While cyber-attacks on large well-known companies such as British Airways and Capital One make front-page news regularly, it’s rare to find stories about attacks on SMEs. It might be tempting to believe SMEs have little in the way of value for hackers in comparison to the Facebooks and Yahoos of the world, but in reality, SMEs are becoming primary targets.
According to the UK Government’s Cyber Security Breaches Survey 2019, in 2018, 31% of all SMEs in the UK suffered from an attack, costing the UK economy more than £2bn. Cisco’s 2018 SMB Cybersecurity Report, meanwhile, found that 53% of SMEs in 26 countries experienced a breach. For these companies, the top security concerns are targeted phishing attacks against employees, advanced persistent threats, ransomware, denial-of-service attacks and the proliferation of employees allowed to use their own mobile devices.
Unfortunately, SMEs are not doing enough in response to this growing threat. Recently, a report by Business in the Community (BITC) found that a third of SMEs in the UK have no cyber security strategy in place, while just 35% have a basic data protection policy and only 29% have a policy for controlling access to systems.
Why? SMEs are understandably focused on staying operational from day to day, so they can serve customers, keep the business going and pay their staff. Furthermore, SMEs struggle to scale security solutions effectively. Often they don’t want to invest in something that might necessitate updating the whole infrastructure, updating storage or updating the operating system.
What this means for MSPs
The lousy security posture of SMEs is negatively impacting MSPs too. If their clients fall victim to an attack, it harms their reputation as well. The MSP involved in Hillary Clinton’s private email server controversy is a case in point.
Furthermore, according to Tim Moran, founder and CEO of LuJam Cyber, clients with bad security postures are making customer relationships difficult.
“Many MSPs find that they don’t get to spend as much time on certain clients because other clients with bad security practices need too much attention,” he said.
Traditionally, all MSPs had to do was meet the uptime demands of service level agreements. If MSPs could keep their clients up and running and take care of their hardware issues, they were doing a good job. But things have changed.
Nowadays, SMEs are increasingly looking to MSPs for help with cyber security. This means that, to stay competitive, MSPs need to show that they can consistently deliver high-performance security solutions for their customers.
Continuous cyber monitoring
If MSPs genuinely want to help their clients avoid cyber attacks, they must stand out from the competition. While encouraging SMEs to undertake audits (such as Cyber Essentials, IASME Gold or even ISO27001) is a good place to start, according to Moran, their benefits are limited until the next audit is required a year later.
The problem, he argued, is that audits only cover a specific point in time. It can be hard to maintain the enthusiasm to make sure controls are kept in place once the certification buzz has passed. Pressing immediate needs of the moment often lead to people overriding or even removing controls altogether.
Moran argued that for MSPs to meet expectations, real-time visibility of their clients’ networks is a must.
He added that, in turn, these insights provide MSPs with the opportunity to upsell services, increase loyalty and trust, reduce churn and, through a more proactive approach to managing their customers, increase their profitability.