Boosting the cyber-resilience of Europe’s SMEs
With fewer resources than larger corporations, small to medium-sized enterprises (SMEs) often find it challenging to invest in cybersecurity. Furthermore, most employees of SMEs lack a strong understanding of the threat. This can make them vulnerable to cybercriminals with even moderate skills. “Attackers can target a large number of SMEs at the same time by using automated methods,” explains CyberKit4SME project coordinator Luis Carrascal from Inetum, which is based in France. “Attacking an SME along the supply chain also provides cybercriminals with access to systems or services that may be trusted by larger organisations. This provides an attractive path of attack, enabling them to hack into a higher-value target that would be difficult to attack directly.”
Democratising cybersecurity tools
The EU-funded CyberKit4SME project sought to democratise cybersecurity methods, by adapting certain online cybersecurity tools to fit the specific needs of SMEs. In particular, the project team wanted to give smaller businesses the means to monitor and forecast cybersecurity risks, and increase their awareness of various threats. “Equipping SMEs with advanced, low-cost and easy-to-use tools means they will be able to monitor and detect potential threats without frequent recourse to expensive cybersecurity experts,” says Carrascal. To this end, five tools were developed. These include Spyderisk – a risk assessment tool that automates much of the risk assessment procedure – and HORM, a risk assessment tool that models and visualises human behaviour and work processes. The project team also developed Keenaï, a Security Information and Event Management (SIEM) tool that allows users to monitor, through a single-entry point, the whole security of the information system. The Secure Data Services tool enables data to be stored and consumed in a secure and safe manner. Finally, a critical element of the project was the establishment of the Service Ledger, an online platform through which SMEs can securely share cybersecurity information. The project team also developed a training course for using the tools, along with educational material to help employees adopt safer online behaviour.
Success of the CyberKit4SME ToolKit
These tools were trialled with SMEs operating in four key sectors – finance, healthcare, energy and transportation. Here, the effectiveness and usefulness of the tools were validated. “The ToolKit was shown to provide an effective framework for risk assessment and mitigation, covering the full life cycle of systems and applications,” adds Carrascal. “It provides the means to identify threats, analyse risks and introduce security measures that are proportionate to those risks.” The tools also allow for assessing human and organisational risk factors, linked to the design of work tasks, role assignments and responsibilities. Advanced encryption and isolation technologies were also shown to address specific threats to data that is stored, transferred and processed on the premises and in the cloud.
Trustworthy EU digital environment
The end result is that SMEs can better protect themselves by adopting such tools. “All the pilots involved in our project expressed their desire to keep on using the tools after completion of the project,” says Carrascal. Some of the innovations pioneered through CyberKit4SME will now be further developed through a new European project, called NEMECYS. The aim here will be to continue to improve their usefulness and functionality. “The fact that most of our tools have been released as open-source means they are widely available,” remarks Carrascal. “Using these tools will reduce the economic damage caused by harmful cyberattacks and data protection breaches, and help to pave the way for a trustworthy EU digital environment.”
Keywords
CyberKit4SME, cyber, cyberattacks, SMEs, security, cybersecurity, healthcare