The Prime Minister has extended the third alert level, CHARLIE-CRP, which has been in force since February 21. It will remain in force at least until March 15 and, looking at what is happening behind our eastern border, it will stay with us for a long time. How seriously should startups and small and medium-sized enterprises take protecting themselves against cyber attacks, and how can they do so without ruining the budget? The answer for MS was provided by Fudo Security, a Polish cyber security startup.
Damian Borkowski, Fudo Security
How prepared are Polish companies (from the SME sector, our Readers) for a cyber attack at this moment? Comparing the state of 2022 to, say, the beginning of 2021, is it much better?
Small and medium-sized companies are usually more vulnerable because they have limited resources and often do not bother to implement security strategies. If an attack is not detected in time, it can be very costly for them to return to standard operations. In addition, it can take days if not months before such a cyber attack is discovered. In 2021, CISA reported that 43% of small and medium-sized enterprises (SMEs) were targeted by cyber attacks. In 2022, we are seeing more and more cyber attacks in Poland. However, we are also seeing more engagement in programs like the “RP Cyber Security Strategy 2019-2024,” which should generally translate into more security. Basically, I would say that the threat level has increased due to the Russian attack in Ukraine. However, this primarily affects government servers. The impact of cyber threats on SMEs remains about the same as before.
Are SME companies at risk of attacks? Should small businesses also protect themselves, and if so, from which industries most strongly?
All companies are at risk. We see reports from larger companies, such as PGE SA, where Wojciech Dąbrowski, the CEO, said that their IT networks had been subject to cyberattacks. In smaller companies they are also present, but as the detection rate of this type of attack is lower there, we don’t hear about them so often. In general, both smaller and larger companies should invest time and money in cybersecurity measures, even basic ones such as properly trained staff, adequate security of work equipment, backups, and implemented company security procedures. Of course, there is no rule of thumb, but I would say that the industries most vulnerable to attacks today are the healthcare and finance/banking sectors. But right behind them are the industrial sector, or government institutions.
The simplest and cheapest steps to secure a small software company against an attack are …
The most important thing is knowledge and awareness of threats – and this is true at every level of the organization. With proper training and education, people responsible for security in the company can then pass this knowledge on, or create and implement appropriate security procedures. Next, we should remember other basic security measures, such as regular updating of the software that we use, introduction of MFA (multi-factor authentication) in company systems, implementation of automatic backup mechanisms, firewalls, anti-virus software, data encryption mechanisms or access to company resources hidden behind a VPN. In the case of bigger companies or companies that are more exposed to attacks, it is also worthwhile to provide additional security measures, such as implementing PAM (privileged access management) or cybersecurity asset management software in the company. I would also definitely recommend introducing regular security tests (e.g. penetration tests or vulnerability scans).