
Cybersecurity is an information problem and SMEs are at risk

VICTIMS of a cyberattack don’t generally act in a way that puts them at risk. Instead, they tend to lack the information necessary to protect themselves.

According to Hal Lonas, Chief Technology Officer, Webroot, cybersecurity is really an information problem. At a recent RSA conference, he argued that people wouldn’t click on websites that they knew were bad for them; if their firewall knew that the IP was bad, they wouldn’t accept the incoming connection; if their mobile devices knew that an app was bad, it wouldn’t download and install it.

However, he believes that traditional cyberthreat reports and analysis only confuse the average consumer.

This is especially true of small and medium-sized enterprises (SMEs), which read about the indicators of compromise and the tactics, techniques, and procedures employed by hackers but don’t have a way to distill that information into actionable insights.

SMEs also have less time and fewer resources, and they don’t have any threat researchers or spare personnel to help secure their business network. This puts SMEs at greater risk of hacking, ransomware, and other cyberattacks.

Last year, the Ponemon Institute issued the 2017 State of Cybersecurity in Small & Medium-Sized Businesses report, which explained that smaller businesses were especially susceptible to phishing and social engineering, web-based attacks, general malware, compromised/stolen devices, and denial of services, among other cyberattacks.

Unfortunately, Lonas points out that there are few (if any) products out there that cater to the cybersecurity needs of SMEs. It’s hard to make money selling to SMEs, which is why reputed cybersecurity firms tend to focus on developing solutions for enterprise users.

GDPR could destroy SMEs without cybersecurity

Given that the scope of the EU’s General Data Protection Regulation (GDPR) is quite wide and impacts businesses across the world, even in Asia, the value at risk due to a cyberattack has increased exponentially.

Failure to protect customer data, whether as a result of a cyberattack, a leak by an employee, or anything else, will warrant a fine that’s equal to EUR 20 million (US$24.55 million) or 4 percent of annual turnover, whichever is greater.

However, it’s not just the EU. Data protection and privacy laws across the world are set to get more challenging, and SMEs need to find a way to secure their data and protect themselves against cyberattacks.