The real threat to SMEs: cybercrime

Most nations and businesses now regard the cyber threat as a strategic risk. Cyber-crime is on the rise – more pervasive and persistent than ever.  The increasing number of massive breaches (over 4,100 confirmed breaches exposed more than 4.2 billion records in 2016, 55 per cent from businesses ) testifies that while the Internet is a great boon to society, it also carries major risks which can no longer be ignored. These risks are both systemic and highly localised: countries face a series of threats; businesses need continuously to adapt to keep up with current and evolving threats that can compromise their future.

One of the most vulnerable sectors in the economy is the small and medium business sector (SMEs). They are the most hacked sector (230,000 known attacks in 2016 ) and 2016 data suggests that the average cost of a breach to a small business ranging from approximately £35,000, to£180,000 .  While this might sound trivial, to a small business this could mean the difference between survival and insolvency.

Increased SME vulnerability arises from a number of reasons.  The most evident is cost. Large corporates are able to invest in and create bespoke IT security solutions.  SMEs typically do not have the capital or the headcount to devote assets to roles such as Information Security Officers or Risk Managers, which they often leave to service providers. SMEs are less aware than analogues in larger enterprises of the risks and the threats, and do not necessarily have the policies and procedures in place to protect their people and systems; nor can they afford to train their people to the level necessary to deal with sophisticated cyber risk.

Affecting relationships

This can affect their relationship with their larger customers. One example could be of a sole trader who produces an important widget for a defence manufacturer. This man is connected to his customer by e-mail and possibly through a web browser for an EDI portal.  But his browser is old, his IT runs on old un-patched software, his anti-virus is providing basic functionality, compared to his customer who is more likely to better software and better physical protection.  For the cyber adversary, this is the back door, swinging open in the wind. Adversaries will do their homework. They will know who the supplier is working for, and seek to gain access indirectly, understanding the supply chain and seeking out the weakest links, compromising them, acquiring data about the targets through social engineering and direct data acquisition.

As the recent hack on Panamanian Law firm, Mossack Fonseca, shows, once people have physical access, poorly protected IT systems give up their assets very easily.  Relatively few simple steps could have saved them, yet even these are not regularly taken. 

Very few businesses are now able to trade without some access the internet. SMEs, particularly - and perversely - in the rapidly growing digital economy need this protection most if their IP is not to be stolen, and their futures destroyed. Nor should their scale disadvantage them in the cyber security market  as a buyer of products.

In our view, the cyber security industry is letting the SME customer down.  It’s a complex process for SMEs who often need to deal with several companies to get even the most basic complete protection - and even then a lot of the off-the-shelf packages are less good than you might believe.  And the complexity is enough to scare off even an expert.  

Handling basics first

It does not have to be this way.  We believe that the apparent complexity of the subject has rendered it unintelligible to management – even the cyber-aware.  Business cases for investment in much needed capability are being rejected as much through incomprehension as insufficient ROI.  Indeed, our industry has been talking the wrong language unto management for a decade.   Purchasing decisions are taken either on price (you get what you pay for still applies) or on brand (a big, well recognised cyber brand feels safer even if it charges me a lot more for less) rather than capability and insight. We at Vauban believe that providing end-to-end solutions, using the best technology we can find in the UK, but without big company overheads, has to be the way forward.  No two customers are alike – no one size fits all – and our approach will allow the customers to buy what they need – not what we can sell.

SMEs do need to do the basics well first.  Much of that revolves around people and processes, educating their employees before even touching the technology.  Awareness (don’t leave your password lying around); education (patch the system when the patches are issued; keep your AV up-to-date; use strong passwords; use basic encryption products); training (how to spot a phishing e-mail; how to manage your web presence; basic system configuration dos and don’ts).  

We see many examples of poor security awareness in our everyday lives which can be just as damaging. The loud conversation in the bar, the interesting e-mail being written by your neighbour on the train without the privacy screen; the weak password (such as the LinkedIn hack which resulted in 117 million compromised accounts after the preferred password was revealed to be 123456) – these are all endemic.  It is almost as if people are asking for trouble, or are operating in total ignorance.   While we wouldn’t suggest that these people deserve to be hacked, it shows that people are always the weakest link in the system and should no longer live in denial that it won’t happen to them.  Employees need to know it matters, through leadership behaviour and personnel protocols – make loose information security behaviour a disciplinary offence.  And enforce it.

The internet is essential.  Like any environment there are some safety rules.  Protecting yourself doesn’t have to cost the earth and can actually enhance your future prosperity.  SMEs should not be bamboozled by corporate spin or ripped off with substandard products wrapped in jargon.  Rather they should be helped along the way by both the suppliers and their bigger customers, both of whom have a vested interest in their success.

William Egerton, Chief Strategy Officer, Vauban Cyber Technologies Limited
Image source: Shutterstock/AlexLMX