Cybercrime: a growing threat for SMEs

Let’s say you’re the owner of a business that’s doing well. You have loyal employees, happy customers and a healthy balance sheet. But then one morning, you arrive at the office and nothing seems to be working. You can’t access your emails and your customer database has disappeared. What sounds like a nightmare is the harsh reality for more and more SMEs.

More than 40% of cyberattacks target smaller companies. Hackers see them as easy targets because they often have little protection in place. The consequences can be disastrous, from financial to reputational damage. Fortunately, according to Gert-Jan Wille, Head of Cybersecurity at Howest Cyber 3 Lab, there are ways to protect your business. “My interest in cybersecurity started at boarding school, when I tried to download exam papers from the school server,” he says. “I now use my knowledge to make companies more resilient.”

The legal side of cybersecurity

Today, Wille heads a team at Howest University of Applied Sciences that researches cybersecurity. “This subject should be high on the agenda of every company, but many SMEs focus on their core business and they tend to leave cybersecurity on the back burner. They see it as a boring subject that they prefer to delegate to their IT partner, who supplies the computers, creates the accounts and sets up firewalls that make companies feel safe. However, there is often no contract in place to protect them from cyberattacks.”

Wille gives a real-life example of a company that was hacked because one of its passwords was 10 years old. “The hackers gained access to its systems and unleashed ransomware on them, encrypting even the backups,” he says. “The company had a choice: pay up or start again from scratch. It chose the first option, something we don’t usually advise. Fortunately, most of the time you can rely on backups. The worst thing is that human error – committed by employees or the company director themselves clicking on a phishing email – is often at the root of the problem. So it’s important to focus on raising awareness.”

Legislation has become stricter in recent years. “First there was the GDPR and in October the European Union’s NIS2 legislation was introduced to make businesses more resilient. Companies have to meet certain regulations, especially if they operate in critical sectors. Company directors can be held severally liable if they make mistakes. Cybercrime is a multi-billion-dollar industry with criminals working together and exchanging data. So it’s essential to start with simple measures such as multi-factor authentication and network segmentation.”

Wille stresses the importance of making good arrangements with your external partners as well. “Ask about their security policy and legal framework. The question is not whether you will be hacked, but when. And when the time comes, you will need to be able to respond quickly and efficiently. Cybersecurity doesn’t have to be a disaster, provided you’re prepared. I always recommend organising security audits by ethical hackers. And as I mentioned, awareness is key. Don’t let your children download games on your work computer, for example, because a single virus can bring down your entire production environment.”

Mandatory programme

Among Orange Belgium’s services is a programme for security awareness. “These programmes help companies to make their staff aware of the dangers. They should be mandatory, actually,” Wille says.

He also refers to the opportunities artificial intelligence brings to improve security solutions. “But this also carries risks. Remember that a tool like ChatGPT runs on the data it collects, so don’t feed it any confidential data to create a report. The same applies to the entire cloud. The cloud is and will always be someone else’s computer you entrust your data to, even though big players like Microsoft and Amazon are reliable, of course.”

In collaboration with: