Authors: Jose Francisco Ruiz (Atos), Manos Athanatos (FORTH)
Cybersecurity and SMEs is a hot topic that has found several difficulties to have a happy ending. Among other issues, some of the more critical ones are the lack of expertise of the SMEs in cybersecurity solutions and functionality, the budget issues, and how to integrate any solution in their day-to-day life. Aiming to fulfill these gaps, the SMESEC project works in an approach that facilitates the adoption of cybersecurity by SMEs in an easy-accessible and budget-friendly way.
SMEs are one of the more important aspects of business in Europe. The European Commission, due to this importance, has defined SMEs with two different ranges: either the size (less than 250 employees) or turnover/balance sheet. Due to this classification, SMEs represent 99% of all businesses in the European Union, with more than 25M organizations in 2018 [1]. They work in very different areas, ranging from support to public administrations to energy distribution or development of cybersecurity solutions.
Regarding the digital transformation and its relation with SMEs, they are the ones that have the most to gain with it. It allows them to level, from the technological point of view, to be in the same playing field as larger organizations. For example, adopting cloud technologies allows them to offer the services online so they can reach an even bigger number of customers. Another benefit is that once they start adopting digital services, they usually continue with more. When they learn how useful it is for their day-to-day life and the impact in business, they tend to continue exploring more technologies. Finally, digitalisation means better communication and work tools, new approaches for old businesses, and improved ways to communicate with customers and employees. All of this has an impact on the business (profitability and competitive), organization and communication (updated and clearer processes and distributed decisions), and the growth of the company (attracting new talent and opening new frontiers).
Even though all of these benefits, the primary goal of SMEs is not to go digital. One could wonder why, if it brings so many perks and profit, they are so reluctant to adopt it. The answer is the view they have of this paradigm: digital services are expensive (more oriented to medium-large enterprises), digitalisation requires experts (and expertise), and, finally, cybersecurity.
Cyberattacks are one of the main issues for SMEs...and they are the main target of malicious attackers. In 2019, 43% of the cyberattacks targeted small businesses [2]. The attacks detected were of very different natures: hacking (52%), social attacks (33%), malware (28%), etc. This shows how it is not necessary to have only technical solutions updated and ready in the organization but also have your employees aware and mindful about cybersecurity. As why are they the main target it is easy to understand: they have more resources that could provide benefit to attackers than a person and has way less protection than a large organization. So, if you have a digital presence, you are a target. Maybe not today, but tomorrow.
Using a basis all the previous constraints and issues described before, the project SMESEC aims to provide a solution for SMEs that fulfills three critical issues: technical security, human and organizational context, and budget-friendly. On the technical side, we offer a unified dashboard with SME-tailored information, focusing on visual information and alerts. This was identified as a key element from the SMEs of the project, and as the feedback, we obtained from talking/compiling information from external ones. Also, the architecture is based in modular design in order to make possible its extension in the future with new tools, either update of the current ones we use or other ones. The idea behind this approach was that cybersecurity is always on the moving, dynamic, and new technologies and threats appear daily. Therefore, we knew with the current tools we had, it would not be possible to protect any type of SME for the future, so we had to make it possible to extend it in an easy way. Additionally to this, we have developed an API for third-party solutions so they can be integrated easily and using popular and actual technologies.
Together with the technical aspect, one element that was heavily requested/asked by the SMEs we interviewed was the possibility to have support or recommendations. As commented previously, SMEs do not have either experts of cybersecurity or expertise in the area. Therefore, it was very attractive to them that any solution they buy can give them recommendations in terms of cybersecurity. In this way, SMESEC supports this requirement in two different ways: on the one hand, several technical solutions integrated can provide recommendations about how to react to identified attacks. For example, if an attack targeting the availability of a digital service is detected, it is recommended to ban a list of IPs trying to access it (denial of service attack). On the other hand, the coaches provided in the human context area give many recommendations for prevention and protection. For example, it can give employees ideas about how to create a good password or how to behave in case of finding a USB in the street. From our point of view, prevention and decision support are as important as protecting the data of an organization, and we emphasized this aspect as another key aspect of the project.
Regarding the human approach, we have focused on two different aspects: training and coaching. For training, we have integrated into SMESEC a web portal that contains different courses about technical tools, methodologies for having cybersecurity-by-design or protection against social attacks, among others. The training platform allows to have the courses in different languages too, keeps track of the completion of the courses, and can also link/integrate external courses of other platforms, which we use for taking advantage of European portals offering free courses (e.g., ENISA, CONCORDIA, etc.). Regarding the coaches, we have developed a tool called CySec that allows creating, use and assign training to different types of employees, provide recommendations (such as what tool to use in your organization bearing in mind its characteristics), and do self-assessment coaches, which are tracked for all employees, allowing for them to see how is their cybersecurity level in different areas and how they are progressing during their lifetime.
Finally, for the business approach, we had a long debate about how to make it possible for SMEs to use our solution, as one of the main constraints we had from them was "sounds great but how expensive it is." For this reason, some of the approaches we took were: to focus in offering the platform as a service to SMEs, so the hardware constraints/needs for them is minimum; create different plans for different needs; currently we have three different plans with different costs and an option for using as a trial version; and design the system in a way that it can open the possibility of using it as a marketplace for third-party tools, which would allow other companies to sell/rent their solutions there, making prices go down as the number of options increase. All these options were studied and evaluated with many SMEs, as for us, it would not matter how good our solution is if SMEs cannot afford it.
Due to all the work, we had to do in different areas (technical, human and business), together with the internal testing and evaluation (in the project’s partners pilots on smart city, IoT, smart grids, e-voting) we planned for an open call for SMEs so they can evaluate the different options we had, provide further feedback about our approaches and give us more ideas about how to increase our penetration in the SME market.
The open call enabled European IT-companies from various sectors to use and evaluate SMESEC in their daily activities, benefiting from all the benefits of the SMESEC approach and, then provide an evaluation report to the Consortium covering all its aspects. The open call offered two additional major benefits to the project: firstly, we were able to test and evaluate the SMESEC external API, that allows companies and solutions outside of the Consortium to be added to the security framework. Secondly, a red team was recruited to evaluate both the SMESEC Framework as a whole as well as the security gains of a specific pilot while using it.
The analysis of the report provided by the open call denoted the actual security gains and protection derived from the use of the platform, the rise of cybersecurity awareness which was measured by the CySec tool of SMESEC, the knowledge gain through our training platform and finally the business opportunities accompanying the use of the platform. The business opportunities arise either directly, by integrating their security-related solution and offering it through SMESEC, or indirectly by providing more confidence to their clients from the use of a state of the art security platform and raise in cybersecurity awareness for their employees. Some of the benefits, as reported by the open call participants, are:
Therefore, and being now in our last steps to finish the project, we aim to continue working in the project confronting the more important aspects which are how to penetrate the market of SMEs, as it has been one of the more difficult and interesting tasks, and extend our solution with more tool and resources for employees.
Finally, due to the crisis of the COVID-19, we have been able to identify several ways in which our solution can help to improve businesses of SMEs. For example, our solution is fully accessible online, via the web, so users could access it with any device, being a phone or laptop. This facilitates employees to check the status of their system at any moment from any place. Also, some of the solutions we have, such as the antivirus, can be deployed in all devices of the organization, and the information is correlated in the SMESEC Framework. Admin roles can then check the cybersecurity status of these devices wherever they are and know if any device is not protected as it should. Together with this, admins can assign new training or coaches to the employees about different topics, and they would receive the notifications in their own platform. This functionality also helps the communication of the employees even be working from home or different countries, as the status/information is always updated automatically, and their progress is always stored online. From our point of view, we think SMESEC not only adapts to the new challenges of society but also helps to work in this environment. As a wrap-up, I would comment that the feedback we had from SMEs (external and internal) this era of confinement due to the coronavirus is feeling much more secure upon the use of the SMESEC framework.
From the other side, for the customers of SMEs, the use of a secure platform by the companies is very valuable active because they can trust the usage of digital services and businesses. In this sense, both for the SMEs participating in the project and the ones joining us in the open call, we asked about the impact that SMESEC had for their customers in this period of crisis, and the answer was very positive. From their point of view and experience, the clients using their products in this era of confinement, due to the COVID-19, are feeling more secure in their daily activities and work.
The SMESEC project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 740787 (SMESEC) and the Swiss State Secretariat for Education‚ Research and Innovation (SERI) under contract number 17.00067.
References
[1] European Commission 2020. Link: https://ec.europa.eu/growth/smes/business-friendly-environment/sme-definition_en
[2] Verizon 2019. Link: https://enterprise.verizon.com/resources/reports/dbir