Do too many small and medium-size enterprises (SMEs) believe that security is something only big firms need to worry about? In this interview, Colin Tankard, managing director of Digital Pathways, explains that, indeed, many firms believe themselves to be too small and uninteresting to attract the attention of hackers.
This is in spite of endless headlines about breaches and warnings from industry and government bodies about the business impact of an attack, such as fines, mitigation costs and the inability to operate while systems are fixed.
When SMEs do express concern, it’s usually around regulatory and legal repercussions, not least as a result of the emergence of the EU’s new General Data Protection Regulation (GDPR), with which UK firms will have to comply even if the country leaves the EU. They seem less concerned at the prospect of theft of intellectual property (IP), reputational damage and many of the other direct and indirect consequences of a successful attack.
Much of this arises from the misconception that SMEs have nothing of value as far as an attacker is concerned. But, as Tankard points out, this is wrong on many counts. One of the most valuable assets an SME might possess is its customer base: in today’s world of connected networks, a poorly guarded SME is often a stepping stone for an attacker looking for an entry point into the systems of larger companies. Often, hackers will hop from one small company to another, following the path of linked networks until they find an opening into a major organisation, effectively hiding where the attack is originating.
In addition to these targeted attacks, SMEs must also deal – like everyone else – with threats such as mass spam and phishing campaigns.
Often the attackers are happy to get into any organisation – they don’t care how big you are or what assets you have because they’re looking, for example, just to set up a proxy to exploit as a command and control server or as a relay point to hide their whereabouts.
When it comes to insider threats, smaller firms tend not to have the internal controls typically found in bigger organisations. Trust in employees is more common. And the insider threat doesn’t have to be about malicious activity – there’s a lot of damage that can be inflicted through accidents or a lack of security awareness. And that isn’t helped by SMEs skimping on security training – if they do it at all.
Even when SMEs understand that they need to do something about security, that ‘something’ often consists of installing free products that are inadequate and aren’t fully understood or properly configured.
There is often an incorrect perception about the cost of doing information security properly and an underestimate of the costs of a breach.
Building up skills internally is going to be difficult. But Tankard says that there are tools SMEs can use to create a good baseline of security on which companies can build.
With firms, including SMEs, coming under an ever-greater compliance burden, organisations should perhaps be looking at combining their security and compliance activities into a single effort, to get the greatest economies from security and also reap all the potential business benefits. For example, if you’re tendering to larger organisations, they want to see that you are complying with security standards.
There is help at hand, too. Tankard believes that the UK Government’s Cyber Essentials scheme is a great starting point.