Cyber criminals consider SMEs a ‘sweet spot’ due to their lack of security controls and poor cyber hygiene

Accenture & Ponemon’s 2019 Cost of Cybercrime Study indicates that the right approach to cyber threats might save companies up to $5.2 trillion of future revenues in the next few years. Small and medium enterprises (SMEs) are among the most vulnerable. 

SMEs are especially susceptible as the majority of them lack cyber security specialists and are reluctant to invest in reliable digital protection. 

Many cyber criminals thus consider these companies a ‘sweet spot’. A study by the Cyber Readiness Institute shows that only 40% of small and medium companies have implemented a cyber security policy.

Almost half of the survey participants mentioned economic instability as the main constraint in making security investments. This not only raises privacy concerns as employees work remotely, but also leaves room for network breaches and social engineering.

Establish secure connection

Cyber criminals usually aim for underprotected networks, be it public Wi-Fi hotspots, home routers with default passwords, or defenceless Bluetooth devices. Security is not limited to remote access, and employers and employees alike should do their background reading on the potential threats.

Even if employees have taken precautions to secure their home networks, both they and their employers should maintain a safe connection between everyone’s home and the office. “Managers and business owners should thus consider keeping shared files in a cloud drive, establishing a virtual private network and encouraging staff to use trusted online co-working platforms”, suggests Juta Gurinaviciute, chief technology officer, NordVPN Teams.

Raise awareness about social engineering

Since the beginning of the COVID-19 pandemic, human error has increased as more people are working from home. Hackers are leveraging the situation and using the crisis to steal data. As many as 90% of corporate data breaches happen due to social engineering attacks, such as phishing emails or impersonation. 

“To avoid phishing and scam attempts, companies need to develop their security policy and instruct every employee to neglect suspicious emails and ignore links or attachments within them”, says Gurinaviciute.

She highlights that phishing emails are usually sent from similar but somewhat different addresses, and may include punctuation or spelling mistakes. The urge to take action can also be considered a warning sign.
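The two warning signs above that can be checked mechanically, a sender address that is similar to but different from a trusted one and an urge to take action, are sketched below as an added example that is not part of the original article. The trusted domains, urgency phrases and sample message are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumptions for this example (constructed, not from the article):
# the organisation's trusted sender domains and a few urgency phrases.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|act now|account (will be )?suspended)\b",
    re.IGNORECASE,
)
# Constructed sample message: From header, subject, body.
SAMPLE = ('"IT Support" <helpdesk@examp1e.com>',
          "Urgent: password expires", "Reset it immediately via the link.")

def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return None                      # exact match is the real sender domain
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= 2:
            return trusted               # one or two characters off: lookalike
    return None

def warning_signs(from_header, subject, body):
    """List the warning signs found in one message."""
    signs = []
    domain = parseaddr(from_header)[1].rpartition("@")[2]
    imitated = lookalike_of(domain)
    if imitated:
        signs.append(f"sender domain {domain} resembles {imitated}")
    if URGENCY.search(subject) or URGENCY.search(body):
        signs.append("urgent call to action")
    return signs

if __name__ == "__main__":
    print(warning_signs(*SAMPLE))
```

A message that raises either sign is a candidate for a warning banner or manual review, not an automatic verdict: legitimate mail can be urgent, and a lookalike check only covers the domains listed as trusted.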

Ensure privacy and confidentiality

Some employees are using their own devices for remote work as they are more familiar with them, whilst companies also save on providing work devices. However, employers cannot control the preservation of documents on personal hardware and the latter can be infected via external devices – for example, USB drives or IoT appliances.

“Remind your staff that confidential still means confidential. They should not use their personal email for work, their family members should be kept away from sensitive information and printed documents should be disposed of in a shredder as soon as the work with them is done”, suggests Gurinaviciute.

To ensure privacy, companies should implement a two-factor authentication process with an additional protection layer, such as sign-in via external devices. Even if hackers get their hands on one password, they will be unable to finish their job.