts of the infrastructure are vulnerable, and which ones are the most critical and thus need to be addressed the fastest ... Then you can make big moves quickly.
What are the minimum steps an SME should take to still be somewhat protected?
Fons: I immediately think of three things that will benefit an SME. User awareness is a very important one. Companies really need to educate their employees and make them aware of the dangers. This can be done, for example, by regularly sending test phishing emails so that users notice how easy it is to fall into the trap. After a few warnings, they do start paying closer attention. Second, mail security is also a must. Even if everyone is on their guard, someone will still click on a wrong link. With good mail security, you can filter out a lot of malicious emails. And third is web security, so there is some form of web filtering and DNS security. This way 'malicious' sites can be blocked immediately. For many organizations, those are already three important steps that can prevent mischief.
Can small organizations do that themselves?
Fons: Again, that depends on the size and level of specialization of their IT department. Of course, a factor in this is that security specialists are rare and therefore expensive. Not everyone manages to attract these profiles. In that respect, it is definitely worth considering hiring an external specialist who provides managed security services. Simac offers many such services, performed by specialists who can fall back on their own knowledge, market best practices, and products from A-brands such as Cisco and Fortinet.
Do you want to secure yourself properly? Then contact Fons Quidousse.