Size Doesn't Matter
Size doesn't matter, or at least it shouldn't when it comes to security. But it's not always easy for smaller businesses to achieve enterprise-class protection. Check Point's Technical Director, Tom Davison, highlights the measures SMEs can take to strengthen their security posture.
IT security has no respect for size. A hacking group can have hundreds or thousands of members globally, like Anonymous, or just a handful, like the group that mounted the successful Eurograbber attacks against banks in 2012. In either case, the disruption to the target organisations is equally severe.
It’s the same with the organisations targeted by criminals: just because a company is small and relatively unknown doesn't mean that it's safe from attack. SMEs are being targeted as part of a widening of the net for cybercriminals. Research done in 2013 by the UK Government’s Department for Business, Innovation and Skills found that small businesses are facing a greater threat of losing confidential information through cyber attacks than ever before. 87% of small businesses across all sectors experienced a breach during 2012, up from 76% in 2011. Furthermore, the average cost of the worst security breach for small organisations was between £35,000 and £65,000.
Why pick on me?
With the current trend in attacks focusing on targeted spear-phishing and social media profiling to gain access to networks, criminals are concentrating on organisations that hold assets of specific value to them. So an SME may be targeted as a stepping-stone from which to attack a partner company, with the attacker exploiting any weak link in the supply chain.
A high-tech start-up, for example, might be developing intellectual property for a much larger partner, or a small financial PR company may hold draft information about a critical upcoming deal for a FTSE 100 organisation. This was the situation in the Global Payments card processor breach in 2012, which affected hundreds of thousands of Visa and MasterCard holders. The smaller company was holding valuable assets that may have been harder to obtain from the larger firms, which made it the target. Attackers are also gambling on smaller companies having fewer security controls and fewer layers of security.
Of course, this may not always be the case, but in general there is a correlation between a company’s size and the time and resources it has available to focus on security and its management. Organisations typically use around 6% of their total IT spend on security – which means companies with smaller budgets need to allocate the security portion of that budget as wisely as they can.
The security shopping list
So what security should organisations look at investing in? In terms of protection, the same rules apply for SMEs as for any size of business: they need to decide which of their assets are business-critical, then put policies and solutions in place to protect those assets and mitigate risks to them.
Until recently, this would have demanded a disproportionately large investment from smaller businesses in security. However, two developments have enabled SMEs to protect their assets with enterprise-level security.
Firstly, the cloud model enables organisations to deploy security quickly and have that security managed for them, with solution and threat updates handled by the cloud security provider, at little or no upfront capital outlay and with predictable monthly costs. What's more, advanced, integrated services can be delivered this way, from antivirus and firewalling through to web application and social media control. This allows companies to focus on business issues and growth, and leave the network protection to the professionals. There is a range of cloud security services available from established leaders in security, making these an attractive option for companies looking to minimise capital outlay. As security threats become more sophisticated and ever more frequent, it is a problem for even the best-resourced corporate security teams to stay ahead of the curve, so fully-managed cloud services can remove a management headache for smaller firms.
The second option is made possible by the dramatic drop in the cost of entry for flexible, upgradable on-premise security appliances. Comprehensive, integrated security capabilities that were previously the preserve of larger organisations (such as virtual private networking, intrusion prevention, anti-spam, application control and URL filtering) are now accessible for hundreds, rather than thousands, of pounds. For many firms, this puts advanced security within much easier reach of that 6% of business IT spend mentioned earlier.
As mentioned earlier, the size of an organisation has no bearing on its security readiness. A key contributor to readiness is employees' awareness of IT security issues. In our 2013 security report, we found that 54% of nearly 900 organisations surveyed globally had at least one potential data loss incident as a result of emails being sent in error to an external recipient, or of information being incorrectly posted online. We also found that 52% of employees risk committing a breach in the workplace by engaging in unsafe computing practices.
It is these simple, human errors that attackers look to exploit: tricking an unsuspecting employee into clicking a link in a phishing email that will infect their PC, or inadvertently posting sensitive information to the wrong website. Unfortunately, we are all conditioned to trust others, and it is a difficult mind-set to change because employees want to be helpful and want to feel they are doing their jobs effectively.
This is where employee education can play a key role in boosting security: making staff aware of the potential risks and threats, and how their behaviour can mitigate these risks by avoiding phishing emails, fake websites and more. And it’s here that smaller businesses have an advantage: they have fewer employees to educate. It’s often these simple measures that can be the difference between a security incident and ‘situation normal’.