
www.riskandcompliancemagazine.com RISK & COMPLIANCE Jan-Mar 2018

FEATURE

SIZE MATTERS: CYBER SECURITY FOR SMBS

BY FRASER TENNANT

That a cyber attack is afforded significantly more column inches when the victim is a large multinational rather than a small to mid-sized business (SMB) is an obvious assertion and one that is hard to deny.

Yet while larger companies have been and will continue to be the most desirable targets for a cyber attack, the threat facing SMBs is also considerable and should not be underestimated. Indeed, the threat to SMBs – often companies that are likely to struggle with regulatory compliance, budgetary restraints and prioritising cyber security – is increasing exponentially.

According to FireEye, there are four main reasons why cyber attackers target SMBs. First, they are considered easy targets (65 percent of SMBs have no data security policy). Second, they represent low risk and high returns (only 10 percent of cyber crimes reported to police by SMBs result in a conviction). Third, they use outdated security (cyber attackers bypassed multiple layers of security in 96 percent of SME deployments in a real-world study). Finally, they are largely unaware of the risks they face (58 percent of SME managers do not see cyber attacks as a significant risk).

In its ‘Cyber Threats to Small and Medium Sized Businesses in 2017’ report, Webroot – which surveyed 600 IT decision makers at firms with 100 to 499 employees in the US, UK and Australia – discovered that only 42 percent of IT bosses felt ransomware was a major external security threat, despite the global impact of the WannaCry and Petya attacks in 2017.

In the UK, a report by the Federation of Small Businesses (FSB) – ‘Cyber resilience: How to protect small firms in the digital economy’ – notes that SMBs are the victims of around seven million cyber attacks per year, crimes which cost the UK economy an estimated £5.26bn in 2014 and 2015. The FSB also found that the average number of times that SMBs had been a victim of cyber crime over a two-year period was four.

With cyber attacks using phishing and ransomware now considered the new normal in an increasingly digitised world, SMBs need to avoid assuming they are too small to be a target.


SMB cyber attacks

SMBs tend not to have recourse to extensive cyber security resources, thus making their data a prime target for hacking. “Cyber criminals often take the least resistant route to extract data properties from organisations,” explains Edward F. Wall, president and chief executive of NETSHIELD Corporation. “This makes SMBs more likely to suffer an attack and, more often than not, less likely to be able to quickly recover from their negative impacts.”

Yet while today’s cyber threat landscape is diverse and constantly evolving, the modus operandi of cyber criminals has hardly changed over a period of 20 years. “The Anna Kournikova and ILOVEYOU viruses were computer worms that attacked tens of millions of Windows personal computers in 2000 and 2001, respectively,” says Mike Gillespie, managing director of Advent IM Ltd. “Both were basically phishing emails – still the likeliest attack vector – that users clicked on to infect systems. This is what cyber criminals still do. People are the biggest vulnerability and also where the least security resource is placed.”

In the view of Jens Monrad, a senior intelligence analyst at FireEye, cyber attacks may soon push SMBs toward breaking point. “When they are hit with increasingly sophisticated cyber attacks like ransomware, they struggle,” he attests. “These attacks are good enough to bypass legacy defences like firewalls and antivirus, and smart enough to move laterally to other systems and network drives, to inflict maximum damage. Clean-up is costly and time-consuming, which can make a big difference to an SMB.”

Security measures

With a lack of resources a key issue, SMBs need to determine what they can realistically do to minimise the risk of a cyber attack. Then, should an attack actually take place, appropriate action must be taken to limit damage and maintain operations in the short term, while gauging the potential impact of the cyber attack in the long term.

“Adapting to the ever-changing cyber threat landscape requires a substantial security foundation,” says Mr Monrad. “Many organisations neglect the importance of implementing processes and having an incident response plan, which is regularly tested. There is a lot to gain by having proper processes and this does not start with investing in new technology. Many SMBs should begin by reviewing what policies and procedures they have in place and adapt those.”

For many commentators, a fundamental change in how SMBs, or all sizes of organisation for that matter, think about security is what is needed. “The ‘bad guys’ often already know what security assets organisations typically deploy,” suggests Mr Wall. “Implementing a multi-layered security strategy is a critical need in today’s hyper-aggressive cyber landscape and I strongly advocate starting with security from the inside out.”

Much of the criticism levied at organisations centres on the habitual deployment of security at the perimeter and endpoint, for example the operation of networks referred to as ‘Trusted LANs’ (LANs being the point at which trusted users typically access networks and server resources).

“Organisations have little to no insight into what assets connect to these networks and even less ability to enforce and control these connected assets,” says Mr Wall. “In general, it is pragmatic practice to operate and plan as though your organisation will be breached. Building a recovery plan in advance of an actual event helps organisations think through what is at stake. Considering things like encryption, backups and robust multi-layered security infrastructure are critical.”

Compliance matters

Compliance with a raft of regulations is a major challenge for businesses, with the forthcoming General Data Protection Regulation (GDPR) – enforceable from 25 May 2018 – requiring compliance or payment of large fines in the event of a data breach. SMBs must therefore develop strategies to keep the regulatory wolf away from the door.

Key to this is having a sound understanding of organisational objectives and information assets, as well as pertinent standards and regulatory requirements. “An information management risk and security strategy should encompass all of this,” advises Mr Gillespie. “Embrace standards such as the Cyber Essentials programme and the ISO27001 specification, because they are good for business.”

To evidence good security posture – often a requirement for public sector tenders and valuable private sector contracts – and ensure compliance, organisations would be well-advised to invest in government mandated cyber security frameworks, including standards created by the National Institute of Standards and Technology (NIST). “GDPR is just around the corner and it will be important for SMBs to address the new updates, as well as getting a clear understanding of the elements they are required to comply with,” says Mr Monrad.

“In a nutshell, organisations should plan to prepare for compliance or prepare to pay fines for lack of compliance,” adds Mr Wall. “It is becoming a reality as regulatory enforcement and auditing impacts both large and small organisations. Compliance is a business operation reality SMBs must prepare and budget for.”

The reality of ‘too small to target’

Clearly, cyber attacks on SMBs have accelerated in recent times – a reality that drives a stake through the heart of the notion that smaller enterprises are too small to be a legitimate target for cyber attackers with far-reaching intent. The issue then becomes a question of where on the SMB list of priorities cyber risk exposure should rank and, crucially, how to overcome a reluctance (believed by businesses to be widespread) among SMB bosses to implement clear policies and procedures to address said risks.

“It is hard to prove that diverse groups of businesses will all possess the same attitudes, but some research does allude to a lack of senior management buy-in being an issue,” suggests Mr Gillespie. “Failure to recognise that your business may be a target is a great vulnerability, as is a lack of understanding as to the value of the information assets you have. SMBs may have very valuable information assets, but if the mindset is one of indifference, then they will not have those assets very long.”

In many cases, it is less about reluctance and more to do with a failure to prioritise. “Research shows us that business leaders are not fully conversant with cyber threats, and without a senior champion to set culture, the challenge will continue to be one of adequate resource, training and awareness, policy and procedure, and overall behaviour,” says Mr Gillespie.

“It is an easy mind game to play in trying to reassure yourself that nobody will try to breach your systems because your company is too small,” notes Mr Wall. “Unfortunately, it is not a game of chess, but more a game of Russian roulette. Organisations of all sizes should highly prioritise cyber security risk mitigation strategies. The reality is that cyber criminals target organisations of all sizes, but are more likely to find access into an SMB precisely because they know those targets do not have the budget or expertise to adequately protect themselves. Fortunately, awareness is ever-increasing, but the ability to appropriately resource this growing risk falls down the priority ladder until a breach occurs.”

Size of the SMB cyber security task

With the number of cyber attacks within the SMB community growing rapidly compared to their larger counterparts, the task facing smaller enterprises cannot be underestimated, and certainly not ignored. While there are many plug and play packages available, such as firewalls, anti-malware, anti-ransomware, etc., and which purport to be ‘solutions’ to cyber threats, they are often nothing of the kind and are likely to give organisations a false sense of security.

“For SMBs operating under the principle of ‘security through obscurity’, a common tenet – fail to plan or plan to fail – becomes relevant,” says Mr Wall. “Posture balances on budget and technical ability, which creates a challenge for the cyber security market. However, in an SMB, where there is much at stake, more is required. It is not enough to know that a perimeter breach has been detected and your systems are racing to limit the damage. The SMB must establish the trusted LAN to know who or what is already inside and instantly block any unknown or untrusted assets to protect themselves.”

Another potential solution is to outsource cyber security responsibilities. “Outsourcing security to professionals makes many SMEs more productive,” Mr Monrad contends. “Many SMBs aspire to be larger enterprises but without strong security they can easily fall victim to cyber criminals that target organisations with less mature defences.”

As organisations around the world continue to reel (whether directly or indirectly) from a series of cyber attacks, there are security issues aplenty that need to be addressed, regardless of the size of the entity concerned. That said, for the SMB community in particular, the challenges are obvious, even if the ultimate solution to their cyber security conundrum is much less clear.