As the UN’s Micro-, Small and Medium-sized Enterprises (MSMEs) Day rolls around again, some of the smallest businesses in the world face a series of challenges, from a cost-of-living crisis to difficulty accessing investment.
Micro and small enterprises are engines for growth. MSMEs create seven out of 10 jobs in emerging markets, according to the World Bank. As of 2022, 48% of the EU workforce earned their daily bread at a company with fewer than 49 staff, and those companies were responsible for almost a third of the EU’s turnover. The figures for midsized enterprises are just as impressive.
There’s one other challenge: ensuring cybersecurity in an environment where old tools are no longer enough and where the very ubiquity and small size of these organizations makes them attractive targets.
Yet there are plenty of reasons to be positive: More and more resources for small businesses looking to improve their cybersecurity are arriving each year, and they range from paid services to free-as-in-beer guidance, frameworks and best practice.
A perfect entry point for a supply chain attack
MSMEs definitely punch above their weight. But the same small size that makes them agile also makes them vulnerable: They rarely have anywhere near the cybersecurity resources of a large organization. One of the highest-profile cyber risks MSMEs face is the supply chain attack, in which they become the unwitting conduit for an attack on the attacker’s ultimate prize – that big, juicy, well-resourced enterprise.
Supply chain cyberattacks are not new. But they are increasingly effective, and so they’re increasingly popular for attackers and an increasing point of focus for defenders.
Stuck in the middle are the small businesses that often make up part of complex supply chains – and are often the targets. Let’s run through why they’re targets, and why it’s a little more complicated than it might first seem; small companies can be a vector for a supply chain attack as well as the end target themselves.
How it started
While many large organizations have the resources to buy or build their own cybersecurity capabilities, it’s a costly job that smaller organizations struggle to afford. Attackers know this, and will look to breach a small organization that is part of a target organization’s trusted supply chain and has been granted access as a result – a VPN or remote-support account, an API key, a shared file-transfer service or a mailbox that the customer trusts. If that small supplier can reach its customer’s network or systems, attackers can ride that access in, or steal data as it flows between the two organizations.
Defending against these sorts of attacks goes beyond the basic antivirus and server security tools most small companies buy and run. Those tools look for malware on a machine; an attacker who arrives through a supplier’s legitimate account and connection looks like normal business traffic, and attackers can try several such endpoints as doorways into an organization.
…how it’s going backward
In the last four or five years, a different approach has emerged alongside the more traditional tactics: software supply chain attacks. Here the malicious actor compromises a supplier of software used by many organizations – its build pipeline, its update mechanism or a library it ships – so that a single compromise is inherited by every customer that trusts the supplier’s code. This approach is popular with a type of attacker called an Initial Access Broker (IAB), which sells the access it has obtained to other criminal or nation state-backed groups rather than exploiting it directly.
What it’s turning into
Recent, high-profile attacks on retailers in the UK are highlighting the first supply chain attack vector we described, this time focusing on managed service providers (MSPs). It is understood that a massive breach affecting UK retailer Marks and Spencer was the result of a social engineering attack against a third-party contractor, Tata Consultancy Services. Tata Consultancy Services, a multinational IT services provider with over 600,000 employees, is currently running an internal investigation. Both companies are most definitely enterprises in their own right, but a tactic that works against a large, well-defended business one day is often a sign of what smaller businesses will face the next.
What are the impacts?
There are plenty of blood-curdling statistics on the cost of a successful cyberattack, which we won’t dwell on here. In terms of raw cost, the number varies from relatively low (the UK government’s annual Cyber Security Breaches Survey publishes costings for small businesses) to the ever-spiraling IBM Cost of a Data Breach Report, which placed the average cost of a data breach at US $4.9 million.
That said, becoming the attack vector used against some of your most valued customers is not an outcome many businesses will actively chase: It’s damaging to your reputation, to say the least.
Numbers aside, the most pressing issues are likely to be related to regulatory compliance, customer and supplier goodwill, and staff disruption – all of which tend to have long-term impact.
What SMEs can and should do
Ask large enterprise customers for help or guidance – and work with them for mutual benefit.
Often suppliers are asked to complete security questionnaires and demonstrate compliance with cybersecurity standards. This is entirely to be expected; organizations look to understand the cyber risk associated with their supply chains and translate it into business risk assessments. Proactively asking for guidance, or even assistance, in maintaining or exceeding those standards should be a matter of course – ask what evidence they will accept (a certificate, an attestation or a control-by-control answer) so you don’t redo the work for every customer – especially if your organization is in a position to share knowledge, insight or tools in return.
Understand the liability issues around using outsourced managed services
If you outsource your help desk or cybersecurity, what assurances do you have if they muck something up? Building an understanding of where your responsibilities and liabilities end and where theirs begin is critical – and worth hammering out now, rather than during a security incident. Get the division of responsibilities in writing: who patches what, who holds which privileged credentials (and whether they are shared across the provider’s other customers), how quickly each side must notify the other of an incident, and what logs and evidence the provider will hand over when something goes wrong. A plain old MSP typically works with customers on the basis of shared liability for cyber incidents; if your organization relies on a managed security services provider (MSSP), the emphasis shifts toward the provider – after all, protecting your business from cyberattack is the service you are paying for – but that only holds if the contract says so.
Check your cyber and business insurance
If you are breached and it causes problems for those up- or downstream from you, what is the impact? Does your existing insurance cover you? Your insurer or broker can help here.
Lean into regulatory compliance guidance and requirements
The old adage of regulation being written in blood is true: Laws and regulations such as the EU’s NIS2 Directive, DORA and GDPR, as well as voluntary frameworks such as ISO 27001 and NIST CSF 2.0, are intended to guide organizations large and small toward making sensible choices and taking early measures to counter common cyberattacks. Note also that the requirements and recommendations in these directives and frameworks largely point in the same direction. In part, this is because they follow generally accepted best practice, but harmonizing requirements also makes it easier for businesses to work across borders, sectors and jurisdictions – and means that evidence gathered for one framework can usually be reused for another.
Look for (and adopt) guidance from national cybersecurity centers
National cybersecurity organizations such as the UK’s National Cyber Security Centre (NCSC), and regulators such as the Information Commissioner’s Office (ICO), publish guidance and advice on best practice, from the quick and practical to the more detailed and focused. Ensuring you’re covering (at least) the cybersecurity basics is a start. Across Europe and the US, regulation is increasingly being used to nudge organizations into following good cybersecurity practices. While this can be onerous, the aim is usually to ensure a baseline of good working habits for organizations.
Note that many national organizations promote what could be considered a bare minimum approach to cybersecurity for MSMEs (the NCSC’s Cyber Essentials scheme is one example), in the expectation that it will lift the most vulnerable organizations up. The problem, of course, is that organizations can always do more – which brings us to our next point.
Map and understand your cyber risk in terms of business risk – work out your comfort level
Larger corporate customers of yours may have already asked you to help with cyber risk assessments as a supplier, but even a 30-minute session with your team over a cup of coffee to fill out a probability impact graph (PIG) – each risk rated for how likely it is and how bad it would be, then plotted on a grid – can help build a clearer picture of both the risks your organization faces and your attitude toward that risk. There are great (free) tools out there that add to the basic insights and equip you with useful and concrete steps you can take to reduce your risk. As we’ve said, it’s always possible to do more, but when doing more doesn’t really change the amount of risk you face, costs a prohibitive amount, or ties up too many people, it’s not a positive action. Figure out what your organization is comfortable with risking, then plan accordingly.
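The probability impact graph described above, as a small script you could fill in during that coffee-break session. This is an added example, not a tool from the article or from any of the organizations it mentions: the 1–5 ordinal scales, the band thresholds, the risk appetite of 8 and the five risk items in the register are all constructed assumptions for illustration.

```python
"""
Probability impact graph (PIG) for a small-business risk register.

Added example. Assumptions (not from the article): each risk is rated 1-5 for
probability and impact, score = probability * impact (1-25), bands split at
8 and 15, and anything scoring above the agreed appetite needs a treatment plan.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = very unlikely / negligible ... 5 = almost certain / severe


@dataclass(frozen=True)
class Risk:
    rid: str           # short id used as the label on the grid
    name: str
    probability: int   # 1-5
    impact: int        # 1-5
    owner: str = "unassigned"

    def score(self) -> int:
        return self.probability * self.impact


def validate(r: Risk) -> None:
    """Reject ratings outside the 1-5 scale so a typo can't silently hide a risk."""
    if r.probability not in SCALE or r.impact not in SCALE:
        raise ValueError(f"{r.rid} ({r.name}): probability and impact must be 1-5")


def band(score: int) -> str:
    """Map a 1-25 score into a band. Thresholds are an assumption; tune to taste."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_grid(risks) -> dict:
    """Return {(probability, impact): [risk ids]} so it can be printed as a 5x5 grid."""
    grid: dict = {}
    for r in risks:
        validate(r)
        grid.setdefault((r.probability, r.impact), []).append(r.rid)
    return grid


def above_appetite(risks, appetite: int) -> list:
    """Risks scoring above the agreed appetite, worst first: these need a treatment plan."""
    return sorted((r for r in risks if r.score() > appetite),
                  key=lambda r: (-r.score(), r.rid))


def render(grid: dict) -> str:
    """Text rendering: rows = probability (5 at the top), columns = impact (1..5)."""
    lines = ["prob\\impact " + " ".join(f"{i:>8}" for i in SCALE)]
    for p in reversed(SCALE):
        cells = [f"{','.join(grid.get((p, i), [])) or '.':>8}" for i in SCALE]
        lines.append(f"{p:>11} " + " ".join(cells))
    return "\n".join(lines)


# Constructed sample register for a small supplier with remote access to a customer.
SAMPLE_RISKS = [
    Risk("R1", "phishing of staff who hold customer VPN access", 4, 5, "ops lead"),
    Risk("R2", "unpatched remote support tool", 3, 4, "IT contractor"),
    Risk("R3", "laptop theft (disk is encrypted)", 3, 2, "office manager"),
    Risk("R4", "cloud invoicing service outage", 2, 2, "finance"),
    Risk("R5", "shared admin password reused across customers", 4, 4, "ops lead"),
]

if __name__ == "__main__":
    APPETITE = 8  # assumption: the team agreed anything scoring over 8 needs action
    print(render(build_grid(SAMPLE_RISKS)))
    print()
    for r in above_appetite(SAMPLE_RISKS, APPETITE):
        print(f"{r.score():>2} {band(r.score()):<6} {r.rid} {r.name} (owner: {r.owner})")
```

Run it and the grid shows where the register clusters; the list underneath is the agenda for the next meeting, with an owner against each item. Raising or lowering APPETITE is the "comfort level" decision the paragraph above asks you to make explicitly.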
Partner with a trusted provider of a similar scale to yours.
Vast MSPs may not have your best interests at heart – but smaller MSSPs will often be able to bring helpful insight, hands-on experience and strong vendor relationships to bear on your challenges. Look for personal recommendations from peers and competitors in the same sector as yours, and ask any candidate the same liability questions you would ask a large one.
Conclusion
For most MSMEs, cybersecurity is yet another area outside their core expertise to worry about – alongside a million other things on the to-do list, big and small. Cybersecurity shouldn’t be discounted as another chore – it should be treated as valuable work that will help build the business in the long term.