SMEs are seen as ‘an easy target’: Advice to prevent cyberattacks

19 Apr 2023

Image: © Romolo Tavani/

Cybersecurity expert Colm Murphy gives a step-by-step approach for SMEs to prevent and mitigate cyberattacks.

With more than 20 years in cybersecurity, Colm Murphy started working in the industry before most people had even heard of the word. “I joined a cybersecurity service provider straight out of university and have stayed in the industry in various shapes and forms since then.”

Murphy is currently a senior cybersecurity adviser for Huawei. His previous roles include director of cybersecurity and information resilience at BSI and a director at Espion.

His years of experience make him well placed to offer advice for small and medium enterprises (SMEs) to prepare for and deal with cyberattacks.

SMEs comprise 99.8pc of active enterprises in Ireland. According to Murphy, “SMEs are a vital component of the Irish economy”.

Murphy cites a 2021 survey by the EU agency for cybersecurity, Enisa, which revealed that 57pc of SMEs fear their company will go out of business because of a cyberattack. He thinks it is crucial to give companies the guidance and resources they need to manage the ever-expanding cyberthreat landscape and assuage some of those cyber fears.

‘The sign of mature cybersecurity is not whether you suffer a breach, but how well you handle the situation when it does happen’

Identifying common threats

The Covid-19 pandemic and rapid technological advancements have meant that SMEs have had to accelerate their digital transformations.

The result of the “rapid transition to digital operations and offerings”, according to Murphy, has meant that “the risk of cybersecurity attacks increased too”.

“Cybercriminals view SMEs as an easy target because they often have fewer resources and less sophisticated cybersecurity measures compared to larger enterprises,” Murphy explains.

He lists the most common cyberthreats faced by SMEs as phishing attacks, ransomware, malware, insider threats and social engineering attacks.

“A cybersecurity breach can have a significant impact on an SME’s finances, reputation and ability to operate,” Murphy says. Therefore, it is important for companies to ensure that their staff understand and can identify the several types of attacks they are vulnerable to and learn how to lower the risks of attack.

Preventing an attack

To mitigate the most common risks, Murphy advises SMEs to invest in cybersecurity solutions, including firewalls, antivirus software and intrusion detection systems.

He also recommends implementing cybersecurity policies and procedures, training employees on best practices, and regularly conducting risk assessments to identify potential vulnerabilities.

Actions such as strong access controls, staff/user reporting procedures, data backup and recovery processes, up-to-date malware, and incident recovery plans, all help to ensure effective cyber hygiene.

Murphy claims that “following the rules of basic cyber hygiene will go a long way towards protecting any organisation, large or small, from an attack”.

He also recommends the following resources: EIT Digital, the Global Digital Foundation, the National Cybersecurity Centre (NCSC) and the Huawei Q&A Guide: Promoting Cybersecurity for SMEs in Europe.

These resources, particularly the NCSC website, “can help inform SMEs on the latest cybersecurity news including cyberthreats and incidents which may affect business operations,” Murphy says.

‘The human element’

Murphy cites a report from Verizon which found that 82pc of data breaches in 2022 involved a human element.

He argues that an “essential element of cyber skills training” for all employees should be about “securing sensitive data and protecting it from theft”.

“Cybersecurity is a shared responsibility and managers should lead the way in communicating very clearly to their staff and explaining concisely what is expected from them to mitigate against cyberattacks in the workplace.”

Responding to an attack

Even with diligent preparation, resources and training, many companies will still suffer from a cyberattack.

For Murphy, “the sign of mature cybersecurity is not whether you suffer a breach, but rather how well you handle the situation when it does happen”.

“The key to a response plan is to act quickly and decisively,” he says.

After a breach occurs, Murphy recommends companies take the following steps:

Contain the breach

The first step is always to identify and contain the breach as quickly as possible to limit the damage. “This may involve disconnecting affected systems from the internet, disabling user accounts or isolating affected devices,” Murphy explains.

Assess the damage

This can involve actions such as “identifying compromised data, assessing the impact on business operations or determining whether any legal or regulatory obligations have been breached”.

Notify relevant parties

Murphy advises that there may be a “legal requirement in some cases” to “notify relevant parties, such as customers, suppliers or regulators”.

He recommends informing the NCSC of the attack to help the organisation “develop a better understanding of the threat environment” and “assist other organisations who may also be at risk”.

Implement remedial actions

It is vital to find the cause of the breach and take steps to prevent it from happening again.

Actions to take may include “patching vulnerabilities, updating security software, or changing security protocols”.

Review security policies and procedures

After a breach, try to identify organisational weaknesses. “This may involve updating security policies, improving employee training or implementing new security measures.”

Seek professional help

Murphy also advises SMEs to consider seeking professional help after an attack. He feels that “cybersecurity experts, lawyers or IT consultants” may be able to help the company “to better understand the nature of the breach and identify appropriate remedial actions”.

‘Don’t wait until it’s too late’

Enacting measures to prevent and mitigate cyberattacks takes time and money. Though SMEs do not have the kind of budgets large corporations have to bolster their cybersecurity, Murphy argues the investment is “critically important” for protecting the products and services of SMEs.

“We have to stop situations where companies realise the need for cybersecurity only after a significant incident – evidently when it is too late.”

To keep costs manageable, Murphy advises a proactive approach that “prioritises risk management and cost-effective solutions”.

“By adopting a proactive approach, SMEs can better protect themselves against cyberthreats without breaking the bank.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Rebecca Graham is production editor at Silicon Republic