
Small to medium sized enterprises (SMEs) are the backbone of the British economy. They make up 99.9% of all private sector businesses and in 2015 the combined turnover of SMEs in the UK was £1.8 trillion. Many of the most innovative companies are SMEs, businesses full of ideas for new or improved services and products.

But despite their successes, many SMEs are still falling down when it comes to cyber security, in part because many are focused on creating value around their core competency, not cyber security. According to a study by Towergate Insurance, 97% of SMEs have neglected to prioritise online security improvement for future business growth. However, with new EU general data protection regulations coming into force soon, it’s an area SMEs can’t afford to be neglectful of any longer.

The cyber security challenge

It’s generally accepted that most businesses, regardless of size, will have a firewall and an anti-virus program in place. However, even with this, SMEs are consistently some of the most vulnerable to cyber attackers. If their intellectual property is stolen or if they are discovered to have been a launching pad for attacks against a larger business partner, it can mean going out of business.

In terms of setting up and enhancing their cyber security, SMEs face several interesting challenges:

  • Many don’t have staff dedicated to cyber security
Typically, the first key IT hires SMEs will make are ones that will help “keep the lights on,” deal with password lock-outs and provision and configure network services and company laptops, rather than security specialists. The security staffing challenge isn’t one which just SMEs face; it will remain a problem for all organisations for the foreseeable future. According to Michael Brown, CEO at Symantec, “the demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million.” Wages for top-notch cyber security analysts are increasing at a rate of over 7% each year. Supporting this kind of wage growth is difficult for SMBs, and companies that are able to afford this are able to poach the best talent. Hiring junior or less experienced employees, and keeping them once they are trained, is a big challenge.
  • Cyber insurance is often prohibitively costly
Many small businesses are simply not aware of the availability of cyber insurance (67% are not). In the UK the limit for data breach impact is only around 3 times that of the cover; for an SME with a small policy this might only cover the cost of system restoration – not the loss of intellectual property or the loss of customer records.
  • The cyber security of SMEs is a growing concern in the supply chain
Security is challenging enough to stay on top of when you have to worry about just your organisation and your technology. A near-impossible factor to track from a security perspective for SMEs is the third-party “wildcard.” Supply chain security, the vulnerabilities and the connections between businesses represent risks that major companies are focused on. It’s also a growing problem: last year there were reports of several big US companies suffering major breaches due to security compromises in smaller businesses they had relationships with.

Monitoring the risks

Addressing these challenges isn’t easy. Many SMEs are aware of the need to collect log data for later analysis by a consultant for legal compliance purposes, but most don’t have security information and event management (SIEM) systems or threat intelligence data. Additionally, when it comes to staffing and insurance, it’s always going to come down to cost, something which is worth the budget but can’t always happen overnight. To begin tackling the bigger cyber security problems, SMEs should start by seeking out cost-effective systems which enable them to protect their business – and by extension – their business relationships.

Unfortunately for SMEs, many cyber security companies initially target their offerings to the Fortune 500 and look to move down market to SMEs much later in their product life-cycle – sometimes not at all. However, there are a number of ways that SMEs can focus on obtaining security products and services that automate breach detection and discovery, whilst also giving them the value of security analysis and infrastructure without the huge upfront and ongoing costs, such as threat intelligence reporting. Many SMEs understand the value of collecting logs for network and application troubleshooting and for regulatory compliance. These tools allow SMEs to correlate the data they already have against a database of threat indicators on a weekly basis, and some of these even operate on a “freemium” model.

Moreover, the fact that small businesses employ these security controls can only serve as a comfort to other larger businesses they work with in the supply chain. The service would also feature the ability to share a small business’s security posture as a proof point for other larger businesses in the supply chain. These kinds of services are gaps in the market that, once filled, should allow any company to use security as a differentiator when competing to supply services or goods as part of a larger supply chain, enabling them to go back to doing what they do

By Mark Seward, VP Security Solutions, Anomali