Cybersecurity for SMBs: How to protect yourself effectively?

Cybersecurity concerns both large structures and SMEs. Small companies sometimes make the mistake of underestimating the risk, yet the effects of a cyber attack can seriously impact these sometimes fragile structures, as seen in our previous article.

When we know that an employee of a small business is 350% more likely to suffer from social engineering attacks than an employee of a large company, it is time to protect yourself.

Let’s see what is at stake, and how to set up safeguards to protect against these “cyber” risks.

In a VSE/SME, an employee is 3.5x more likely to suffer a cyber attack

SMBs: prime targets for cyber attackers

Cybercriminals are well aware that SMEs are a prime target. When you see the numbers that these companies represent, you can understand that attackers are interested in them.

Some figures on VSEs/SMEs in Europe

Remember that these companies are both subcontractors and suppliers of large groups and can be even more targeted by attackers in the context of supply chain attacks.

According to a Symantec study dating from 2021, “71% of VSEs and SMEs that are subject to a cyber attack do not recover.”

Among our European neighbors:

  1. 75% of German companies were victims of data theft, industrial espionage or sabotage in 2019. (Source: German Association of Information Economy, Telecommunications and New Media)
  2. Spain is a country of SMEs, and this is where a cyber attack can be devastating and even drive them out of business. In June 2021, the country suffered 40,000 cyberattacks per day: administrations and SMEs are among the most vulnerable targets. The most affected sectors are insurance, TMT (telecommunications, media and technology), manufacturing, banking and public administration.

Competitiveness Lever

A large group can survive an attack; what about a smaller structure?

Proportionally, a cyber attack will be more expensive for an SME than for a large group, which is more likely to have a security team to quickly remedy the malfunction. SMEs, on the other hand, will suffer the full force of a productivity halt resulting in a net loss of turnover.

According to a survey conducted in 2020 by the MEDEF (the Mouvement des Entreprises de France, an organization representing French companies), “20% of VSEs affected by an attack have suffered damage of more than 50,000 euros, with 13% of them suffering damage in excess of 100,000 euros.”

Prioritizing IT security is a lever for competitiveness, guaranteeing performance by anticipating/avoiding a loss of income.

Implementing a security policy also means protecting the reputation of your organization. We know that an attacked company can potentially lose customers, see its orders cancelled, have its image degraded, see its confidence altered, thus favoring the competition.

A cyber attack has a direct impact on the turnover, the jobs, the life of the company.

Boomerang effect

An SME may be both a subcontractor and a supplier, which leaves it particularly exposed to attacks: cybercriminals can use it to try to reach its partners’ computer networks.

Beyond their own security, these small structures must be secure for their customers. Every company is legally responsible. Moreover, large groups are increasingly demanding to know the defenses of their partners at the risk of not being able to work with them.

The 2021 Acronis report reveals that “4 out of 5 companies have experienced a cybersecurity compromise due to a vulnerability affecting their third-party vendor ecosystem.”

They can also be attacked because their customer itself is attacked. A successful attack can compromise hundreds or thousands of SMBs, as was the case in the SolarWinds and Kaseya attacks.

Securing the cloud

Cyberinsurance

Some VSE-SME managers believe that their level of cyber protection is sufficient to the point of not having to take out cyber insurance. And when they do consider it, they do not fully understand the requirements of the firms: BCP (business continuity plan), backup, staff awareness, required patches, … Some do not understand all these requirements, others do not have the capacity to meet them. These gaps in terms of understanding the contract have an impact on SMEs’ adherence to these contracts.

The question of the budget inevitably comes back to weigh in the balance; indeed, the price increase does not help in the decision-making process.

However, for each company, having this coverage is a real security issue. Cyber insurers will have to adapt to this new market, propose specific offers to SMEs, and help and accompany them in this choice. This is what our partner Stoik does: Stoik offers complete insurance dedicated to SMEs, with extended eligibility conditions, at a price adapted to these structures. They provide advice, audit and awareness.

Which protection solutions

TEHTRIS: The solution for small business

The cost of a cyber attack is high, but the cost of inaction is just as high or even higher. However, companies tend to think in terms of profit, investment or ROSI (Return on Security Investment). This opposition between “risk culture” and “productivity culture” is not helpful. We need to change the paradigm and think that security is one of the conditions for productivity.

Good computer security requires anticipation, which is why TEHTRIS accompanies SMEs in choosing technical solutions adapted to their structure. There are tools to put in place upstream to prevent and remedy risks.

The TEHTRIS OPTIMUS solution combines the power of EDR (Endpoint Detection & Response) and the efficiency of Next Gen antivirus in a single agent to detect and neutralize known and unknown threats in real time, without human action.

By combining the best of both technologies, OPTIMUS leverages all of the great features deployed by TEHTRIS since 2012, including CTI, sandboxes, an antivirus database or Cyberia artificial intelligence.

TEHTRIS OPTIMUS is the simplicity of a turnkey solution, adapted to SMBs.

The TEHTRIS XDR Platform is also a solution adapted to SMBs, because it allows:

  1. Adaptation of detection rules thanks to information on cyber threats
  2. Operational efficiency through hyper-automated neutralization
  3. Easy integration

Finally, the TEHTRIS solutions meet the expectations of SMEs; namely to have a team in proximity to accompany them while offering a flexible solution.

Good cyber hygiene

In addition to the TEHTRIS solutions and the usual measures, such as using a password manager, enabling two-factor authentication (2FA) and limiting access rights, we recommend that you:

  1. back up data
  2. set up a business continuity plan
  3. raise employee awareness

In parallel to all these actions, the French government has also taken charge of the subject.

  1. In July 2021, it presented an alert system in case of cyberattack. The ANSSI and Cybermalveillance.gouv.fr propose a note for managers, in order to react as soon as possible.
    We recommend you read the note of the ANSSI: https://www.ssi.gouv.fr/guide/la-cybersecurite-pour-les-tpepme-en-douze-questions/
  2. The State recommends developing the “security by design” of software sold to SMBs; this would be a package of simple solutions adapted to SMEs.
  3. It recommends the grouping of employers
  4. It proposes short training courses in cybersecurity
  5. And finally, it proposes a tax credit to encourage training and/or assistance for participation in the purchase of equipment.

Other structures have favored forming a coalition. This is the case of Airbus, Thales, Dassault and Safran, who launched AirCyber in January 2019 via BoostAerospace (founded in 2011) to help VSE-SMEs in the aerospace field adopt the cybersecurity solutions subscribed to by large accounts. It is “a Mutual Support and Maturity Assessment Program initiated by the industry’s OEMs.”

Here is the link: https://boostaerospace.com/aircyber/

In Spain, the plan provides for a culture of cybercrime prevention among citizens and companies, as well as the promotion of training and specialization of members of the armed forces in cyber security and cybercrime.

The maturity of small and medium-sized companies is evolving but they still need to be supported so that the culture of security becomes automatic and obvious. TEHTRIS works every day to adapt its products and solutions to all structures, small or large.

[1] Barracuda Networks, 2022

[2] Acronis Cyberthreats Report Mid-year 2021

[3] Usine Digitale, [Study] Losses due to cybercrime amount to more than 1% of global GDP

[4] According to a Gartner study published on 18/11/2020