How SMEs protect against hacker attacks

No IT system is 100 percent secure against hacker attacks. Small and medium-sized enterprises are often the target because they have fewer financial or human resources than large companies and are less able to protect themselves. However, as the Hacker Year in Review from the NZZ newspaper shows, large companies and even the Confederation are not immune to attacks: In June 2023, during the visit of Ukrainian President Volodimir Zelensky, the websites of Parliament, Swiss Post, Swiss Federal Railways, the Federal Department of Justice and Police (FDJP), and the cities of Zurich, Lausanne, St. Gallen, Montreux and Schaffhausen were paralyzed. In March 2023, the NZZ itself became a victim. Cyber criminals stole confidential data and encrypted files and blackmailed the publisher. The article "Criminal hackers attack and blackmail the NZZ: Record of a crisis" impressively describes how a cyber attack works and how serious the consequences can be.

Why cyber resilience is so important

Every week, the National Cyber Security Center receives several hundred to 2,000 reports of cyber incidents. Everyone is at risk: governments, critical infrastructures such as energy suppliers or hospitals, state-owned enterprises and corporations. But also small and medium-sized enterprises. SMEs must therefore prepare themselves organizationally and technically for attacks, raise their employees' awareness of IT security and data protection, and strengthen their cyber resilience. In psychology, resilience refers to the ability to cope with difficult life situations without any impairment. In cyber security, resilience is the ability to protect against cyber attacks, recognize them, respond immediately and recover quickly from the consequences.

How cyber criminals attack SMEs

Cyber criminals are constantly developing new methods and perfecting them. These are their most common attack variants:

• Phishing: People are the weakest link in any IT security chain. This is why cyber criminals try to manipulate their victims by means of social engineering and, for example, get them to disclose passwords, reveal confidential data or click on a link. The most widespread is phishing with emails or messages that pretend to come from a trustworthy source.

• Ransomware: Cyber criminals infiltrate the IT system, download all the data, encrypt it and block the system. They then demand a ransom, hence ransomware, for the return of the data and the release of the system. If the victim refuses, they threaten to publish the data or sell it on the dark web.

• DDoS attacks: Cyber criminals trigger thousands or millions of requests to a network, server or website. These requests overload the system until it collapses and, for example, an online store is no longer accessible. The malicious data traffic often only stops when the victim pays a ransom.

How SMEs protect against hacker attacks

When it comes to IT security and data privacy, the whole is greater than the sum of its parts. Regular backups, a firewall and an up-to-date virus scanner are useful, but are not sufficient on their own to protect the IT system and data. This is why companies, regardless of their size, need a holistic strategy. The strategy is based on risk assessment and risk management, organizational and technical protective measures, training and awareness-raising for all employees, emergency provisions and an emergency plan.

Risk assessment and risk management

If you want to control risks, you have to be familiar with them. With a risk assessment strategy, companies can identify potential risks and derive sensible measures to minimize them. The three most important elements of an effective risk assessment strategy are:

• Defining objectives, identifying potential risk factors and determining how to assess the impact of cyber attacks.
• Identifying the assets and data that are vital to the company's survival, introducing organizational and technical protective measures, and prioritizing the critical assets and data in the risk assessment.
• Defining, introducing and applying methods, techniques and tools to quantify risks, identify vulnerabilities and minimize risks. For example, threat models, risk matrices or vulnerability analyses.

Organizational and technical protective measures

Companies that want to protect their IT and data effectively need to rethink their approach to IT security and data privacy, adapt their processes and introduce suitable tools:

• Every SME needs a risk analysis of all systems and data worth protecting, as well as professional crisis management with an IT contingency plan. In addition, all employees must receive regular training in the secure handling of data and emails and be made aware of potential vulnerabilities.
• Access rights must be deleted every time someone leaves the company, checked every time there is a change of function and updated once a year. Passwords must be changed regularly and must not be shared with anyone. Remote access should be limited in time and space and well protected, for example by a multifactor authentication solution.
• The operating system, all programs, the virus scanner and the firewall must be constantly updated. All data must be backed up regularly – important data daily or even more frequently. Data must not simply be overwritten during backups, as otherwise historical data will be lost. A copy of the current backup must be stored separately from the network so that the data is also available after an attack.

Train and sensitize employees

The greatest weakness in any IT security concept is the human element. Cyber criminals exploit this with social engineering (see «How cyber criminals attack SMEs»). Companies must therefore make their employees aware of issues such as phishing, passwords and secure surfing. Regular training, clear guidelines and simple processes create a security culture throughout the company and promote a shared sense of responsibility. As IT and data security are a matter for the boss, the managing director, all members of executive management and all supervisors should set a good example and emphasize the importance of IT security and data privacy in their company through their conduct

Emergency provisions and contingency plan

Prevention is better and cheaper than cure. In the best-case scenario, a prolonged IT system failure "only" costs money; in the worst-case scenario, it costs the company its existence. This is why every SME needs an IT contingency plan to be better prepared for cyber attacks. The IT contingency plan...

• ...documents relevant IT systems, networks and applications, dependencies and possible effects on business-critical processes.
• ...provides templates for communication with customers, suppliers, partners and interest groups such as the National Cyber Security Center (BACS).
• ...contains checklists with tasks and responsibilities for the most likely IT emergency scenarios such as data breaches, hacker attacks or system failures.
• ...lists all documents that may be helpful in an emergency, for example inventory, customer and personnel lists, system and application documentation, or recovery plans.

Violations of the FLDP can be expensive

In Switzerland, the Federal Law on Data Protection (FLDP) and the General Data Protection Regulation (GDPR) of the European Union govern the handling and protection of personal data. The laws stipulate how personal data may be processed and how it, and therefore privacy, must be protected. Companies that violate the FLDP can be fined up to 250,000 Swiss francs. However, the loss of reputation and trust is often more serious and in many cases threatens the company's existence. Companies that want to protect themselves against violations of the FLDP or the GDPR should introduce best practices for compliance management with control mechanisms, guidelines and procedures.

Cyber security: Good advice is not expensive, but valuable

Zurich Resilience Solution supports large companies in strengthening their cyber resilience. The holistic concept is based on prevention and protection against financial risks. The solutions cover all important aspects of IT security and data privacy: Zurich Resilience Solutions...

• ...develops risk assessment strategies with companies, identifies critical assets and data, and recommends techniques and tools for risk analysis and mitigation. For example, data privacy audits, penetration tests or vulnerability scans.
• ...advises companies on the introduction of physical or network-based security measures, such as anti-malware programs, firewalls or encryption technologies and monitoring solutions for monitoring the IT network.
• ...trains and sensitizes employees with respect to the topics of IT security and data privacy. Including with the Cyber Escape Game, which simulates cyber attacks and teaches employees in a fun way how to react appropriately to threats.
• ...advises companies on data privacy issues and supports them in complying with all data privacy laws and regulations. This includes using best practices for compliance management and real-time checks on the compliance of their third-party providers.

Useful links

• Report a cyber incident to the cantonal police
• National Cyber Security Center (BACS): Information for companies
• National Cyber Security Center (BACS): Report a cyber incident to the BACS
• National Cyber Security Center (BACS): Report vulnerability
• Swiss Crime Prevention: Focus Internet
• digitalswitzerland: Infrastructure & Cyber Security