
SME data security: the essentials

by Alp ICT

An alarming reality

SMEs are often reluctant to implement cybersecurity measures, believing that they are too small to be of interest to a hacker. They think they hold nothing sensitive and underestimate the value of their data. But hackers invest according to the estimated gain: if they can make a small gain easily, they will attack small prey. We never talk about small-scale theft, even though it happens every day. The figures bear this out:

  • A Swiss SME is the target of a cyber attack an average of 355 times a week
  • 100% of SMEs are subject to phishing attempts
  • ¼ of cyber attacks cost more than CHF 10,000
  • 60% of hacked SMEs go bankrupt within 6 months


The question is not "if" but "when" you will be attacked. Despite this, very few companies are taking steps to identify their cyber-risks and protect themselves accordingly. Only 15% of them train their staff in good cyber-security practices.

The pandemic has only aggravated the situation, with cyberattacks multiplying (up to three times higher than before the crisis, according to the National Center for Cyber Security - NCSC), putting many businesses at risk.

Faced with this alarming reality, alp ict, OPI, Innovaud, platinn and Alliance have joined forces to offer an intercantonal support program for companies on the theme of data security. The aim is twofold:

  • provide a better understanding of data security and its long-term implications for companies
  • develop concrete, pragmatic solutions tailored to business issues, guided by the know-how and skills of experts, with implementation devised and carried out through collective intelligence within companies

To meet the first objective, two "Industry Connect" events were organized by alp ict on September 9 at BrainServe and on October 29 at HPE Geneva. Sharing experience and expertise with a total of 15 speakers, they offered a 360° view of the different aspects of data security (industrial, technological, academic, governmental and legal) in order to find solutions adapted to the organizational, financial and human resources of SMEs.

Replay videos are available on our Vimeo channel.


Below, we share the points that emerged.

Protecting yourself is complex. Where do you start?

Most SMEs are concerned about cyber risks, but don't know where to start. What attitude should they adopt? What precautions should be taken? How can we ensure that the basic measures are already in place? The 1st Industry Connect identified the right questions to ask.

 

1) Analyze threats

First of all, what are the risks? We need to identify the dangers, find the vulnerabilities. They can be external (hacker, Internet failure) or internal (hardware failure, flood, fire, clumsy or careless employee). This risk assessment must be updated regularly.

 

2) Evaluate costs in the event of an attack

Secondly, what is the value of the assets and data at risk? To quantify the value of your data, Cyber-Safe recommends categorizing it according to 3 criteria called C.I.A.: Confidentiality, Integrity, Accessibility.

  • Confidentiality: how much will you lose if this data is disclosed to the general public?
  • Integrity: what would be the financial impact if this data were modified?
  • Accessibility: what would be the cost if these data were no longer available, either temporarily or permanently?

Take advantage of this opportunity to sort out and get rid of unnecessary data. Limiting the amount of data is also part of your security strategy.

 

Once this work has been completed, the company can prioritize the data to be protected according to an impact matrix and set up a roadmap. This should include the following key elements:

 

3) Choose the right technological tools

The price range for data security is extremely varied. Choose your provider according to location, legislation and the services you require. The important thing is to adapt your protection to your risks, as explained above, to discourage hackers from attacking you. Make your environment as difficult as possible to penetrate.

Please note: even if your data is in the cloud, you're still responsible for its security.

Make sure you know your tools and activate all security features. Ignoring them is a common mistake for companies, according to Kudelski.

Sometimes we wonder whether it's worth investing in all these tools, especially when the subject isn't an everyday one. But we forget about the X number of attempted attacks that have been unsuccessful precisely because of the security system. For security to be good, it has to be invisible.

 

4) Implement organizational measures

Tools are essential, but not sufficient. We need to organize their management. This means training employees, empowering them and structuring their access rights (who should have access to what).

 

5) Understanding the legal context

The Swiss Data Protection Act (DPA) was recently revised, and it is now mandatory to report any attack. According to Philipp Fischer, founding partner of the Oberson Abels law firm, "The main risk is not the penalty incurred, but we have a Federal Data Protection Commissioner who will be able to rate your company, and the reputational risk associated with this is undoubtedly much greater".

 

6) Take preventive measures

Test, check and update protection, verify backups, carry out crisis simulation exercises (emergency plan), keep abreast of best practices, adapt to changes in threats, continually train users and raise their awareness.

Read the article by Bilan, which attended Industry Connect and gives us its report: Cybersecurity, SMEs not immune.

People, the weak link in cybersecurity

So data security is not just a technical issue, it encompasses the entire organization: infrastructure, processes, data governance, understanding of security rules.

The 2nd Industry Connect confirmed the importance of the human factor at the heart of this subject. You can put in place the best tools and an impeccable protection system, but if your staff aren't properly trained, they will leave the door open to numerous loopholes. The proof is in the pudding: 90% of cyber-attacks are due to the wrong click. Few people realize that cyber-attacks are a daily occurrence, and most don't feel concerned.

One of the first precautions you need to take is to be properly trained in the issues and best practices involved in protecting your company's data. Effective training drastically reduces the probability of a data leak: it prevents 95% of users from being phished.

Indeed, a data leak doesn't necessarily come from an attack; it can also come from a process, a misconfiguration or simple negligence. An interactive map listing the world's biggest data leaks and hacks over the years can be found here: https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/. It shows the frightening quantities of data that have been stolen, sometimes involving very personal data, and the reasons for each incident, which are mostly human.

Jérôme Chanton, CEO of SME Kugler Bimetal, paid the price in 2018. Despite a culture of confidentiality built over long banking experience, he was tricked by a fraudulent bank transfer site and lost 100,000 euros in 1h15. He trusted what he thought was the UBS Helpdesk because they knew all his information. He was then surprised to discover that the attack had come from the Israeli mafia. As he puts it, "This doesn't just happen to banks, but also to SMEs with 60 employees. Investing in IT security is not enough". Following this difficult experience, he stepped up cybersecurity training with regular reminders to his teams and examples of new attacks. He has noticed that repetition is crucial, so he favors short but frequent training sessions.

Teams need to be trained, not only to reduce risks, but also to know how to detect flaws when they occur. Yann Allandit, Senior Solution Architect at HPE, reminded us that the average length of time cyber criminals are present before detection is 78 days, which is a very long time. The hackers' strategy is to make themselves invisible, obtain maximum rights, and spread across several servers, deep inside systems, for example by hiding in firmware. Cyberattacks are becoming more sophisticated, and resolution times have increased 4-fold in 10 years. It is therefore essential to have a strategy for detecting and responding to attacks on IT systems.

 

Cybersecurity best practices in infographics

To help you raise awareness among your employees about securing your company's data, alp ict has created educational infographics illustrating best practices and cybersecurity fundamentals, developed with Swiss experts.


Developing and implementing collective intelligence solutions

To meet the 2nd objective of our program, and help you implement concrete solutions tailored to your needs, we are offering a Collaborative Working Group for SMEs. Through workshops, companies will be supported in their collective intelligence by solution providers, industrial and academic experts.

The workshops will start in 2021. As the number of participants is limited, please register your interest now by writing to: delphine.seitiee@platinn.ch
 
