The Pareto principle in cybersecurity for SMEs revolves around patching
Small- and mid-sized enterprises (SMEs) are just as likely to suffer from cyberattacks as large organizations, but each group requires a different approach to defending against cyber threats.
In the case of SMEs, the biggest risk comes from software not being patched or upgraded in time, even after the vulnerability has been discovered by the vendor or by others in the developer community.
According to experts, every 1,000 lines of code contain anywhere between 15 and 50 errors. If the average mobile app has more than 20,000 lines of code, there is a chance that there will be up to 1,000 errors or bugs in that app, which can be exploited by hackers if not patched in time.
For enterprise-grade software, especially those used by small businesses, bugs are constantly and actively being discovered and patches are constantly being produced and provided to customers.
However, applying a patch usually means shutting down the company's network and restarting machines, which results in overall downtime for everyone who depends on the organization's computers.
As a result, IT teams are often forced to delay patches and software upgrades rather than applying them promptly. However, timely patching is the one thing that can help SMEs better defend themselves and make themselves less attractive targets instantly.
The Pareto principle, also known as the 80/20 rule or the law of the vital few, when applied to cybersecurity in the SME landscape, indicates that developing a strong patching strategy could significantly boost the organization's cyber resilience.
In an ideal world, patching should not be delayed and must be applied to systems instantaneously.
However, IT professionals need to understand the limitations of the business as well, and hence develop a patching strategy that is pragmatic and balances the needs of operations teams against the risks.
Given the importance of patching, the ideal patching strategy could take one of two routes in the case of SMEs.
The first could force breaks during the day, say at lunchtime or tea-time, and offer those time slots as opportunities for the IT professionals looking after the software to apply the patches.
For industries such as e-commerce or retail, where such a forced break could be disruptive, IT teams need to identify and create a strategy for scheduled maintenance, ideally at short notice, and upgrade and patch systems periodically during those times.
When the second strategy is used, uptime for systems is greater, but IT professionals need to examine each patch on a case-by-case basis and ensure that anything serious is applied immediately instead of waiting for a suitable scheduled slot.
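The case-by-case decision in the second strategy is easy to describe and easy to get wrong under time pressure, so it helps to write the policy down as code that an IT team can review. The following is an added example, not code from the article or from any vendor: it triages a constructed list of pending patches into "apply now" and "wait for the maintenance window" using assumed thresholds (CVSS score, whether the vendor reports active exploitation, whether the affected host is internet-facing, and how far away the next scheduled window is). The patch names, thresholds and the `MAX_WAIT_FOR_HIGH` grace period are all assumptions to be tuned for a real environment.

```python
"""Patch triage for the 'examine each patch' strategy.

Example code, not the article's own. Every threshold below is an
assumption; the sample patches are constructed, not real advisories.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class PendingPatch:
    name: str              # label for the patch (constructed values below)
    cvss: float            # CVSS base score from the vendor advisory, 0.0-10.0
    exploited: bool        # vendor (or a trusted feed) reports active exploitation
    internet_facing: bool  # the affected host is reachable from the internet
    needs_reboot: bool     # applying the patch interrupts service


# Policy thresholds: assumptions, tune for your environment.
CRITICAL_CVSS = 9.0
HIGH_CVSS = 7.0
MAX_WAIT_FOR_HIGH = timedelta(days=7)  # how long a high-severity, exposed host may wait


def is_urgent(p: PendingPatch, now: datetime, next_window: datetime) -> bool:
    """Return True when a patch justifies unscheduled downtime."""
    if p.exploited:
        # Anything being exploited in the wild does not wait for a window.
        return True
    if p.cvss >= CRITICAL_CVSS and p.internet_facing:
        return True
    # High severity on an exposed host is allowed to wait only for a short time.
    if (p.cvss >= HIGH_CVSS and p.internet_facing
            and next_window - now > MAX_WAIT_FOR_HIGH):
        return True
    return False


def triage(patches: List[PendingPatch], now: datetime,
           next_window: datetime) -> Tuple[List[PendingPatch], List[PendingPatch]]:
    """Split pending patches into (apply_now, schedule_for_window).

    apply_now is ordered exploited-first, then by CVSS; the scheduled list
    puts reboot-free patches first so the maintenance window stays short.
    """
    apply_now: List[PendingPatch] = []
    schedule: List[PendingPatch] = []
    for p in patches:
        (apply_now if is_urgent(p, now, next_window) else schedule).append(p)
    apply_now.sort(key=lambda p: (not p.exploited, -p.cvss))
    schedule.sort(key=lambda p: (p.needs_reboot, -p.cvss))
    return apply_now, schedule


# Constructed sample input (not real patches).
SAMPLE_PATCHES = [
    PendingPatch("mail-gateway-patch-A", 9.8, True, True, True),    # exploited
    PendingPatch("erp-client-patch-B", 7.5, False, False, True),    # internal, high
    PendingPatch("webshop-patch-C", 8.1, False, True, False),       # exposed, high
    PendingPatch("office-suite-patch-D", 5.3, False, False, False),  # medium
]


def triage_sample(days_until_window: int) -> Tuple[List[str], List[str]]:
    """Run the policy over the sample with the next window N days away."""
    now = datetime(2024, 3, 1, 9, 0)  # constructed reference time
    apply_now, schedule = triage(SAMPLE_PATCHES, now,
                                 now + timedelta(days=days_until_window))
    return [p.name for p in apply_now], [p.name for p in schedule]


if __name__ == "__main__":
    for days in (2, 14):
        now_list, later_list = triage_sample(days)
        print(f"window in {days} days -> apply now: {now_list}; scheduled: {later_list}")
```

With the window two days away only the actively exploited patch is applied immediately; when the next window slips to fourteen days the exposed high-severity webshop patch is promoted as well, which is exactly the "anything serious goes in now" rule from the text made explicit.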
At the end of the day, if systems are patched appropriately, SMEs can definitely protect themselves against cyberattacks much more effectively.