
Security for all sizes – Proactive protection from SME to enterprise!

#KingstonCognate introduces Prof. Sally Eaves


Prof. Sally Eaves is Chair of Cyber Trust and Senior Policy Advisor for the Global Foundation of Cyber Studies and Research. Described as the “torchbearer for ethical tech” she is the inaugural recipient of the Frontier Technology and Social Impact Award, presented at the United Nations. A Chief Technology Officer by background, and now Professor in Advanced Technologies and a Global Strategic Advisor across Emergent Technologies, Sally is an award-winning International Author, MC, Keynote Speaker, and Thought Leader on Digital Transformation (AI, 5G, Cloud, Blockchain, Cybersecurity, Governance, IoT, Data Science) alongside Culture, Skills, DEI, Sustainability and Social Impact.

Sally educates and mentors actively to support the next generation of tech talent and has founded Aspirational Futures to enhance inclusion, diversity and equality in education and technology, with her latest book on “Tech For Good” set to be released soon. Sally is consistently recognised for global influence in the technology space by leading bodies such as Onalytica, appearing in the top 10 worldwide across multiple disciplines from AI to 5G to Sustainability and beyond.

Cybersecurity for SMEs – what do you need to do?

Multiple vectors of cybersecurity risk are converging in scope, scale, and sophistication, creating an ever-present danger to organisations in any sector and of any size, from SME through to enterprise. In this piece, we explore what has changed, with particular attention to the growing risk exposure of SMEs and share tangible examples of how to enhance your security posture, whatever your starting point, from attention to culture and education, to zero trust practices and embedding endpoint cybersecurity.

Firstly, it’s wise to look at the catalysts behind the acceleration in security risks: most notably the pandemic and its impact on “work from anywhere” models, growing employee and consumer agency with evolved expectations and behaviours, the situation in Ukraine, and the rapidly developing energy crisis. Unfortunately, it remains a truism that attackers always feed off our areas of most vulnerability. Exploring the threat landscape in more detail, 5 pillars of risk come to the fore, as explored below.

Cybersecurity pillars of risk

  1. The growth of the cybersecurity economy and services especially related to ransomware and phishing
  2. Rise in nation-state threats, with actors increasing the volume and scale of attacks to help negate detection
  3. IoT and OT convergence and innovation expanding security threat surface areas
  4. Rapid advance of distributed and hybrid workforce models evolving the nature of risk, from the tools we use to how we do our work
  5. Increase in disinformation, misinformation and malinformation affecting the persuasion and psychological impact of cybersecurity attack campaigns and their effectiveness.

SMEs have been especially impacted by the growth in cybersecurity attacks, notably ransomware and phishing, with new research showing that some 43% of cyber-attacks target small businesses (Verizon 2022). Taking the UK as a broadly representative example, the 2021 NCSC Annual Review recently declared ransomware to be the most significant cyber threat facing the UK today. With this sector representing over 99% of businesses in the UK and the USA (SBA 2021), the collective contribution to global economic growth moves centre stage, alongside the risk posed to supply chains, with SMEs providing an increasingly attractive entry point to wider enterprise ecosystems.

Drilling into the risk in more detail, research by Datto found that 85% of MSPs report ransomware as the biggest malware threat to small businesses. With Remote Desktop Protocol (RDP) the single most common vector for this type of attack, the increased distribution of SME employees with remote-to-hybrid working models, alongside the rise of “Bring Your Own Device” when physically in the office, has created new challenges. These range from the expanded threat area to the risk of complacency and the breaking of habits around security practices, given the continual change in working logistics. This is coupled with the baseline that SMEs typically have misconceptions around the levels of support “in range” to them, alongside greater budget constraints, fewer resources, and a lack of in-house specialist technical skills, all raising their desirability as a focus of attack for bad actors. And given the impact of the sector already outlined to both local and global economies, this makes their disproportionate operational, financial, and reputational effect one of significant concern.

But it is not all negative news! Firstly, SMEs can be more agile to change and to the introduction of new approaches by their very nature and infrastructure, and are typically less likely to be carrying the weight of legacy technologies or process-heavy, long decision-making cycles. Additionally, there is much that SMEs can do today to improve their cybersecurity posture for tomorrow. The time is now to move beyond common perceptions that effective security is simply too difficult, too time consuming or too expensive to embed, or conversely that you can buy something like “Zero Trust” straight off the shelf and you are once and done. It simply does not work that way: it is an ongoing journey, not a destination.

So, what can SMEs do to both change the narrative around security and improve their posture around the risks? Firstly, considering some of the education and awareness opportunities available, the National Cybersecurity Centre provides an excellent starting point for free, up-to-date resources. This is key given research that finds that smaller businesses are not consulting authoritative sources, and instead, when using a general search, they are frequently overwhelmed by the volume of advice online, with no way to judge or prioritise it. So, educating your employees and making supporting documentation available is an absolute must. The power of partnership is also key: even large enterprises typically utilise third-party providers that specialise in cybersecurity tools, training and best practices, and there is a lot of support available here that can be tailored to organisations of any size. And what better way to negate the rise in bad actor collaboration than for organisations to come together for good and openly share best practices!

Security threat actors are continually evolving their attack approaches to make them more impactful, including the coming together of cyber-criminal gangs with increasingly complex and professional tactics. We must respond in kind as a sector and as organisations and individuals - this requires a focus on Technology, Culture, Processes and Skills.

Getting it right: Technology and processes

As I previously discussed in the Kingston Cognate Twitter Chat (@kingstontechbiz), around 98% of cyber-attacks can actually be negated through good cyber hygiene. Here are some suggestions on getting this foundation right from a technology and process perspective:

  1. Always back up your data regularly – and test it!
  2. Consider hybrid cloud solutions from both a technology and partnership approach
  3. Keep your patching up to date across your hardware, mobile devices, applications, and operating system – patching frequency was often reduced during the pandemic
  4. Use passwords properly and apply Two Factor Authentication (2FA) wherever possible
  5. Avoid public Wi-Fi wherever you can
  6. Leverage VPNs (Virtual Private Networks) and data loss prevention software solutions, including endpoint detection, firewall and antivirus solutions
  7. Embrace agile Change Management approaches such as Continuous Integration, Continuous Deployment (CI/CD) to make frequent smaller changes, reducing risk
  8. Use hardware encrypted storage such as external SSDs and USBs
  9. Track, lock, or wipe devices that get stolen or lost

In particular, hardware encrypted devices such as USBs and external SSDs afford a highly cost-effective solution to move forward with data loss protection expediently – and relevant for multi sector application and for organisations of any size. Rob Allen, Director of Marketing & Technical Services, Kingston Technology Europe, explains:

We offer encrypted USB solutions for Government, Defence, and Intelligence Agencies right through to FinTech and Health Care, and to your Small Medium Businesses and SOHO (Small Office Home Office) users… The one I'm really impressed with and excited about is an external SSD with touchscreen pin and password, an exciting addition to what we usually do.

Additionally, Kingston Technology’s excellent Ask an Expert team can provide personalised advice on the potential benefits tailored to your organisation’s specific storage environment and needs, with contact requests going straight to the technical resource group, alongside providing multiple, freely accessible resource guides applicable to data centre customers, corporate end users and SMEs alike. And there is more support available for you in their Data Security Blog, where you can find top 12 tips for SMEs to enhance cybersecurity.

Getting it right: People and culture

Everyone has the ability to make a difference when it comes to reducing threats; every individual is a security gatekeeper of sorts. This is a shared responsibility which must be reflected in a culture that enables “speaking up”. In addition to explaining the benefits of the Kingston IronKey encrypted portfolio, Rob raises a hugely important point:

So, what you want to prevent is that people find workarounds that are less secure. And equally, and this is a very important one, what you want to do is create an atmosphere where they can come forward… and with best practices make it relevant things that people can apply in their home life too - give real world examples.

This equally extends to skills accessibility and skills confidence around cybersecurity and data literacy more broadly, ensuring that access to the latest learnings is made available to all employees regardless of whether holding a technological position or not. This can be further supported by developing more personalised education programs that help people to identify their own learning style preferences so that they can grow and develop in the way that suits them best – smart thinking to complement smart technology – and which improves outcomes across individual, team and organisation alike. Now that is shared value impact!

Kingston Technology is a long-established and highly trusted leader in the encrypted USB drive space and can offer bespoke support on the benefits and alignment to your business needs. This, combined with their superb Ask an Expert team, means you can get truly tailored advice, specific to your environment and needs.

#KingstonIsWithYou #KingstonIronKey
