The war in Ukraine has brought to the surface the increasing threat of cyber attacks against Europeans. These attacks are not only targeting governmental actors, critical infrastructures, and media, but also businesses, including small businesses.
Small businesses are the backbone of the European economy. They are small but, put together, they constitute almost 99% of all businesses. And today, each and every one of them uses digital tools, even if the business itself is not online, which opens the door to cyber attacks. Yet, most of these small businesses are not sufficiently protected, and attacks on many of them have already been prepared in a way to take them out of business with a simple push of a button.
Stories about phishing (or smishing) campaigns such as Flubot, and ransomware attacks can be frequently spotted in the news. The war in Ukraine has further increased the threat, making cyber attacks targeted to European companies more tangible than ever. These attacks don’t target only the big players, but also small ones that often aren’t as strongly protected, and are easy prey for cyber criminals, especially since these businesses come as large in numbers. “A successful attack can paralyse and, in the worst (and unfortunately common) case, bring them permanently down,” says Euplio DiGregorio, Vice President of SKV, a Swiss small business association. How well small businesses are protected against the rising digital threats is extremely important for the entire European economy.
Think about any small business around you – the company you work for, your hairdresser, the café near your house, the garage where you bring your car. What do you reckon: Do they store the phone number, email, and other data of their customers securely and in compliance with the data protection rules? Would their employees recognise a phishing email or SMS? Do they use a password manager? Could you be affected if any of them has an incident?... Right.
With scarce financial resources and lack of time, cybersecurity is understandably not the number one concern to a busy entrepreneur. The risks do not seem tangible enough (until they materialise, that is), and taking immediate actions might not feel like the priority. “Small businesses typically use the digital tools that are easily available – those that they can access, afford, and use with ease – and how secure they are is not the first criteria to select them,” explains DiGregorio.
Even if an entrepreneur considers the risk important enough to take action, chances are they find themselves in a dead end before even getting started. “What are the risks I should think about? What to do about them? What tools should I use? How much is a reasonable amount to pay for those tools? Do they really protect my business?,” asks Heike Klaus, Founder of e-abo, a company offering a mobile app for course administration. “I’m no expert in cybersecurity. I have no idea,”* she says. Few micro-enterprises, single entrepreneurs, or startup founders have the expertise to define the best measures to improve the cybersecurity of their company. One option is to hire a consultant to deal with the issue. This comes with costs, and uncertainty of whether the consultant understands the company’s needs. Another option is to shoot blindfolded and choose some tools or services that seem like a good match. Chances are that they are not.
So what do small businesses need to be better protected? “First of all, they need to be aware that risks exist. After that, they need a clear starting point – what to do first – to gradually begin to understand the biggest risks, take control, and make informed choices about their priorities,” answers Samuel Fricker, professor at FHNW and coordinator of the EU funded Horizon 2020 project GEIGER that is developing a cybersecurity solution for small businesses. “Small businesses need to be empowered, but at the same time, we all know that cybersecurity is not plain sailing. Support, someone they can rely on, should be available, in case something goes wrong or something is unclear,” he continues.
Perfect cybersecurity does not exist. No company, big or small, is ever hundred percent protected. However, if businesses that at this moment have no or few concerns about cybersecurity take the first steps and improve their level of protection, even just a little, that can make a significant difference in the business as well as for us as a society. Simple measures like better password and data management, device and network protection, or training your staff to spot phishing attempts are relatively easy and cheap to implement – once you know those are the measures you should take – and can make all the difference. Up to 95% of the cyberattacks happen because of a human error. Awareness and empowerment are the key.
“The GEIGER project, part of the EU funded Horizon 2020 programme, has been for the past two years building on the idea of offering to small businesses – especially to those that are not IT-savvy or do not clearly understand cyber risks – a starting point and tools to keep improving their cybersecurity,” Fricker explains.
“Small businesses can evaluate their overall level of cybersecurity using the simple traffic light offered by the GEIGER app: red, yellow, and green. Based on the device scan, the company's ICT infrastructure, industry and location, as well as the cybersecurity skills of the staff, the app gives a score showing how secure the company is. It also lists the biggest risks, and proposes actions to start improving the score. The recommended actions can vary from installing a tool or taking training to changing the settings of the device, and the user has the control over what actions to choose,” Fricker continues.
The app is simple and intuitive, but when dealing with complicated and technical issues, it happens that everything does not go smoothly. “In addition to recommending tools and actions, GEIGER also allows small businesses to connect through the app with cybersecurity experts, and get help and support when their own skills are not enough to solve a situation. This is an absolutely critical point that most cybersecurity solutions do not address,” he points out.
How to reach small businesses, to equip them with the knowledge, skills, and tools that are useful for them? This is one of the biggest challenges in boosting their cybersecurity. GEIGER has developed training courses that are offered by cybersecurity training providers to their clients, but also integrated to existing study programmes of both IT and non-IT education providers. “In Switzerland, one of the GEIGER pilot countries, the vocational school Berufsfachschule BBB offers to its students a course in cybersecurity, and in using the GEIGER app as a tool for a small business to improve their digital security. When the students start working as apprentices, often in a small business, they bring their knowledge to their company. Small business owners and employees learn about cybersecurity from their peers as trusted advisors educated within GEIGER, which has proven to be an efficient way of raising their interest and spreading awareness,” Jessica Peichl, Research Associate at University of Education Freiburg, Germany, tells us. With her background in media education, she works on the conceptualisation and organisation of the GEIGER educational programme. “Anyone who wants to take responsibility for cybersecurity within their small business is welcome to participate in GEIGER courses to learn about cybersecurity and how to monitor their business with the help of GEIGER,” she continues.
Protecting small businesses against cyber threats is one of the strong ongoing and upcoming priorities among the EU institutions and national governments around Europe. “It is inspiring to see more cybersecurity solutions entering the market, especially when they serve the community of SMEs and start-ups, which are the backbone of Europe's economy. No matter the size of a business, cybersecurity is a measure that needs to be taken seriously, and solutions like this one are a good step. A robust and more aware European cybersecurity industry means a better protected digital Europe!,” concludes Luigi Rebuffi, Secretary General of the European Cyber Security Organisation ECSO.
The GEIGER Beta version is available for Android (and soon for Windows and iOS). It can be downloaded for free from www.cyber-geiger.eu. Any owner or employee of a small business can now enroll in the GEIGER beta trial, start improving their cybersecurity, give feedback, and benefit from the discount for beta testers for future versions of the GEIGER solution.