Why good cyber hygiene is a strategic imperative for UK SMEs
No company is immune from a cyber-attack, with large and small being targeted. As technologies advance and cybercriminals hone their skills, evolve their tactics, and find new vulnerabilities to exploit, companies can no longer ask the question of if a cyber attack will occur but when and how it will happen.
While the number of data breaches is cause for concern, the cost associated with them is equally alarming. According to Cybersecurity Ventures, the global average cost of a cyberattack has ballooned to $4.45 million, increasing by 15 percent over the past three years. Even more sobering is that it shows no signs of easing, as global cybercrime costs are projected to reach $10.5 trillion annually by 2025.
Every business is a target
Although renowned companies or larger enterprises are often viewed as the more obvious targets for attacks, any company which is reliant on IT to do business is a target. The sheer inconvenience of having systems ransomed will prompt any small business to consider paying out. Cybercriminals are acutely aware of this. This means small to medium-sized enterprises (SMEs) are just as likely to face an attack as larger enterprises.
According to our recent SME IT Trends report, this message is certainly starting to resonate, with respondents in the UK, France and USA expressing growing concerns over their security posture. Indeed 47 percent of UK respondents stated they were more worried about their organization’s security posture now than compared to six months ago and more than half (56 percent) ranked security as their biggest IT challenge.
More concerning still is the fact that, owing to ongoing economic pressures, 34 percent of UK respondents expect cybersecurity spending to be cut in the next year. This is despite 72 percent of UK respondents predicting that security budget cuts will only increase organizational risk.
Good cyber hygiene is essential
One of the reasons why SMEs have become a target for attacks is because hackers assume they will have less robust and less well-defined security practices and processes in place. Often, due to budget and resource constraints, SME organizations lack comprehensive cyber hygiene and end-user security awareness training, which means they are more susceptible to phishing and social engineering attacks.
Systems aren’t as regularly updated; employees may also have weak passwords and devices that aren’t patched as frequently as they should be. In fact, one quarter (25 percent) of UK IT admins said the use of the same passwords across different applications is a top security concern.
However, even though a significant proportion of UK IT admins reported this as a top security concern, their use of password managers was slightly below the global average. 58 percent of UK respondents use a password manager in their organization, compared to 64 percent globally, with 13 percent reporting that they intend to implement one this year.
The growing sophistication of security threats continues to plague IT admins within SMEs, and external threats are causing the most alarm. When asked about their biggest security concerns, network attacks topped the list for UK IT admins (40 percent), followed by ransomware (35 percent), and software vulnerability exploits (28 percent), with 25 percent citing using the same password across different applications.
Part of the solution is an IT environment built around identity. Identity is now at the core of every IT access transaction; it’s the new security perimeter. The ideal environment for SMEs, as it is for larger organizations, is to securely connect the right users with the right resources at the right time in the right way, no matter where users are logging in.
The ongoing battle between security versus convenience
However, the challenge in managing modern workforces with identity at the core is that, when it comes to security, ensuring worker ease and productivity without introducing unnecessary friction is a key issue that continues to vex many IT admins. One popular approach IT admins are leveraging to reduce this friction, while increasing security, is single sign-on (SSO). Globally, nearly nine in 10 SMEs (88 percent) have deployed SSO for at least some apps in their IT stack, and 36 percent have deployed it across the entire organization.
The good news is that end users appear to be more security conscious, with 70 percent of UK IT admins either agreeing or strongly agreeing that remote workers are better at following security best practices this year than last. Additionally, UK IT admins are more likely to now consider employee experience in IT purchasing decisions, with 80 percent of UK respondents saying this is an important factor.
The evolution of multi-factor authentication
In recent years, multi-factor authentication (MFA) has become one way of confirming identity when users try to sign in. The three most common kinds of factors are: Something you know -- like a password, or a memorized PIN; Something you have -- like a smartphone, or a secure USB key; and something you are, including biometrics, fingerprints, or voice recognition.
In our research, biometrics were seen as one of the most secure steps for MFA, with 35 percent of respondents opting for this versus 25 percent who said one-time password texted to their mobile device, and 23 percent who said verification to a mobile device.
In fact, 80 percent of UK respondents say that they use biometrics to secure their personal devices. When asked what type of biometrics they use with personal devices, UK respondents advised that they primarily use fingerprint and face recognition. Voice recognition was less commonly used by respondents with only 25 percent naming this as a method of identification.
As the cyber threat landscape continues to evolve, learning how to mitigate sophisticated threats and keep organizations safe and operational will be of paramount importance. The past three years have not been easy for SMEs and have been especially complicated for IT admins who make work, work across office, hybrid, and remote working patterns.
IT professionals rose to this challenge and urgently overhauled the workplace model to meet these unforeseen needs. Now, these same teams face new uncertainty around external and internal shifts. They are resolute in their commitment to preparing their organizations for the next challenge as security continues to be a big concern and priority for SMEs in 2023 and beyond.
Denis Dorval is VP International (EMEA and APAC), JumpCloud.