How SMBs Can Improve Cyber-Defenses, With Tony Anscombe

SMBs face unique challenges when it comes to cybersecurity. They often have fewer resources than larger businesses and tend to have less expertise internally. Cybercriminals are increasingly viewing SMBs as lucrative targets, with 46% of all attacks today targeting small and midsized organizations.

Expert Insights spoke with Tony Anscombe, the Chief Security Evangelist at ESET, a global cybersecurity provider with over a billion users worldwide, to get his advice for SMBs on improving cybersecurity resilience, including the importance of implementing cybersecurity insurance.

You can listen to our full conversation with Tony Anscombe, on the Expert Insights Podcast:

What Cybersecurity Solutions Should SMBs Be Investing In?

Cyberattacks targeting businesses have become far more sophisticated, Anscombe explains, and the tools that SMBs invest in must evolve too. Traditionally, cyber threats are delivered through email, or phishing, using known malware to breach networks. But now cyber criminals are more commonly using software vulnerabilities as a way into the network, and over 60% of these are entirely unknown to the software vendors themselves, leaving users completely unprotected.

This is why tools like EDR (Endpoint Detection and Response) and MDR (Managed Detection and Response) are so important, Anscombe explains. “EDR is an endpoint agent, it’s a sensor on the endpoint that’s looking at everything that happens on the endpoint, the traffic flow, the processes that are running, who it’s communicating with, etc. All that data then goes back into a central system, and it’s analyzed for anomalies in traffic, alerts, and indicators of compromise in the networks. That’s the way you stop today’s cyber-attacks.”

“MDR, which is a managed version of that service, is super important. MDR is a 24/7 scenario. If you’re a small or medium business, you might that have that 24/7 team internally. But also, the people that are doing it, are only doing that one thing, because they are security analysts. It frees up your internal resource to do the more interesting stuff. You might get better retention of your team because they’re doing the more interesting things, and you outsource the day-to-day operations.”

Do SMBs Need Cybersecurity Insurance?

With the average cost of a data breach for small businesses sitting around the $800,000 USD mark, cyber insurance has become an important consideration for SMBs. “That’s enough to sink a lot of small businesses. So, if I’m sitting on the board of that business and looking at the risk to that business, would I take cyber insurance? The answer is yes,” Anscombe explains.

Cyber insurance has evolved over time, from a traditional coverage-based service to a more active component of cybersecurity strategy. “I sit on the fence with this on a regular basis,” Anscombe says. “When cyber insurance became popular it was: ‘well hang on a minute, they’re paying the bad guys!’ And they weren’t really promoting the need for additional security, not three or four years ago.”

But in 2021, there were massive payouts from cybersecurity insurance claims, and insurers began to realize that by helping companies to have better cybersecurity defenses, they wouldn’t have to pay out on so many claims, Anscombe explains. This is why cyber insurers are now starting to ask for EDR, XDR, MDR, and multi-factor authentication before they agree to insure companies.

“The cyber insurer, if I take the right policy, is going to provide me [with] crisis management, [and] forensic teams. They’re going to provide incident response teams. So, they’re going to provide me some of the expertise that I actually need if we end up in that scenario. So, to me, cyber insurance is probably more important at an SMB level than it is enterprise.”

Many cybersecurity vendors are also now beginning to offer cyber warranties – a kind of breach insurance that means vendors will payout to companies using their product if they suffer a data breach. This could be seen as just a sales gimmick, Anscombe says, but there is a hybrid approach emerging, where the vendor can deploy certain tools to monitor what’s happening inside the network, and the provider will guarantee to pay out a certain amount in the case of a data breach.

“That mix between cyber insurance is interesting… So, If I was in a small business, from a business risk standpoint, I would be seriously looking at cyber insurance. They are doing some of the hard graft for you of understanding which are the important bits. I was on the fence to start with cyber insurance, and I remain on the fence. But I now see that actually, they’re promoting cybersecurity at the same time. But they need to stop paying the bad guys!”

How SMBs Can Improve Their Overall Cybersecurity Posture

It is a challenge for any company to stay focused on cybersecurity, Anscombe says, and for SMBs in particular to have the resources to hand to understand what they need to be doing. Cybersecurity frameworks like Cyber Essentials in the UK, and CISA’s small business guidelines in the US, can be an important way for SMBs to build out their cybersecurity defenses, Anscombe explains.

Following one of these frameworks can help small businesses to prioritize and start thinking about cybersecurity policies they may have missed. “There are the more obvious ones, like patch management, vulnerability management, but there’s also zero trust and identity management. There are so many different elements to this, that actually to me, following a security framework is super important.”

“But the most important thing for small businesses, that they probably don’t do, is tabletop exercises. For big companies, this is a frequent thing. They frequently do tabletop exercises to make sure they’re in a good spot. Simple things, like have you got a list of all the people you need to call, written on paper? Because you might not have access anymore.”

“Understanding who needs to be around the table, and the roles of people around the table. And remember, a cyber-incident doesn’t necessarily need to be a malicious attack. A cyber incident might be a significant power outage that takes you offline for three, four days. It doesn’t necessarily need to be malicious.”

Listen to the full conversation with Tony Anscombe on the Expert Insights Podcast: