It is widely acknowledged that all businesses can be victims of cyber crime, suffer data loss, get hit by ransomware or fall victim to some other form of cyber attack – the “when, not if” maxim in cyber security circles. However, for SMEs, facing up to this fact is difficult.
A lack of knowledge, the challenge of justifying investments when cashflow, sales or profit margins are tight, and the view that “it won’t happen to us” or “we’ll just deal with it at the time” all add to the risk factors for SMEs, which can find themselves under-defended and under-prepared.
For SMEs, which are often time-poor, under-resourced and lacking in technical cyber security skills, the most obvious way to start thinking about defence is to look at how other cyber attacks or security breaches have occurred and try to identify the “low hanging fruit” that allowed those situations to happen, or to be worse than they should have been.
This was the very approach used by the UK’s National Cyber Security Centre (NCSC) in its “10 Steps to Cyber Security”. When the Australian Cyber Security Centre (ACSC) looked at the breaches it had been involved in, it derived a set of technical mitigations in its “Essential 8” guidelines. This ethos is also the driving aim of the Cyber Essentials certification scheme in the UK, which has so far had limited adoption outside of government and defence supply chains.
Of course, a medium business with a few dozen users has a different scale of problem to a micro business with just one or two. So, if “you” are your only user and “your network” is your home broadband connection, the advice below still holds, but it is just yourself you have to worry about.
SMEs must look at the areas where cyber crimes, data thefts, malware attacks or online attacks happen, and start there. Staying ahead of the cyber criminals, hackers or virus writers means considering cyber security in each of these domains:
The point at which users interact with IT systems is prone to vulnerability. Some of these vulnerabilities can be addressed through training (more on this later) and some through the technical controls applied to the users’ systems.
Educate everyone on choosing good passwords for systems. Enforcing capitals, numbers and punctuation won’t prevent “Password1!” being used, so get hold of, and pass on, advice on choosing a good password (such as using the initial letters of a memorable phrase).
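As an added example (not part of the original post) of the point above: a naive composition check happily accepts “Password1!”, whereas a length-plus-blocklist check catches it, and the phrase-initials method gives a password the composition rules would wrongly reject. The tiny blocklist is constructed for the illustration; a real check would use a large list of known-compromised passwords.

```python
import string

# Constructed sample blocklist for this illustration only (assumption);
# a real check would load a large list of leaked/common passwords.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "admin", "summer"}

# Characters people typically bolt onto a dictionary word to satisfy a policy.
DECORATIONS = string.digits + string.punctuation


def passes_composition_rules(password: str) -> bool:
    """The traditional 'capital, number, punctuation' policy the post warns is not enough."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def normalise(password: str) -> str:
    """Strip the predictable decorations so the blocklist sees the weak core.

    'Password1!' and 'PASSWORD2024#' both reduce to 'password'.
    """
    return password.lower().strip(DECORATIONS)


def passes_blocklist_and_length(password: str, min_length: int = 10) -> bool:
    """Length plus blocklist: the approach that actually rejects 'Password1!'.

    An empty core (e.g. all digits) is treated as a failure too.
    """
    if len(password) < min_length:
        return False
    core = normalise(password)
    return bool(core) and core not in COMMON_PASSWORDS


def passphrase_initials(phrase: str) -> str:
    """Build a password from the initial characters of a memorable phrase, as the post suggests."""
    return "".join(word[0] for word in phrase.split())


if __name__ == "__main__":
    strong = passphrase_initials("My first car was a bright green Ford Escort bought in 1998!")
    for candidate in ("Password1!", strong):
        print(candidate, passes_composition_rules(candidate), passes_blocklist_and_length(candidate))
```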
Better awareness also helps prevent you, or your users, clicking on suspicious attachments, files, web links and so on. However, smart attackers make these look authentic, so suspicious emails, links carrying malware and password-grabbing scams are harder to identify.
Downloaded software applications can also introduce risk, and while there may be ways to control this on workstations and laptops in an office, telling users to be cautious and/or to ask someone with greater expertise before they install something is a good idea.
Specifically, companies need to be aware of “shadow IT” – users choosing third-party applications or cloud-based services without the involvement of anyone with an IT or contracts background. This could simply be a file storage service used to transfer large files, or a contact management application. In many cases these are fine – they solve real business challenges – but it is important to recognise that you are sharing your company’s data with a third party that might not protect it as well as you’d like.
Finally, make sure that the devices you issue to users – PCs, laptops or phones – are secured. Switch on encryption, enforce a password, set software updates and patches to download and install automatically, and invest in a good antivirus (AV) solution. Also, to combat ransomware, consider either an Internet-based backup solution or buying portable hard drives that you back data up to regularly. If ransomware does strike, you really want a good, recent, recoverable backup you can revert to.
For business owners, employers or users, protecting valuable information from cyber crime means first considering where it is. Many micro and small businesses will have data stored on a local system rather than some grand enterprise network file store.
However, businesses of all sizes are increasingly storing data in cloud or Internet-based stores – whether as files (e.g. Dropbox, Live, Sync, Google Docs, AWS) or within applications (e.g. Office 365, SharePoint, Salesforce, Sage).
Whether data is on a user’s laptop, on a physical file server or network drive, or within a cloud service, there are simple things you can do to protect it.
Work out what access various users need. If you have external companies you communicate with – maybe for telesales or printing – then give them access to only the files and folders they need. Or if it is access to an application, see if you can limit what data sets they have access to.
This extends to internal users, particularly for companies with several tens of employees where not everyone needs access to sales and customer data or access to engineering designs.
When people leave the company, make sure they don’t still have access to data stores, applications or data in files like spreadsheets – and consider that this might be from a phone or home computer in some cases.
As with the laptops or devices people carry with them, make sure they are choosing good passwords to log into remote business applications, whether that is files in a file store, a set of customer data in Salesforce or (most commonly) your company email system in Office 365. Choose good passwords yourself and make sure everyone you work with or employ does too. If possible, adopt two-factor authentication, so that they have to be using a device you know about and cannot have their access compromised if they happen to lose, write down, share or disclose a password.
Finally, you need to assume the worst. If you do have a data breach or get hit by malware, how will you establish what happened? Can you get data back if it is corrupted by a software fault or on purpose, encrypted by a disgruntled user or by ransomware, or deleted by someone who is leaving on bad terms?
In all these cases, having some record of who was accessing data or applications is vital. Knowing who was in a system when it went wrong or data was lost might help diagnose not only who did something but actually what happened and how to deal with it.
Backups – either offline extracts of application data (like customer contact details) or back-up copies of important files – are also a godsend. Many cloud file storage solutions synchronise changes to data, so if a file is corrupted on one system that modification can be synced to the cloud and then copied out to all the other users’ computers quite quickly.
Having a separate backup copy of important files and data that is continually and regularly updated means less time spent worrying about data loss or corruption, and more time getting on with running the business.
If you trade or accept orders and bookings on a web site (or mobile app even) then this point of interaction is also a point of risk of security attack or cyber crime. The data the site holds could be customer details, usernames and passwords, maybe even financial or payment details and other data that could be sensitive like dates of birth (for proof of age) or medical details.
Designing, building and running a secure web site is not trivial, especially when you consider that the attacker trying to get access to that data could have much higher levels of technical skill, much more patience and much more time on their hands than the business owner or fledgling IT department. Additionally, many security features can feel like barriers to customers – so where do you strike the balance?
The best approach is to have someone with some security expertise create the site – in particular the sections where you have user registration, login and accept payments – and not to collect information you don’t need, which minimises both its value and its sensitivity. Preferably use a reputable web site management system that already provides the features you need around users, payments and so on, without you having to build them from scratch.
If you do have self-built or custom elements, having the site penetration tested – a process whereby a skilled expert will try to find the sorts of weaknesses an attacker would – is indispensable and will surface any major issues. Ideally you would have this done when the site is launched, whenever it is changed and at least annually.
If you let people/customers down in this regard it can be hard to persuade people to share personal details with you a second time. The lost custom and potential fines resulting from a breach will more than outweigh the costs of properly protecting this vital shop window or customer touch-point.
People in businesses make decisions about security all the time, whether it’s a manager deciding whether to spend money on a penetration test or a piece of technology, an IT person deciding how to configure something or a user decision on a password or a way to achieve some end goal.
At these points of decision making – when security can either be prioritised or ignored – it is important that people know what is expected of them, or what cyber crime risks they might be introducing. Hence, training and awareness is vital – and at all levels. If you are a business owner or work in IT for a small company and are reading this blog – then you’ve already made a start!
“Telling people about security” is a part of this – however it is done (external training, online CBT or pamphlet distribution). But it has to be a continual process of reinforcement. The culture you are trying to build is one of awareness and pragmatic caution. Getting people to stop and think before they choose a weak password, make a change to a web site or upload a sensitive customer file to an external system. In short, getting everyone to be a responsible custodian of customer and company information.
The goal is to get people to “think secure” almost unconsciously, to make it socially unacceptable to take unnecessary risks or behave in a way that is unsafe or negligent.
This means allowing people to “have each other’s backs” a bit and look out for the company and one another. Similar to the way friends of someone who has been drinking might take their car keys and call them a taxi, or the way you might lock your front door when going out, or put a seat belt on your child for a car journey.
The sad fact is that even if you do all of the above, you are unlikely ever to be 100% successful in protecting your business.
It has been widely accepted for some time now that it is a matter of ‘when, not if’ a company suffers a breach or loses data as a result of cyber crime or otherwise, whether because a trained and conscientious employee succumbs to a seemingly legitimate email attack, or because an IT person simply isn’t as quick to locate, understand and fix a vulnerability as an attacker is to find and exploit it.
“When” a breach does occur being able to detect it, understand it and respond quickly is key – to both minimise the impact but also to avoid looking careless and negligent. Realistically, for a small business this is going to mean finding a Managed Security Service Provider (MSSP). There are a number of operational security tasks that need to be undertaken to mitigate and manage breaches.
An MSSP will be able to offer or define a service level that meets your needs and risk profile at a price point you can afford, and then also help you on a retainer or support basis if the worst happens.
Without an MSSP involved you probably won’t:
In each case it “might” be possible, but it is “unlikely”. Working with a third party that has the necessary technology and expertise to undertake this data collection, monitoring, triage and diagnostic/investigative role is much more likely to pay dividends.
The summary of all these points is very simple. Cyber security for SMEs is a combination of: