10/09/2012

By Kevin Dowd, CEO, CNS

As a founder and active consultant in an Information Security consultancy dedicated to advising companies on how to build their defences, I’m all too aware that there are a large number of executives out there who really believe they are too small to hack, but that assumption could be devastating to their businesses.

Small and medium sized enterprises need to understand that they are just as vulnerable to cyber-attacks as large corporations. The recent global phishing activity report from the Anti-Phishing Working Group highlighted the fact that hackers are looking to exploit relationships between consumers and businesses at all levels. The 2011 SMB security awareness research from Symantec went a step further and showed the serious risk SMBs are putting themselves under. According to Symantec, almost 65% of SMBs do not have a security system in place for their online banking, 40% do not have security software on computers being used in the organisation, and almost half do not have any form of security on their mail servers!

This is sheer madness. You wouldn’t jump out of a plane without a parachute, so why put your company IT in free-fall? SMBs have to realise that they are a very easy target for hackers and that security is one of the most important pieces of infrastructure they need to put in place.

Should we be surprised then that many businesses only look at a cyber security strategy as a result of outside pressure, or after a breach has actually occurred? From the statistics above, probably not. Large enterprises do more to lock down their infrastructure, so less secure small businesses are the obvious low hanging fruit for cybercriminals.

The average cost of a cyber attack for a small business is estimated to be around £15,000 to £30,000, according to a report by Infosecurity Europe, PwC and the Department for Business, Innovation and Skills. Could your company seriously afford to lose this kind of money – and the tarnish it would inevitably leave on your reputation in its wake?

So why are SMBs not taking control of their information security risk? Well, many are, but it isn’t high enough up their priority list or they aren’t acting fast enough. This appears to be down to one or more of the following reasons:

1. Lack of executive commitment - the Executive team is not aware or not interested. From experience, without strong executive backing, information security projects invariably fail.

2. Perceived cost - information security is expensive, so let's not start.

3. "It won't happen here" syndrome - we are too small, or not a big enough brand, or otherwise invisible to the various parties instigating cyber-attacks. In fact, there is evidence to show that attackers will target smaller firms precisely because they present an easy target, and the reason for doing so may be as simple as using their resources to launch further attacks.

4. "It's an IT problem" - companies see Information Security as an IT issue, and therefore the diagnosis and responses are technology focused. Information security is not an IT problem, it is a business problem.

Putting a security strategy in place need be neither complex nor scary. The following steps will put you on the right track:

1. Instigate effective Information Security Governance - without an effective governance structure, little else can be achieved. It need not be large, costly or unnecessarily bureaucratic, but certain roles should be included. There should be a Chief Information Security Officer, either full or part time, who is tasked with working with the executive to ensure effective Information Security Management in the organisation. There should also be a nominated Executive with responsibility for Information security, sometimes referred to as the Senior Information Risk Owner. There should also be some consideration of operational roles, and integration of Infosec with change management.

2. Classify Data - start with the really critical stuff, and iterate. Ensure that everyone is clear on what your critical data actually is, and where it resides. In stage 4, below, you will define what people are actually allowed to do with it.

3. Risk Assessment - start with the most critical areas of the business and iterate. Ideally, it should be done to some recognised methodology, but anything that allows a shared view of risk will work.

4. Create a Risk Treatment Plan - enact controls to manage the identified risks. Note that this stage, applying controls, is where most people start, when actually it should only be done with an understanding of the risks as identified by the business. Controls will be people, process and technology based, not solely technology focused.

Finally, it is worth remembering that in assessing your own SMB’s security risks, you aren’t only looking at your own data, but also that of your customers. Any company carrying out business-to-business activity with larger enterprises needs to consider their requirements as the blueprint for its own security plans!

The stakes are high, so don’t remain complacent. The increasing adoption of mobile and social media platforms is going to open the floodgates for cybercriminals – not close them!