Risk Management & Reporting

March 19, 2019

It is widely acknowledged that all businesses can be victims of cyber crime, suffer data loss, get hit by ransomware or fall victim to some other form of cyber attack – the “when, not if” maxim in cyber security circles. However, for SMEs, facing up to this fact is difficult.

A lack of knowledge, the challenge of justifying investments when cashflow/sales/profit margins are tight, and the view that “it won’t happen to us” or “we’ll just deal with it at the time” all add to the risk factors for SMEs who can find themselves under-defended and under-prepared.

Cyber crime: It will happen to you

For SMEs who are often time-poor, under-resourced and lacking in technical cyber security skills the most obvious way to start thinking about defence is to see how other cyber attacks or security breaches have occurred and try to identify the “low hanging fruit” that led to those situations happening or being worse than they should have been.

This was the very approach used by the UK’s National Cyber Security Centre (NCSC) in its “10 Steps to Cyber Security” (read more here).  When the Australian Cyber Security Centre (ACSC) looked at the breaches it had been involved in, it derived a set of technical mitigations in its “Essential 8” guidelines (read more here).  This ethos is also the driving aim of the Cyber Essentials certification scheme in the UK that has so far had limited adoption outside of government and defence supply chains.

Of course, a medium business with a few dozen users has a different scale of problem to a micro business with just one or two.  So, if “you” are your only user and “your network” is your home broadband connection, the advice below still holds, but it is just yourself you have to worry about.

SMEs must look at the areas where cyber crimes, data thefts, malware attacks or online attacks happen, and start there.  Staying ahead of the cyber criminals, hackers or virus writers means considering cyber security in each of these domains:

1.   Where the User is

The point at which users interact with IT systems is prone to vulnerability.  Some of these can be addressed through training (although more on this later) and some on the technical controls applied to the users’ systems.

Users can be a risk - so awareness is important

Users can be a risk – so awareness is important

Educate everyone on choosing good passwords for systems.  Enforcing capitals/numbers/punctuation won’t prevent “Password1!” being used so get hold of, and pass on, advice on choosing a good password (like using the initial letters of a phrase).

Better awareness also helps prevent you, or your users clicking on suspicious attachments, files, web links etc.  However, smart attackers make these look authentic, so it is harder to identify suspicious emails or risky links with malware or password grabbing scams.

Downloaded software applications can also introduce risk, and while there may be ways to control this on workstations/laptops in an office; informing users to be cautious and/or ask someone with greater expertise when they are about to install something is a good idea.

Specifically, companies need to be aware of “shadow IT” – users choosing third-party applications or cloud-based services without the involvement of anyone with an IT or contracts background.  This could simply be a file storage service to transfer large files or a contact management application.  In many cases these are OK – they can solve real business challenges – but it is important to recognise you are sharing your company’s data with a third-party who might not protect it as well as you’d like.

Finally, make sure that devices you issue users with – PCs, laptops or phones – are secured.  Switch on encryption, enforce a password, set software updates and patches to download/install automatically, and invest in a good antivirus (AV) solution.  Also, to combat ransomware, consider either an Internet-based backup solution or buy portable hard drives that you can back up data to regularly.  If ransomware does strike you really want a good, recent, recoverable backup you can revert to.

2.   Where the data is

For business owners, employers or users, protecting valuable information from cyber crime means first considering where it is.  Many micro and small businesses will have data stored on a local system rather than some grand enterprise network file store.

Data can be at risk wherever it is stored

Data can be at risk wherever it is stored

However, increasingly businesses of all sizes are storing data in cloud or Internet-based stores – whether these are as files (e.g. Dropbox, Live, Sync, Google Docs, AWS) or within applications (e.g. Office 365, Sharepoint, Saleforce, Sage).

Whether data is on a user laptop, or a physical file server/network drive, or within a cloud service there are simple things that you can do to protect it.

Work out what access various users need.  If you have external companies you communicate with – maybe for telesales or printing – then give them access to only the files and folders they need.  Or if it is access to an application, see if you can limit what data sets they have access to.

This extends to internal users, particularly for companies with several tens of employees where not everyone needs access to sales and customer data or access to engineering designs.

When people leave the company, make sure they don’t still have access to data stores, applications or data in files like spreadsheets – and consider that this might be from a phone or home computer in some cases.

As with the laptops or devices people carry with them, make sure they are choosing good passwords to log into remote business applications – whether it is files in a file store, a set of customer data in Saleforce or (most commonly) your company email system in Office365 choose good passwords yourself and make sure everyone you work with or employ does too.  If possible, adopt two-factor authentication so they have to be using a device that you know about and can’t have their access compromised if they happen to lose, write down, share or disclose a password.

Finally, you need to assume the worst.  If you do have a data breach or get hit by malware, how will you establish what happened?  Can you get data back if it is corrupted by a software fault or on purpose, encrypted by a disgruntled user or ransomware, or deleted by someone who is leaving on bad terms.

In all these cases, having some record of who was accessing data or applications is vital.  Knowing who was in a system when it went wrong or data was lost might help diagnose not only who did something but actually what happened and how to deal with it.

Backups – either offline extracts of application data (like customer contact details) OR back-up copies of important files – are also a godsend.  Many cloud file storage solutions synchronise changes to data; so, if a file is corrupted on one system that modification can be synched to the cloud and then copied out to all the other user’s computers quite quickly.

Having a separate backup copy of important files and data that is continually and regularly updated means less time spent worrying about data loss or corruption, and more time getting on with running the business.

3.   Where the customers are

If you trade or accept orders and bookings on a web site (or mobile app even) then this point of interaction is also a point of risk of security attack or cyber crime.  The data the site holds could be customer details, usernames and passwords, maybe even financial or payment details and other data that could be sensitive like dates of birth (for proof of age) or medical details.

Customers have high expectations for the protection of their data

Customers have high expectations for the protection of their data

Designing, building and running a secure web site is not trivial.  Especially when you consider that the person trying to get access to that data as an attacker could have much higher levels of technical skill, much more patience and much more time on their hands than the business owner or fledgling IT department. Additionally, many security features can feel like barriers to customers – so where do you draw the balance?

The best approach is to either have someone with some security expertise create the site – in particular the sections where you have user registration, login and accept payments – and don’t collect information you don’t need to minimise its value (and also its sensitivity).  Preferably use a reputable web site management system that actually provides the features you need around users and payments etc. without you having to build them from scratch.

If you do have self-built or custom elements, having the site penetration tested – a process whereby a skilled expert will try and find the sorts of weaknesses an attacker would – it is indispensable and will surface any major issues.  Ideally you would have this done when the site is launched, when its changed and annually at least.

If you let people/customers down in this regard it can be hard to persuade people to share personal details with you a second time.  The lost custom and potential fines resulting from a breach will more than outweigh the costs of properly protecting this vital shop window or customer touch-point.

4.   Where decisions are made

People in businesses make decisions about security all the time, whether it’s a manager deciding whether to spend money on a penetration test or a piece of technology, an IT person deciding how to configure something or a user decision on a password or a way to achieve some end goal.

Security decision making - risk management in practice

Security decision making – risk management in practice

At these points of decision making – when security can either be prioritised or ignored – it is important that people know what is expected of them, or what cyber crime risks they might be introducing.  Hence, training and awareness is vital – and at all levels.  If you are a business owner or work in IT for a small company and are reading this blog – then you’ve already made a start!

“Telling people about security” is a part of this – however it is done (external training, online CBT or pamphlet distribution).  But it has to be a continual process of reinforcement.  The culture you are trying to build is one of awareness and pragmatic caution.  Getting people to stop and think before they choose a weak password, make a change to a web site or upload a sensitive customer file to an external system.  In short, getting everyone to be a responsible custodian of customer and company information.

The goal is to get people to “think secure” almost unconsciously, to make it socially unacceptable to take unnecessary risks or behave in a way that is unsafe or negligent.

This means allowing people to “have each other’s backs” a bit and look out for the company and one another.  Similar to the way friends of someone who has been drinking might take their car keys and call them a taxi, or the way you might lock your front door when going out, or put a seat belt on your child for a car journey.

5.   Where the breach or cyber crime occurs

The sad fact is, that even if you do all of the above, you are unlikely to ever be 100% successful in protecting your business.

Dealing with a breach can be like fighting a forest fire

Dealing with a breach can be like fighting a forest fire

It has been widely accepted now for some time that it is a matter of ‘when, not if’ a company suffers a breach or loses data as a result of cyber crime or otherwise.  Whether because a trained and conscientious employee succumbs to a seemingly legitimate email attack, or an IT guy simply isn’t as quick to locate, understand and fix a vulnerability, as an attacker is to find and exploit it.

“When” a breach does occur being able to detect it, understand it and respond quickly is key – to both minimise the impact but also to avoid looking careless and negligent. Realistically, for a small business this is going to mean finding a Managed Security Service Provider (MSSP). There are a number of operational security tasks that need to be undertaken to mitigate and manage breaches.

The role of Managed Security Services

An MSSP will be able to offer or define a service level that meets your needs and risk profile at a price point you can afford, and then also help you on a retainer or support basis if the worst happens.

Without an MSSP involved you probably won’t:

  • Collect and retain sufficient logs and activity information for diagnostic and investigative purposes;
  • Monitor your IT environment with sufficient diligence and acuity on a 24/7 basis to detect an attack early in its trajectory;
  • Have sufficient expertise to understand, diagnose, respond, avert or recover from an attack; or
  • Have enough resources to do all this while still running and growing your business.

In each case it “might” be possible, but it is “unlikely”.  Working with a third party who has the necessary technology and expertise to undertake this data collection, monitoring, triage and diagnostic/investigative role is much more like to pay dividends.

Cyber Crime prevention/survival for SME’s

The summary of all these points is very simple. Cyber security for SMEs is a combination of:

  • Doing as much as you can to protect your business;
  • Knowing where your limits are and what you can’t adequately cover;
  • Finding a third-party cyber security company to help with those residual elements.

Essential 8 Scorecard Overview


Related Cybersecurity Content


Read by directors, executives, and security professionals globally, operating in the most complex of security environments.