Drive Your Business
Small Budget, Big Security Threats
How to Secure IT in Your Small to Medium Sized Enterprise
2 ©2015 WGroup. ThinkWGroup.com
Small-to-medium-sized enterprises (SMEs) may not have the same budgets as larger businesses, but they face many of the same IT security threats. With every organization increasingly relying on IT to provide a growing range of services and applications, it is more important than ever for security to be at the top of your priority list. But how can smaller businesses achieve IT security without the same resources as their larger counterparts?
Introduction
Getting the most out of a modest budget
Many organizations struggle to maintain a high level of security while keeping costs to a minimum. In order to meet these challenges and ensure that their sensitive data and mission-critical applications are safe, it is important to focus on the areas that will have the greatest impact. Most SMEs don’t have the resources to spend money to protect against every possible risk. Still, with the proper knowledge, most businesses can achieve a high level of security that provides more than enough protection against likely threats.
This guide will help your small to medium sized business identify key areas to focus its security efforts and ways to maximize the impact of a small budget.
SMEs face serious security threats
Last year, 70% of all businesses in the United States suffered a cyber-attack and over one billion sensitive records were leaked.[1] Clearly businesses are a major target for cyber criminals, and their tactics are growing more aggressive and effective with each passing year. SMEs can no longer afford to ignore these risks, as the scope of attack is so wide that even relatively modest targets may be subject to sophisticated attacks. However, as many as 82% of business owners responding to a recent survey said that they did not believe they would be targets of an attack, with many citing that they did not believe they had anything worth stealing.[2] Clearly there is a massive disparity between reality and perception for many SMEs. All small to medium sized businesses need to be aware of these risks and take steps to prepare for them.
Cyber-attacks affect all organizations
When it comes to cyber-attacks, there is a massive disparity between perception and reality for many SMEs.
No business can afford to ignore the threat of an IT security breach. As rates of cyber-attack climb to record highs and dependence on IT applications rises, the threats and costs associated with those threats grow exponentially. Yet many organizations fail to implement effective strategies or simply ignore IT security altogether.
Breaches are costly
One key fact to keep in mind when budgeting for security measures is just how expensive the alternative can be. Malware attacks alone cost businesses over $114 billion in 2014.[1] In order to maintain their organization’s viability and build the most effective investment versus risk strategy, CIOs must develop strong security protocols and systems. Some of the costs associated with breaches include:
Downtime
Many businesses rely on IT services to run their website, generate revenue, communicate, run mission-critical applications, and connect with customers. This makes even short periods of downtime incredibly expensive, particularly for businesses in certain sectors. One 2014 study estimated that the average cost of a single minute of downtime is $5,600, with the hourly cost translating to approximately $300 thousand.[3]
Stolen IP
Intellectual property (IP) can be among an organization’s most valuable assets. Yet many companies do not take the same precautions in securing their IP as they would their more tangible resources. Although valuing IP and estimating the total cost of its theft is difficult, some estimates place the total at $575 billion and as much as 0.9% of GDP for high-income countries.[4]
Reputation
87% of CIOs say risk to reputation is their chief concern in a cyber-attack.[5] This concern is not unfounded. Consumers are significantly less likely to trust a company immediately following loss of sensitive information. Incidents like the recent Target breach, in which more than 100 million customers’ credit card details were stolen, highlight the implications of this effect. Although the breach cost Target only $148 million in direct costs, one study estimates that total costs, including damage to brand, will be over $1 billion.[6]
Compliance
Many organizations store sensitive information that is subject to regulation by the government. Breaches can expose inadequacies in an organization’s security procedures and lead to fines for violation of rules such as HIPAA. These fines can often be more costly than the direct effects of the breach itself. These fines can even be levied against organizations not found to have done anything wrong. If an organization was fully compliant with all PCI regulations, for example, they may still be subject to a fine of $50 to $90 for the loss of each cardholder’s data and face civil litigation from the affected customers. In the event of a major breach, these costs can quickly reach astronomical sums.[7]
Top 6 steps SMEs can take to improve security
Given the considerable threat that cybercrime presents to SMEs, the question still remains of how to adequately secure IT with a relatively small budget. Fortunately, even the smallest businesses can take major steps to improve their security with modest outlays. The key is in building an effective strategy based on data, informed guidance, and a deep understanding of your business’s needs.
1. Perform a business impact assessment
The most important part of creating a more effective IT security plan is understanding how a breach will affect the business. Look for areas that have the greatest possibility of causing serious financial or reputational damage, and focus on those first. Obviously sensitive, mission-critical, or revenue-generating applications should be a high priority, with less important applications getting less attention. This helps to ensure that resources are being allocated in the most effective way possible. Some key questions to ask include:
• What are the estimated costs associated with various breach scenarios?
• What systems, services, or applications can we not afford to lose, even for a short period?
• What type of breach is most likely to affect those systems?
• What steps can be taken to reduce the likelihood of this breach scenario?
• Will more costly actions be more effective than less costly actions? (Steps that are less costly but provide the greatest security benefit should be taken first)
• Who are the most valuable personnel to protect against attacks and respond in the event of a breach?
• How can third party support help prevent or respond to a breach?
2. Educate employees
Most breaches are only possible because of human error. Educating employees about risk and best practices is often the least costly and most effective way of making SME IT more secure.
One common attack that relies on under-informed victims is the phishing scam. Over 156 million phishing emails are sent every day, with 80,000 victims ultimately sharing sensitive information with the attackers.[8] Although most of these attacks are blanket sweeps looking for credit card numbers or other personal information, many are also designed to attack business targets and gain access to high-value information stored on their servers. It is critical that all employees understand the risks of these types of attacks and never share their passwords or other information with anyone.
Education about security is even more important among those that actually work in information technology within the company. The development community and IT department need to know best practices and security policies. From the code powering your applications to the servers and networks they run on, it is critical that all systems be built and managed with security in mind.
3. Use the cloud the right way
Another consideration for many businesses is the use of cloud services. In many cases, public cloud-based applications, platforms, or infrastructure can be more secure than on-premises solutions. It is very likely that major cloud providers have invested more resources in the best security measures than the average SME. Outsourcing to these providers can offer significant benefits to smaller businesses and greatly reduce the cost of attaining high security.
However, use of cloud services can also present new, unique challenges. Managing cloud vendors and ensuring that they are properly securing your data can be difficult. Companies must understand the standards and technologies being introduced by these third parties and how they must adapt to these changes. These solutions are also still subject to compromise by phishing scams or other password collection methods. Ultimately, access to critical data is often guarded only by a public-facing login, and anyone with the right credentials can get in. Taking steps to educate users about security and putting the proper protections in place are still critical steps.
4. Assess security
Regular assessments are an extremely important part of developing a cost-effective security strategy, as they can indicate where resources are most needed. Investing in blanket upgrades to systems, software, and procedures that already offer adequate protection is not something that most SMEs can afford. Understanding areas of weakness helps to provide a roadmap for effective spending.
Penetration testing
Perform penetration testing at least once a year as a baseline security health check. These tests should tell organizations how their security measures will perform under real-world attacks, providing invaluable information for IT.
Review procedures
It is important to regularly review an organization’s security procedures and ensure consistency across the organization. As technologies and security threats evolve, so too should a business’s practices. Performing a regular qualitative assessment can form a basis for systematic adaptation.
Raise awareness
One of the major benefits of assessment is its impact on awareness within the organization. Pen testing can give a much-needed motivational boost to investment in security and help justify IT efforts to address issues.
Preventative actions
Ultimately, testing allows IT to address issues before they are exploited by an attacker. Pen testing can identify areas that may have been missed to ensure that security holes can be filled and bugs can be fixed.
Show risk mitigation efforts
If a breach does occur, a rigorous assessment procedure can show that every possible step was taken to prevent it. This can help justify IT’s actions to the organization as a whole and prove that resources are not being wasted.
5. Streamline incident response
No amount of investment or preparation can prevent the most determined attacks. In order to minimize damage in the event of a breach, it is critical that organizations have effective response strategies in place. Optimally, organizations should be able to:
• Neutralize the threat
• Recover any lost data
• Ensure that critical applications and services can be kept online
• Ensure that employees can continue working with minimal interruption
• Inform media outlets and customers about the breach
• Rapidly fix or replace damaged software or hardware
Consider third party solutions. SMEs working with limited funds must often make up for a lack of extensive personnel with highly specialized skills by implementing more cost-effective approaches to this challenge. Using a third party IT security and incident response/recovery solution is one way for smaller organizations to ensure that they have the resources necessary to properly deal with the situation. These providers are well equipped to stop incidents as soon as possible and even identify the perpetrators with forensics. This can greatly augment the IT department’s ability to effectively respond to these incidents without making significant investments in hiring full-time personnel.
6. Implement more effective governance strategies
Effective infosec is driven by effective governance that prioritizes risk management and recognizes the threat posed by modern cybercrime. Leaders in the IT organization must implement strong policies and drive adherence to ensure that their organization is as protected as possible.
Conduct regular risk assessments
As the organization changes, it is important to adapt policies to address shifting needs and risks. Performing regular risk assessments can help determine the current state of risk within the organization and understand how security systems and procedures factor into it. This helps IT leaders develop better policies to improve security within the organization.
Develop consistent policies
Ensuring adherence to security policies not just within the IT organization, but across the entire company, can be challenging. However, developing and enforcing policies that help keep corporate data and IT systems safe is an absolutely critical component of IT security.
Assess third parties
Modern IT departments must deal with a wide range of third party vendors. This presents several unique security risks, and it is up to management to ensure that these vendors offer adequate protections that comply with internal and external regulation. All new third party providers must be vetted and SLAs must be thoroughly understood before entering into any agreement.
Collect data on key metrics
In order to understand the threats an organization faces and to see how security policies are performing, management must collect data on several key metrics. This can provide the raw facts necessary to understand how a company is threatened, what applications and services are most at risk, and how effective current strategies are.
Key takeaways
SMEs face many unique challenges because they must deal with the same security threats as larger organizations using fewer resources. However, by implementing the right strategies, any company can minimize its risk without going over budget.
SMEs face growing security threats
As the organization changes, it is important to adapt policies to address shifting needs and risks. Performing regular risk assessments can help determine the current state of risk within the organization and understand how security systems and procedures factor into it. This helps IT leaders develop better policies to improve security within the organization.
Explore alternative solutions
Cloud, third party providers, and other alternative solutions can offer many benefits to SMEs. By taking advantage of the security measures of much larger organizations, smaller businesses can reduce their own security budget. However, they must also understand that using third parties can present its own risks and challenges.
Get the right information
The most important tool in the IT executive’s arsenal is information. Asking the right questions within the company, to third party vendors, to customers, and to colleagues can provide extremely valuable insight into where risk lies and what issues need to be addressed.
Take a proactive stance
Assessing and addressing issues before they result in a breach always makes financial sense. Most SMEs cannot afford even small periods of downtime or losses of critical data. By implementing best practices and policies now, organizations can reduce these risks and create a more secure IT organization.
If you’d like to learn more about this and other issues facing the modern CIO, visit http://thinkwgroup.com/insights/
References
[1] Cost of Data Breach Study: Global Analysis, IBM Ponemon, 2014
[2] http://www.bmmagazine.co.uk/news/smes-underestimate-the-risk-of-cyber-attacks/
[3] http://blogs.gartner.com/andrew-lerner/2014/07/16/the-cost-of-downtime/
[4] http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf
[5] http://www.iasplus.com/en-ca/publications/state-of-change/2015/a-state-of-change-april-2015/at_download/file/188_2015_April_Final_AODA.pdf
[6] http://www.cio.com/article/2908864/security0/5-costly-consequences-of-smb-cybercrime.html
[7] http://www.focusonpci.com/site/index.php/pci-101/pci-noncompliant-consequences.html
[8] http://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcs-2012-10-11-en.aspx
Drive Your Business
Founded in 1995, WGroup is a boutique management consulting firm that provides Strategy,
Management and Execution Services to optimize business performance, minimize cost and create
value. Our consultants have years of experience both as industry executives and trusted advisors
to help clients think through complicated and pressing challenges to drive their business forward.
WGroup’s Sourcing Advisory Services include:
• Sourcing Strategy Development
• Shared Services Strategy and Transformation
• IT Outsourcing (ITO) Advisory
• Business Process Outsourcing (BPO) Advisory
• First Time Projects and Contract Renewals
• RFP Lifecycle Management
• Vendor Selection
• Contract Development and Negotiation
• Transition Planning and Management
• Contract Analysis
301 Lindenwood Drive, Suite 301 Malvern, PA 19355
610-854-2700
ThinkWGroup.com