Opinion

Tackling cybersecurity gaps

Sam Soares, chief growth officer at CyberSmart, explains how MSPs and vendors can support SMEs with their cybersecurity.

Once a tale recounted in sci-fi novels and films, cyberattacks are now commonplace, exposed through splashy headlines circling the internet.

Naturally, cases that make the news typically involve large enterprises with household names, critical infrastructure, or government entities.

The sweeping, if not consequential, impact of such occurrences no doubt captures the attention of the wider public. In the meantime, attacks on smaller organisations slip under the radar, though by no means do they happen any less frequently.

In the UK, SMEs account for 99.9 per cent of the business population, or 5.6 million businesses nationwide, and nearly two-thirds of SMEs have reported at least one cyberattack in the last year. Yet a 2020 study found 43 per cent of SMEs had no cybersecurity defence plan in place.

Whether as a result of innocent ignorance, intimidation at the perceived complexity of cybersecurity, or the misguided belief that they are simply “too small” to be a target, SMEs have long neglected to address the matter.

Fortunately, this mindset appears to be fading. Through a concerted effort by government and private companies to educate this market segment on cyber threats, many are increasingly stepping up and introducing protective measures.

In fact, a recently published whitepaper by N-able reveals that 7 in every 10 SMEs are planning to increase their security budget by an average of 7 per cent.

Now that we have established a need to tackle SME cyber threats, how can we, MSPs and vendors, collaborate to bring them the means?

Step 1: Identify common mistakes

In order to truly support SMEs, we need to first examine the most common mistakes made when investing in cybersecurity. It seems we can broadly separate SME approaches into two camps.

On one hand, there are those that seek expensive tools aiming to do it all. However, the cyber skills gap present within these organisations, and even MSPs, leaves the process of implementing the right measures to trial and error, which it should never be.

On the other hand, there are those who stick to what they know, be it an anti-virus or an anti-phishing solution, while forgetting the rest. Principally, the area where the vast majority fall short is the protection of BYOD (Bring Your Own Device) devices.

Since the pandemic, the use of such devices has sky-rocketed; yet, little has been done to guarantee that the right policies and software are in place to safeguard them.

Step 2: Simplicity is sophistication

Choosing the right tools and approaches can be overwhelming, especially in a market as crowded as cybersecurity. From standard antivirus tools, to sophisticated mid-market or enterprise kits that generally provide more than what SMEs need, and cost more than they can afford, it can be difficult to choose the product(s) that best suits the business.

It’s easy to overcomplicate cybersecurity with the use of jargon or recommending complex solutions, but this doesn’t need to be the case. While there is a time and place for such solutions, there are few situations in which SMEs would benefit.

We need to remember that the lion’s share of cybersecurity incidents can be attributed to the oversight of basic cyber hygiene. As such, MSPs and vendors need to collaborate to ensure that this is covered first; that solutions adopted start with the basics, and allow for scalability and layering complexity.

Equally, by focusing on providing technologies, we often fail to address the two remaining pillars of cybersecurity’s holy trinity: people and processes. Bringing in a set of sophisticated tools but failing to educate employees or implement best practices in the day-to-day leaves large chasms in an organisation’s security posture.

It is crucial then that we help these businesses develop all three facets of cybersecurity.

Step 3: SME Outreach

It is all well and good recognising what SMEs need, but this is not useful if we are unable to impart this information to them.

A different approach is required when communicating with SMEs, as their purchasing behaviours are distinct from those of mid-market and large enterprises. When conducting outreach with SMEs, we must employ a B2C strategy, leveraging digital marketing in particular.

In these campaigns, focus should be on education to ultimately drive the purchase. We need to paint a picture of existing threats, explain the lingo and be simple as well as succinct.

With these businesses, there are usually only one or two decision-makers. They need to grasp the messaging quickly and easily to make informed decisions.

Sustainable cybersecurity

SMEs are a largely untapped market and are among the most in need of assistance on the cybersecurity front. Vendors and MSPs together are in a position to provide SMEs with the best protection they can get, whilst reaping the reward of additional business.

It’s a win-win scenario worth pursuing. However, it is critical that MSPs assess the common pitfalls made by SMEs and tailor their offerings accordingly.

These considerations can be summarised in three questions: Is the solution overkill for the SME’s business needs? Is there enough expertise internally, and with the MSP, to fully manage the solution? Does it complement the other solutions in use?

Only by keeping these questions in mind can we cultivate the sustainable adoption and culture of cybersecurity amongst SMEs.
