Cyber advice for SMEs

by Mark Rowe

The UK's official National Cyber Security Centre (NCSC) has brought out online services guidance written for small and medium-sized enterprises (SMEs), who may be overwhelmed by the NCSC’s cloud security guidance, which is aimed squarely at IT professionals and contains a lot more technical detail.

As the guidance says, many SMEs already rely on online services for day-to-day tasks, even if they’re not aware of it. This includes email and instant message communications, cloud storage, website or shop hosting, online accounting and invoicing, or using social media to engage with customers. How long could the business operate without these critical functions if you couldn’t log on to your computers as a result of (for example) a ransomware attack, or if you were locked out of an online account? And what if the business does not have access to dedicated IT or support staff?

More on the NCSC website.

Comment

Tim West, Head of Cyber Threat Intelligence at WithSecure, welcomed the guidance. “When it comes to cybersecurity, unlike large enterprises, small businesses usually don’t have the budgets to devote to a dedicated in-house security team. And where a lot of the complexity is hidden from users of cloud services, simple guidance to ensure a minimum standard of cyber hygiene can lift any organisation out of the scope of many opportunistic, yet still impactful, threats.

“Cloud services, with their new interfaces, APIs, and communication channels, expand the potential attack surface for attackers. And we know that these provide an ideal entry route for attackers to exploit. Furthermore, such use of off-premises technologies erodes the traditional model of ‘perimeter-based’ defence and encourages threat actors to target users’ identity. This is something we see often.

“One of the key things small businesses should be checking for is misconfigurations occurring in cloud services. Misconfigurations can lead to security vulnerabilities, data exposure, and operational issues. If a small business has an IT team, they should conduct regular security audits and implement automated continuous monitoring, which will take some of the burden away from the IT team.”

See also https://www.ncsc.gov.uk/section/information-for/small-medium-sized-organisations.

© 2024 Professional Security Magazine. All rights reserved.
