Everyone Is at Risk, Why Small Businesses Deserve Big Protection
By Miriam Bello | Thu, 06/17/2021 - 14:14
It is wrong to think that small businesses are unattractive to cybercriminals, and this misconception might be the primary reason that makes them an ideal target, explained experts at Mexico Cybersecurity Summit 2021.
Small businesses should value their assets as much as large multinationals, and protect them accordingly. “Cybersecurity for businesses, small or large, is very simple,” mentioned Aimed Pimentel, Consulting Director at ON Strategy & President at WONSTRATEGY. “It has to be part of a company’s strategy to accomplish its goals and meet its targets.”
As the digital transformation accelerates, so do cyberattacks. “This has created open windows of opportunity in companies without them even realizing. For instance, with the shift on working modalities, companies’ risk surface expanded and leaves wider room for a cyberattack,” added Alfredo Sastré, President at Csoftmty.
Small companies are not just facing the same risks as larger ones. After an attack, a small company is less likely to report the incident, which makes it even more attractive to cybercriminal organizations, explained Jorge Ballesteros, Regional Sales Manager - North Latin America at WatchGuard Technologies Inc. “Every criminal organization will be directing their attacks to small businesses due to their lack of infrastructure to face cybercrimes. Countries like Mexico, Peru and Argentina are some of the largest targets of cyberattacks due to the large number of SMEs, unprotected businesses and the lack of protection culture.”
According to Ballesteros, companies do not need to pay for an in-house cybersecurity expert, “it is better to outsource these services to generate a strategy and thus be able to reduce costs and improve effectiveness.” No matter the approach, companies must make a priority of identifying and securing infrastructure gaps in order to protect their services. They could start simply by eradicating weak points, added Ballesteros.
Cybercriminals always have a motivation behind their attacks, explained Brenda Facundo, Manager at iDric. While motivations are often financial, there are other reasons behind their actions. “Small companies’ lack of protection makes them the ideal bridge to enter the larger companies they have as clients or suppliers. Thus, having a good strategy is important to everyone,” explained Sastré. Another attractive incentive is a company’s assets. “While the incentive behind an attack on a fintech would likely be financial, for a health company it could be new developments or tech solutions,” said Sastré.
An aspect commonly overlooked and underestimated is revenge, added Sastré. “In many cases, cyberattacks come from former, resentful workers who still have access to the digital platforms of the company.”
No matter the reason behind the attack, companies must be prepared at every level of the organization. “A strong organizational culture that involves every employee, from management to the security teams, is a must,” said Pimentel. Oftentimes, employees are the weakest link in the security chain, she added. For that reason, when a cybersecurity breach occurs, it is important to have an internal plan for them to avoid panic. Managers have to be part of this strategy and take a proactive approach by generating awareness of the risks involved in the transmission and transfer of data. Personnel training should include social engineering and the identification of phishing and faulty mail sources. Training is not enough; managers should also test employees’ understanding of these fraudulent practices, added Pimentel.
Companies should also protect their digital access, added Sastré, by adding different authentication methods, constant password updates and ensuring employees are not using corporate emails for personal matters. Companies should also back up critical information more than once and “outsource basic security protection so the in-house IT team can focus on more relevant security concerns.” To find a trustworthy cybersecurity service provider, companies should reach out to Software Clusters or Local Cybersecurity centers, added Sastré. They should also do their due diligence and ask them for references, their success rates and stories. Regardless of how the information was leaked, a company puts its reputation at stake when it fails to protect it.
There are changes under way, however. The USMCA asks companies to implement a cybersecurity structure, highlighted Ballesteros. The practices taken at large companies will gradually permeate to their suppliers and then to other SMEs. Small businesses can see cybersecurity as much more than an investment, because by losing valuable information they might also lose current and future clients. Thankfully, there are numerous options that cater to the needs of every company. “There are already cybersecurity insurance policies, from very basic to more complex,” said Pimentel. While these policies might be increasing in price, they are a good option for companies that cannot afford to lose business opportunities.