The Cyber Security Challenge for Small & Medium Enterprises (SMEs)
“It is not the strongest that survive, nor the most intelligent, but the one most responsive to change” Charles Darwin.
Did you know that 8 in 10 SMEs that suffer serious cyber breaches and don’t have a plan will go out of business in the following few months?
Risk management is now top of the board agenda with business interruption, reputational damage and cyber crime being the top 3 concerns. The board knows it will face highly resourceful criminals and law enforcement agencies that are overwhelmed by the scale of their task.
Cyber crime is classified as a ‘Tier 1 Strategic Threat’, sitting alongside terrorism, international military crises and major natural disasters. The exponential rise of cyber crime and its global nature has created a virtual tsunami of risk. New laws seek to force businesses to raise their game. They come replete with revenue-based fines and personal liability for those in control functions. Bilateral cross-border jurisdictional agreements are increasing – so best you know where your liability lies. The US is particularly aggressive about chasing foreign miscreants. Criminal convictions and jail time are now real possibilities for those who are negligent with data in their custody.
The challenges facing everyone, and Small and Medium Enterprises (SMEs) in particular, in their efforts to become cyber resilient include:
Language
Gobbledegook: A mystical language (for example, endpoints and sockets for devices and connections) appears intended to confuse.
Endless acronyms: BYOD, AFH, 3DES… add to impenetrability.
Use of language: ‘Cyber security’ when they mean ‘Information Security’ – this probably seems pernickety, but if you say ‘cyber’, then you think ONLY ‘cyber’ – which is what vendors want. Just remember, your threat begins long before you get anywhere near a computer. If a compromise occurs outside your security perimeter, you may never know.
Secrecy
Victims are desperate to avoid reputational damage so keep very quiet whenever they can. Frequently, law enforcement agencies are not informed of a breach. Maybe only 5% – 10% of breaches ever become public knowledge, masking the true scale of the problem and fuelling ignorance-based complacency.
Vendors
Cyber security vendors issue propaganda and then sell expensive ‘solutions’ into it, which an SME can ill afford. These solutions have often been developed with poor inherent security. Then they sell expensive fixes to patch the holes. A complex ecosystem has evolved around this merry-go-round. What their expensive sales force won’t tell you is that there is much that you can do to defend your data before you need to invest in expensive technical solutions.
Too small to be of interest
Many SME companies will convince themselves they have nothing of value to hackers and assume that they are too small to be a target. Bad luck, ALL data has a value and ALL companies and their clients have something which will interest cyber criminals. Regulators are tightening data protection rules and fines for lack of compliance or negligent loss are increasingly becoming revenue-based.
The rules do not apply to us
For now, regulators are focused on financial/critical infrastructure companies and new laws are primarily aimed at them. Nevertheless, up to 80% of data breaches in larger companies enter through vulnerabilities in their supply chain. Suppliers are a constant source of cyber infection. Wherever they can, regulated companies will pass these legal requirements down to their suppliers; companies will be forced (expensively) to comply or step away.
What to do?
In a recent survey, 2% of respondents said that they would sell their company’s data for as little as $10. At $1,000, 15% would.
Criminals are offering $20,000 for Google employee logon credentials, we hear. Google invests much effort in its own security, but it is impossible to make any system totally impregnable. Impossible. Even for Google. The survey mentioned above suggests a reasonable possibility that one of Google’s c.20,000 workforce will sell. Success will buy the criminals a goldmine. $20k will look like an absolute bargain.
Like cars and guns, computers are not intrinsically dangerous. Around 4 in 5 data breaches are initially caused by human error (or, occasionally, a malicious action by an (ex)employee).
A well constructed governance regime, proactive management and a good education and training programme at the heart of any Information Security efforts will ensure a significant lowering of the general cyber risk and increase crisis management capability. In the process you will create many more trained eyes to work with your security staff. That has to be a good thing too.
Then you can concentrate on creating a more robust and cost effective IT security solution. Any acquisition of potentially expensive technology will only be actioned in response to a genuine need. All the above should be guided by a comprehensive threat assessment involving all aspects of the risk (physical, cyber and governance). Strong governance will enable a board to create a comprehensive ‘Information Security’ culture and process throughout the whole organisation.
Recent media coverage has highlighted large branded companies, but as few as 10% of all breaches make the news. Even very large businesses underestimate the extent of the threat. They frequently, therefore, fail to protect themselves adequately and the consequences, both financially and reputationally, are huge.
Mike Britnell
BeCyberSure
