Small to medium-sized enterprises (SMEs) are the backbone of the British economy. They make up 99.9% of all private sector businesses and in 2015 the combined turnover of SMEs in the UK was £1.8 trillion. Many of the most innovative companies are SMEs, businesses full of ideas for new or improved services and products.
But despite their successes, many SMEs are still falling down when it comes to cyber security, in part because many are focused on creating value around their core competency, not cyber security. According to a study by Towergate Insurance, 97% of SMEs have neglected to prioritise online security improvement for future business growth. However, with new EU general data protection regulations coming into force soon, it’s an area SMEs can’t afford to neglect any longer.
The cyber security challenge
It’s generally accepted that most businesses, regardless of size, will have a firewall and an anti-virus program in place. However, even with this, SMEs are consistently some of the most vulnerable to cyber attackers. If their intellectual property is stolen or if they are discovered to have been a launching pad for attacks against a larger business partner, it can mean going out of business.
In terms of setting up and enhancing their cyber security, SMEs face several interesting challenges:
- Many don’t have staff dedicated to cyber security
- Cyber insurance is often prohibitively costly
- The cyber security of SMEs is a growing concern in the supply chain
Monitoring the risks
Addressing these challenges isn’t easy. Many SMEs are aware of the need to collect log data for later analysis by a consultant for legal compliance purposes, but most don’t have security information and event management (SIEM) systems or threat intelligence data. Additionally, when it comes to staffing and insurance, it’s always going to come down to cost, something which is worth the budget but can’t always happen overnight. To begin tackling the bigger cyber security problems, SMEs should start by seeking out cost-effective systems which enable them to protect their business and, by extension, their business relationships.
Unfortunately for SMEs, many cyber security companies initially target their offerings to the Fortune 500 and look to move down market to SMEs much later in their product life-cycle -- sometimes not at all. However, there are a number of ways that SMEs can focus on obtaining security products and services that automate breach detection and discovery, whilst also giving them the value of security analysis and infrastructure without the huge upfront and ongoing costs, such as threat intelligence reporting. Many SMEs understand the value of collecting logs for network and application troubleshooting and for regulatory compliance. These tools allow SMEs to correlate the data they already have against a database of threat indicators on a weekly basis, and some of these even operate on a “freemium” model.
Moreover, the fact that small businesses employ these security controls can only serve as a comfort to other larger businesses they work with in the supply chain. The service would also feature the ability to share a small business’s security posture as a proof point for other larger businesses in the supply chain. These kinds of services are gaps in the market that, once filled, should allow any company to use security as a differentiator when competing to supply services or goods as part of a larger supply chain, enabling them to go back to doing what they do
By Mark Seward, VP Security Solutions, Anomali