
teissTalk: Next level cyber hygiene for SMEs


teissTalk host Geoff White was joined by Lessie Longstreet, Global Director of Outreach and Partner Engagement for the Cyber Readiness Institute, as lead guest; Kevin Curran, Professor of Cyber Security, University of Ulster; Steven Furnell, Professor of Cyber Security, University of Nottingham; and Vladimir Jirasek, Founder & CEO, Foresight Cyber.

What should SMEs do to be able to join supply chains on a more equal footing?

Large companies have an obvious advantage over SMEs when trying to become part of a supply chain, or as Vladimir put it, “the bigger always wins”, unless a small business has a specialty that can’t be supplied by others. However, while you need about 50 small contracts to generate the value of a large one, signing up SMEs takes much less time thanks to a more straightforward decision-making process. SMEs’ mindset, capabilities and skills base are unique to them, and there are also huge differences between micro and medium-sized businesses within the SME group. From a security provider’s point of view, it’s easier to deal with the CEOs and founders of micro and small businesses: once you manage to bring about a lightbulb moment with them, they are ready to implement measures. In medium-sized businesses, after negotiating with COOs or CIOs, the provider still needs to get the CEO’s buy-in. B2B companies, on the other hand, need to meet higher security standards to trade, while in a B2C context clients are more forgiving. The difference between companies of different sizes is further demonstrated by DCMS’s Cyber Security Breaches Survey, in which a quarter of larger companies reported meeting all of the 10 Steps to Cyber Security (or the Cyber Essentials scheme), compared with only 8% of small businesses.

Another survey, by the University of Nottingham, has been seeking to find out whether SMEs have the capability and time to reflect on their cyber security posture, in particular how they detect and recover from cyber incidents. Its findings suggest that SMEs’ capacity is taken up by managing cyber security and keeping the business going, which leaves no time or other resources for gathering the metrics they could use to improve their cyber defences.

Looking at the bigger picture, homomorphic encryption can be a long-term solution for protecting data, since it enables computation on data without third parties having any insight into the data itself or any access to the secret key. There is general consensus that standardisation is key to making real progress in this area. Ideally, the whole industry should adopt a single standard, or at least security providers and standards bodies should come up with a coherent set of about 50 questions that map onto the various existing standards.

Views on news

New telemetry from Microsoft’s Azure Active Directory shows that more than 78% of organisations in the Directory don’t employ MFA. Shockingly, the Directory detected and blocked over 25.6 billion attempts to brute-force user accounts in 2021 – which works out at 580-600 attempted password attacks per second. Meanwhile, Microsoft CISO Bret Arsenault claims that "99.9% of breaches would be prevented if you just implemented MFA." The survey concluded that attackers are predominantly targeting Office 365 via legacy protocols. The experience of the Cyber Readiness Institute seems to bear this out: a high percentage of SMEs don’t know how to switch on MFA, or have no idea what it is.

Resources and standards

Resources for SMEs offered by the NCSC – www.ncsc.gov.uk/section/information-for/small-medium-sized-organisations

ISO 27000 series by ISO and IEC – www.itgovernance.co.uk/blog/what-is-the-iso-27000-series-of-standards

PCI DSS, for organisations that handle branded credit cards from the major card schemes – www.controlcase.com/what-are-the-12-requirements-of-pci-dss-compliance/

Cyber Essentials – c. 90 questions – www.ncsc.gov.uk/cyberessentials/overview

CIS Critical Security Controls – applies to a wider range of services, c. 180 questions – www.cisecurity.org/controls

NIST Privacy Framework, Cybersecurity Framework and Special Publication 800-53 – www.nist.gov/privacy-framework/nist-privacy-framework-and-cybersecurity-framework-nist-special-publication-800-53


Watch it on-demand here.
