Incident response for SMEs: Assume cyber security breach

SMEs need to assume they will be breached and prepare accordingly

Add bookmark

Nick Benson
12/20/2023

Cyber security is a critical and growing concern for organizations of all shapes and sizes worldwide. Some 43 percent of data breaches happen to small and medium-sized enterprises (SMEs), according to Accenture’s annual Cost of Cybercrime Study. SMEs are also less likely to report or find beaches, so this figure may well be understated.

An update from the National Crime Agency to the UK Parliamentary commission on ransomware in June 2023 reported that some ransomware groups “have moved away from CNI and looked to…small and medium-sized enterprises on the basis that they are less likely to have the weight of law enforcement and the intelligence community descend on them.” This issue has been compounded by the evolution of ‘ransomware-as a-service’ which is making it much easier for less technical operators to start carrying out attacks.

SMEs face stark cyber security risks

Losing money, damaging their reputation, exposing themselves to legal action and losing the trust of their customers are just a few of the impacts that an SME may suffer. Additionally, an SME has a much higher likelihood of going out of business as a result, for example if it leads to a cashflow issue. Some estimates attribute over 80 percent of small business failures to unexpected or unmanaged cash shortages.

In a UK government study conducted earlier this year, it was discovered that 26 percent of charities and 39 percent of businesses in the country had experienced cyber security assaults or breaches in the previous 12 months – and these are just the ones that were reported.

While taking preventive measures is essential to safeguard against cyber threats, it’s also important to be aware that these steps frequently fall short. How well an organization responds to an attack, specifically how well its incident response plans work, will determine how devastating (or not) the impact will be on the business – and ultimately whether it survives.

Nobody can predict if they will be a target. There are too many other factors affecting the risk, including the type and size of your organization, the kind and degree of cyber security measures you have in place and the frequency and level of sophistication of current cyber attacks. The effect they have, though, does depend significantly on the recovery and response plans you have in place. It may be much wiser for all organizations to anticipate that they will have a cyber breach, regardless of what it does or how big it is, and alongside its preventative measures, work on how to identify, contain and recover from one.

Getting incident response right

The first step is to be aware of risks. To help identify assets, threats, vulnerabilities, impacts and controls, a cyber risk assessment should be conducted. Compiling a successful incident response strategy and putting a plan in writing that will work for your organization can only be done after a cyber risk assessment is completed.

In simple terms, an incident response plan defines roles, duties, processes and guidelines for handling a cyber incident. An organization could regret not having one even though it intends to never need one. Complacency is a serious risk, often heightened where cyber defenses and good information security practices have been invested in. The phrase “it couldn’t happen to us” is as much a warning signal as very low cyber security awareness.

For many organizations, especially SMEs, a good cyber incident response plan will require input from an external provider. It will also specify the use of an external incident response provider as part of the plans, sometimes dependent on the severity of the incident and often because of a lack of in-house resources in SME businesses.

Perhaps unsurprisingly, the UK government’s 2022 Cyber Security Breaches Survey indicated that smaller firms have a harder time creating incident response plans and are therefore less prepared for a breach. This is often down to a lack of internal expertise and capacity, along with an assumption that attacks only happen to bigger organizations.

Choosing a provider is also a significant challenge. It is essential to be able to trust them and rely on them to have the knowledge and expertise your organization needs. This is partly why the UK’s NCSC has expanded its Cyber Incident Response (CIR) program, in collaboration with delivery partners like CREST. The program, which gives access to assured incident response specialists, now covers support for all organizations instead of only those of national significance, in recognition that every firm runs the risk of a costly breach.

Data breach detection, analyses and recovery

When confronted with a cyber attack or data breach, an organization can quickly follow the protocols and principles laid out in its incident response plan. Following the plan helps an organization detect, contain, analyze and recover from an incident. This way, it stands a chance of preventing or lessening the damage and impact of an incident.

The right service provider needs to be chosen to help SMEs put a clear plan in place and, if the need occurs, to implement it. Every organization will greatly benefit from this, including faster response times and lower recovery costs, increased stakeholder communication, mitigation of any legal or regulatory repercussions and discovery and correction of the breach’s root causes.

It is not just about the advantages if there is a breach; it may also increase customer, employee and investor trust in the company by showing it is ready in the event of a cyber attack.

Choosing the right service provider will undoubtedly make a big difference in how quickly and effectively an organization handles a security breach. Some things to look for in a provider are experience and expertise, scope of services, litigation support and response time. External validation of these things is really valuable.

Programs like NCSC’s CIR Assured Service Provider and CHECK Scheme, as well as CREST’s corporate accreditation in Incident Response, Penetration Testing and Threat Intelligence, all help SMEs to select providers with confidence so that when the worst happens, they are ready for it.