www.riskandcompliancemagazine.com RISK & COMPLIANCE Jan-Mar 2018 17
FEATURE
SIZE MATTERS: CYBER SECURITY FOR SMBS
BY FRASER TENNANT
That a cyber attack is afforded significantly
more column inches when the victim is a large
multinational rather than a small to mid-sized
business (SMB) is an obvious assertion and one that
is hard to deny.
Yet while larger companies have been and will
continue to be the most desirable targets for a cyber
attack, the threat facing SMBs is also considerable
and should not be underestimated. Indeed, the
threat to SMBs – often companies that are likely
to struggle with regulatory compliance, budgetary
restraints and prioritising cyber security – is
increasing exponentially.
According to FireEye, there are four main reasons
why cyber attackers target SMBs. First, they are
considered easy targets (65 percent of SMBs have no
data security policy). Second, they represent low risk
and high returns (only 10 percent of cyber crimes
reported to police by SMBs result in a conviction).
Third, they use outdated security (cyber attackers
bypassed multiple layers of security in 96 percent of
SME deployments in a real-world study). Finally, they
are largely unaware of the risks they face (58 percent
of SME managers do not see cyber attacks as a
significant risk).
In its ‘Cyber Threats to Small and Medium Sized
Businesses in 2017’ report, Webroot – which
surveyed 600 IT decision makers at firms with
100 to 499 employees in the US, UK and Australia
– discovered that only 42 percent of IT bosses felt
ransomware was a major external security threat,
despite the global impact of the WannaCry and Petya
attacks in 2017.
In the UK, a report by the Federation of Small
Businesses (FSB) – ‘Cyber resilience: How to protect
small firms in the digital economy’ – notes that SMBs
are the victims of around seven million cyber attacks
per year, crimes which cost the UK economy an
estimated £5.26bn in 2014 and 2015. The FSB also
found that the average number of times that SMBs
had been a victim of cyber crime over a two-year
period was four.
With cyber attacks using phishing and ransomware
now considered the new normal in an increasingly
digitised world, SMBs need to avoid assuming they
are too small to be a target.
SMB cyber attacks
SMBs tend not to have recourse to extensive cyber
security resources, thus making their data a prime
target for hacking. “Cyber criminals often take the
least resistant route to extract data properties from
organisations,” explains Edward F. Wall, president
and chief executive of NETSHIELD Corporation. “This
makes SMBs more likely to suffer an attack and,
more often than not, less likely to be able to quickly
recover from their negative impacts.”
Yet while today’s cyber threat landscape is diverse
and constantly evolving, the modus operandi of
cyber criminals has hardly changed over a period
of 20 years. “The Anna Kournikova and ILOVEYOU
viruses were computer worms that attacked tens of
millions of Windows personal computers in 2000 and
2001, respectively,” says Mike Gillespie, managing
director of Advent IM Ltd. “Both were basically
phishing emails – still the likeliest attack vector – that
users clicked on to infect systems. This is what cyber
criminals still do. People are the biggest vulnerability
and also where the least security resource is
placed.”
In the view of Jens Monrad, a senior intelligence
analyst at FireEye, cyber attacks may soon push
SMBs toward breaking point. “When they are hit
with increasingly sophisticated cyber attacks like
ransomware, they struggle,” he attests. “These
attacks are good enough to bypass legacy defences
like firewalls and antivirus, and smart enough to
move laterally to other systems and network drives,
to inflict maximum damage. Clean-up is costly and
time-consuming, which can make a big difference to
an SMB.”
Security measures
With a lack of resources a key issue, SMBs need to
determine what they can realistically do to minimise
the risk of a cyber attack. Then, should an attack
actually take place, appropriate action must be taken
to limit damage and maintain operations in the short
term, while gauging the potential impact of the cyber
attack in the long term.
“Adapting to the ever-changing cyber threat
landscape requires a substantial security
foundation,” says Mr Monrad. “Many organisations
neglect the importance of implementing processes
and having an incident response plan, which is
regularly tested. There is a lot to gain by having
proper processes and this does not start with
investing in new technology. Many SMBs should
begin by reviewing what policies and procedures
they have in place and adapt those.”
For many commentators, a fundamental change
in how SMBs, or all sizes of organisation for that
matter, think about security is what is needed. “The
‘bad guys’ often already know what security assets
organisations typically deploy,” suggests Mr Wall.
“Implementing a multi-layered security strategy is
a critical need in today’s hyper-aggressive cyber
landscape and I strongly advocate starting with
security from the inside out.”
Much of the criticism levied at organisations
centres on the habitual deployment of security at the
perimeter and endpoint, for example the operation
of networks referred to as ‘Trusted LANs’ (LANs
being the point at which trusted users typically
access networks and server resources).
“Organisations have little to no
insight into what assets connect to
these networks and even less ability to
enforce and control these connected
assets,” says Mr Wall. “In general, it
is pragmatic practice to operate and
plan as though your organisation will
be breached. Building a recovery plan
in advance of an actual event helps
organisations think through what
is at stake. Considering things like
encryption, backups and robust multi-layered security infrastructure are critical.”
Compliance matters
Compliance with a raft of regulations is a major
challenge for businesses, with the forthcoming
General Data Protection Regulation (GDPR)
– enforceable from 25 May 2018 – requiring
compliance or payment of large fines in the event
of a data breach. SMBs must therefore develop
strategies to keep the regulatory wolf away from the
door.
Key to this is having a sound understanding of
organisational objectives and information assets,
as well as pertinent standards and regulatory
requirements. “An information management risk
and security strategy should encompass all of this,”
advises Mr Gillespie. “Embrace standards such as
the Cyber Essentials programme and the ISO27001
specification, because they are good for business.”
To evidence good security posture – often a
requirement for public sector tenders and valuable
private sector contracts – and ensure compliance,
organisations would be well-advised to invest in
government mandated cyber security frameworks,
including standards created by the National Institute
of Standards and Technology (NIST). “GDPR is just
around the corner and it will be important for SMBs
to address the new updates, as well as getting
a clear understanding of the elements they are
required to comply with,” says Mr Monrad.
“In a nutshell, organisations should plan to prepare
for compliance or prepare to pay fines for lack of
compliance,” adds Mr Wall. “It is becoming a reality
as regulatory enforcement and auditing impacts
both large and small organisations. Compliance is a
business operation reality SMBs must prepare and
budget for.”
The reality of ‘too small to target’
Clearly, cyber attacks on SMBs have accelerated
in recent times – a reality that drives a stake through
the heart of the notion that smaller enterprises are
too small to be a legitimate target for cyber attackers
with far-reaching intent. The issue then becomes a
question of where on the SMB list of priorities cyber
risk exposure should rank and, crucially, how to
overcome a reluctance (believed by businesses to be
widespread) among SMB bosses to implement clear
policies and procedures to address said risks.
“It is hard to prove that diverse groups of
businesses will all possess the same attitudes,
but some research does allude to a lack of senior
management buy-in being an issue,” suggests Mr
Gillespie. “Failure to recognise that your business
may be a target is a great vulnerability, as is a lack
of understanding as to the value of the information
assets you have. SMBs may have very valuable
information assets, but if the mindset is one of
indifference, then they will not have those assets
very long.”
In many cases, it is less about reluctance and more
to do with a failure to prioritise. “Research shows us
that business leaders are not fully conversant with
cyber threats, and without a senior champion to
set culture, the challenge will continue to be one of
adequate resource, training and awareness, policy
and procedure, and overall behaviour,” says Mr
Gillespie.
“It is an easy mind game to play in trying to
reassure yourself that nobody will try to breach
your systems because your company is too small,”
notes Mr Wall. “Unfortunately, it is not a game
of chess, but more a game of Russian roulette.
Organisations of all sizes should highly prioritise
cyber security risk mitigation strategies. The reality
is that cyber criminals target organisations of all
sizes, but are more likely to find access into an
SMB precisely because they know those targets
do not have the budget or expertise to adequately
protect themselves. Fortunately, awareness is ever-increasing, but the ability to appropriately resource
this growing risk falls down the priority ladder until a
breach occurs.”
Size of the SMB cyber security task
With the number of cyber attacks within the
SMB community growing rapidly compared to
their larger counterparts, the task facing smaller
enterprises cannot be underestimated, and certainly
not ignored. While there are many plug and play
packages available, such as firewalls, anti-malware,
anti-ransomware, etc., and which purport to be
‘solutions’ to cyber threats, they are often nothing of
the kind and are likely to give organisations a false
sense of security.
“For SMBs operating under the principle of
‘security through obscurity’, a common tenet – fail
to plan or plan to fail – becomes relevant,” says Mr
Wall. “Posture balances on budget and technical
ability, which creates a challenge for the cyber
security market. However, in an SMB, where there
is much at stake, more is required. It is not enough
to know that a perimeter breach has been detected
and your systems are racing to limit the damage.
The SMB must establish the trusted LAN to know
who or what is already inside and instantly block any
unknown or untrusted assets to protect themselves.”
Another potential solution is to outsource cyber
security responsibilities. “Outsourcing security to
professionals makes many SMEs more productive,”
Mr Monrad contends. “Many SMBs aspire to be
larger enterprises but without strong security they
can easily fall victim to cyber criminals that target
organisations with less mature defences.”
As organisations around the world continue to
reel (whether directly or indirectly) from a series of
cyber attacks, there are security issues aplenty that
need to be addressed, regardless of the size of the
entity concerned. That said, for the SMB community
in particular, the challenges are obvious, even if the
ultimate solution to their cyber security conundrum
is much less clear.