The cyber security delusion in small businesses

Cyber security has become a fundamental component of business operations. The ever-changing threat landscape demands investment in security policies, procedures and products no matter a company’s size, market or location.

Many small businesses, however, appear unaware of just how threatening the world has become. From the use of mass targeting techniques to identify thousands of small business targets, to the changing data protection landscape and the risk of punitive fines should sensitive data be compromised, locking down business data is – or should be – an imperative.

Despite all this, many cyber security tools, unlike Anti-Virus software, have failed to keep pace with threats, and many security products have simply not been designed to meet the needs of small businesses.

Faced with complex administration tasks and a lack of expertise to define and manage security policies, many small businesses continue to put cyber security to one side.

In this article, Paul Rosenthal, founder of cyber security solutions provider Appstractor, looks at why small businesses need to take security seriously and outlines the steps any business owner can take to ensure they are addressing modern-day cyber threats.

The safety delusion

Many small business owners are aware of cyber threats, but for the most part, attacks are referenced in the context of state-sponsored cyber terrorism, threatening the infrastructure of countries or large multinational corporations.

With this in mind, it is tempting for small businesses to believe they are irrelevant to cyber terrorists operating on this new scale. But this is a big mistake.

It is that very “too small to be targeted” mindset that is putting small businesses at risk of mass targeting attacks.

Individual small businesses may not be specifically selected by criminals, but they are being routinely targeted as part of mass surveillance activity. The targets are those organisations that are not adequately protected, precisely because they are under the delusion they are too small to be a target.

With automated tools able to locate thousands of targets a day, it takes a criminal less than an hour’s work to determine the target business’ value and then step up the payload.

While it is true the Chinese government may not be aware of a single small business, you can guarantee there are tens of thousands of criminals and fraudsters leveraging low-cost automated technology to seek out vulnerable small businesses, right now.

The complexity of cyber security

With so many small-time online criminals and fraudsters using new generations of easily available automated tools to target small businesses and consumers on an industrial scale, strong security has become essential.

However, one of the big problems business owners face is that so many of the security products on the market are just too complex to implement properly.

Even basic functions such as resetting a user password on Office 365 can be baffling, leading to passwords being written down on paper, or even texted to other employees.

When security features are too complex, the result will be employee workarounds or incorrect usage that leaves the business completely vulnerable.

Online encryption products are a prime example of the problems facing small businesses when it comes to bringing in defences.

Most of the encryption products being developed are created with the top-end user in mind, such as a large organisation or government; these are simply not accessible for small businesses.

At the other end of the market are the consumer products designed for the individual user.

These products don’t scale well to a business environment because they are designed to be interactive – requiring users to actively configure and use the technology.

For a business with dozens of employees, each with an office desktop, home laptop and mobile phone, all of which need to be secured before they can be used for business, the consumer products will inevitably lead to either an untenable administrative overhead for already stretched management, or low adoption levels.

Online encryption is imperative

With tens of millions of consumers investing in online encryption to protect their private data from compromise, the fact that so many small businesses are still operating without online encryption is a concern, especially when they are asking for consumers to share data with them.

Some existing, and certainly incoming, regulations are moving to change this attitude and enforce a security-first culture on business, particularly the soon-to-be-implemented General Data Protection Regulation (GDPR).

Under this regulation businesses risk penalties of up to €10m or 2 per cent of annual global turnover, whichever is higher, or €20m or 4 per cent of annual global turnover, whichever is higher – depending on the specific GDPR regulations that are breached.

Considering this level of penalty, can any business afford not to invest in cyber security?

Yet still too many organisations are failing to understand the level of risk – in part because the cause and effect of an online breach is not always obvious. While everyone knows the hell that can break loose when a virus infiltrates the system – hence the near ubiquitous usage of anti-virus by both businesses and consumers – the same understanding does not apply to data encryption.

The administration challenge of online encryption

To date, ensuring online encryption has been deployed properly on every device within a business, and that it is being properly used and complied with, has been an unmanageable overhead that simply cannot be addressed by one small business person, or part-time IT person. There are not enough skills and certainly not enough time.

This administrative nightmare is causing chaos for those smaller businesses which want to deploy cyber security but can’t figure out how to continually monitor solutions to ensure they are used correctly, or convince their employees to take the risks seriously.

Small business online encryption must be developed to replicate the ease of use associated with more mature safety products like Anti-Virus, with the same ease of installation and providing the ability to track and monitor to ensure all employees are using the technology correctly at all times.

Cyber-attacks are a threat to all businesses, of all sizes, all over the world.

Whether it is large-scale state-sponsored attacks on infrastructure, or simultaneous automated attacks on tens of thousands of small businesses, the threat is very real.

Every organisation requires new security procedures and a robust process of implementation and usage – and a way to ensure that every employee is complying with the new security policies.

Paul Rosenthal, founder and CEO, Appstractor Corporation