How SMBs can build their defences
The number of security breaches occurring throughout larger enterprises and SMBs continues to rise. What’s concerning is that these breaches still occur regardless of the millions of dollars that some larger enterprises spend on the latest IDS / IPS, DLP, SIEM, firewalls etc. The breaches we hear about are generally reported due to either the sheer scale of the breach and/or who the corporation is, but the ones we don’t hear about are the breaches happening in small to medium business (SMB) every day. Larger corporations generally have the resources and time to undergo a period of review, change their branding and offer free services to their customers to make up for the financial and reputational damage. In essence, they have the marketing resources to turn a negative into a positive.
SMBs don’t have the same level of resources and capacity that larger corporations have, therefore, the effects of a breach can be amplified to the point of catastrophic consequences. There is a good quote in the 2018 CISCO Threat Report that said “Small to medium business are dynamic – the backbone of innovation and the poster child of hard work. They run even faster and work even harder than enterprise peers and they are exposed to the same cyber threats”. Whilst they are exposed to the same cyber threats, it is in fact on a bigger scale. It probably wouldn’t surprise you to know that 58% of all cyber attacks are against SMB and that the majority of those breaches are actually less likely to be technical issues than they are to be one or a combination of human, process and strategy issues.
The predictions aren’t any better. According to Allianz the current global standalone cyber insurance market is at around $2bn – $3bn in premiums, and could reach $20bn by 2025. It is estimated that by 2021 cyber-crime will cost the global economy $6 trillion. Ransomware damages alone are on track to hit $11.5 billion in 2019, at which point it is estimated that a business will fall victim to a ransomware attack every 14 seconds. Globally, the average cost of a cyber breach to an SMB is $2.2 million. Furthermore, the number of IoT devices outnumbers the human population, significantly increasing our threat surface without increasing our protective measures. So, with all the statistics and fear surrounding breaches, why are they still occurring on such a significant scale, especially when we are seeing incredible developments in AI-based AV software, firewall and detection technology etc.? It really boils down to three key areas for SMBs:
NIMO – Not in my organisation
SMBs often feel they are not worth the attention or are somewhat less of an attractive target than larger corporations and, therefore, don’t need to heed the warnings. Not only do the statistics prove that assumption incorrect, but it’s that exact attitude that the threats are looking to exploit. The scary thing is that it may not even be a tangible threat that breaches your company’s defences, such as a network of bots acting to harvest the computing power for bitcoin mining or run DDoS attacks against another organisation. The issue with a NIMO attitude is that the solution to a breach is reactive, and when you are time and resource poor it’s too late. Research conducted by the Economist Intelligence Unit highlights that a proactive security strategy reduces the likelihood of a breach by 53%.
Understanding the threat
This goes hand in hand with NIMO. Whilst SMBs feel they are a less attractive target and not worthy of the attention, the threat thinks the exact opposite. There are two things that SMBs need to understand when developing their threat assessment. The first is that they offer easy gains to criminals, who are less likely to be pursued by authorities than if they had breached a larger well-known corporation. The second and most important aspect is that SMBs are a means to an end: a stepping stone, so to speak, that enables the threats to land the bigger targets or, as discussed earlier, covertly harvest your computing power to conduct a DDoS attack on another organisation.
Establishing a secure framework to protect critical business assets is largely seen as expensive and outside the scope of SMB knowledge, skills and expertise. It has been mentioned that there have been and continue to be incredible advances in threat prevention and detection technologies, but they do not come cheap. The costs rise quickly, especially when added to data storage, hardware, software, maintenance, IT support requirements etc. It is understandable that operational, marketing and growth costs etc. are given priority.
However, breaches are less likely to be a technical issue than they are to be a human, process or strategy issue. That’s because organisations are failing to identify the root causes of their issues and largely think that they need to apply expensive technology-based solutions. The cost-benefit of conducting staff awareness training, instigating a change in strategy and culture (leadership) or developing interactive procedures outweighs that of expensive standalone technologies.
The threat landscape is only going to become more complex. Advances in bandwidth and mobile technology are making it far easier for employees to transfer data on the move, therefore creating more attack opportunities. The proliferation of IoT devices has also significantly increased the attack vectors. People are becoming more transient, looking for better opportunities, pay and promotions. Gone are the days where an employee remains with the same company for years on end. The end state is the loss / transfer / theft of your company’s valuable IP / sensitive information to the competition, all because the controls (cost effective and easy to implement) were not in place to protect it.
Especially concerning is the lack of understanding about our “real lives” versus our “digital profiles”. People see themselves as separate to their digital personas and are protective of that as personal space. However, they are far from separate, and the personal profile and the work profile are interconnected, making it easy for threats to exploit one and move laterally to the other.
Equally concerning is when you hear about SMB breaches, because the root causes are on the whole relatively easy to fix. What’s harder to change is the mindset and culture. It is not an overnight process but one that needs to be implemented from the top with good leadership and driven from the bottom by a workforce with a strong security culture.
ARX has asked a number of CEOs and executives the same question – “How do you make the decision makers value the money they haven’t had to spend?” Because when a breach occurs, it is not just about the cost of first order effects. It’s the damage to reputation, lost revenue, loss of trust, breach of privacy laws, lost investment in IP, delays in production / capability milestones, failed mergers and acquisitions, legal fees and the list goes on. It is the cost of the second and third order effects that mount up, compound and drive SMBs under. The best answer I got was that CEOs walk a tightrope each day, where it becomes a balancing act and gravitational fight between governance, finance, human resources, security and operational requirements. So, it is easy to see from this analogy that priorities often fall elsewhere and the thing that actually hasn’t happened yet gets put to the back of the line.
Here’s the thing that gets misunderstood by SMBs and, for that matter, larger enterprises. Improving or enhancing your security framework doesn’t need to be financially burdensome or require employing the most advanced, thus expensive, technologies. Examining what the root causes of the issues are, developing sound strategy and changing human processes are the most effective measures. Yes, it requires hard work and time, but the payoffs of being proactive can reduce the financial effects of a reactive approach significantly.
The first step in ARX Risk’s proactive approach is to understand the threat environment specific to your operational market. This will allow you to focus resources and efforts in the right areas. We call this economy of effort. Too often organisations take a scattered approach to applying security controls, mostly technology, without properly assessing where the vulnerabilities actually are. This leads to inefficiencies and unnecessary overspend.
The second step is to understand exactly what you need to protect by asking the following four questions:
What do I need to protect?
Why do I need to protect it?
When do I need to protect it?
Where do I need to protect it?
Essentially, this step is about defining what your critical business assets are. At ARX Risk we define critical business assets as: Infrastructure (technical and non-technical), Personnel, and Intellectual Property (this includes sensitive information). It is important to remember that critical assets are not necessarily fixed. Therefore, the security framework you have in place needs to be fluid and flexible, capable of creating a mobile security bubble that extends beyond the organisation’s walls but has connective tissue with the organisation. A good example is how our Military and Intelligence Services protect our national interests. Operations to defend those interests don’t just stop at our borders. Our Military and Intelligence Services work tirelessly beyond our borders to protect what’s within them.
The third step is to test your threat assessment against your existing security controls to determine if you are actually protecting your critical assets. The following is a set of principles that we recommend you use when testing your existing framework:
You’re only as secure as your weakest link
Just as the 2018 CISCO Threat Report highlighted, SMBs run even faster and work even harder than their enterprise peers. Often, to achieve that level and competitive advantage, they utilise third parties to support their operational outputs (MSP, contractors, supply chain facilitation etc). Understanding how others treat your information, and their access to it, within their own organisations is probably one of the most important aspects of building the right security framework.
Put yourself in the shoes of the threat, then ask yourself: Why would I go after one SMB when I can go after the MSP that supports 80 SMBs? The Australian Cyber Security Centre has released some good examples of questions organisations should be asking of their MSP. These also apply to other interested parties that have potential access to your critical assets.
Integration of controls
At ARX we refer to this as the “one is none” principle. It’s Murphy’s Law that when you need something to work it won’t. That’s why contingency planning is critical to operational success. Technology alone will not protect your critical assets. The technology must be integrated with human and physical controls. Otherwise it is just a standalone procedure that can be exploited by the threats.
Interactive within the workforce
The policies, procedures and controls you have in place must be interactive, so that people thoroughly understand all aspects of why they are employed and what they are trying to achieve. Where applicable, those in technical positions need to know how a control is engineered, its vulnerabilities and the procedures required to operate it. It becomes much easier to implement a policy and procedure when your workforce understands why it is important.
Whatever controls or procedures are in place, they should be interoperable with the organisation’s operational processes so as not to impede its agility. Additionally, they must be focused in the right areas – economy of effort.
Failure breeds success
Training to failure will build your organisational resilience. Only when you know how and why something is broken can you know how to fix it. Testing your procedures, policies and controls through realistic and purpose-designed training will allow you to identify where the improvements and fixes are required. This continuous improvement philosophy in championing your organisation’s security framework will significantly improve the chances of success when you are faced with challenges.
Culture is king
Fundamentally this is the most important principle. The right security culture within an organisation is developed through sound leadership but maintained by the employees. Handing over responsibility to the employees to drive that culture will give them a sense of ownership. That ownership and responsibility is what creates the willingness to address issues when they happen or become more situationally aware, because they are protecting something that has a tangible effect on their job security.
There is no doubt that the threat landscape will continue to become more complex by the day. In order to effectively mitigate the threat, it is important that organisations and leaders re-evaluate how their defences are laid out and whether there is an insular reliance on technology over a defence in depth approach that encompasses the full spectrum of security controls. Specifically, there are some key takeaways for SMB to reduce the likelihood of their exposure and exploitation.
- Your organisation is not immune. You need to think that you are more likely to be breached. The statistics prove it.
- Remember a “breach” is not just outside hackers – internal mistakes are also 50% of security breaches.
- Before you can effectively implement technology-based solutions, you need to understand the threats, what you are protecting and what your overall strategy / mission is.
- Establishing a security framework does not need to be a financial burden. Leaders who own problems and employees with the right culture are the best form of defence.
- If you don’t know how third parties are protecting your information then you are not protecting your information.
- Be proactive, not reactive.
Ultimately CEOs and executives need to ask themselves – Have we taken the appropriate measures to mitigate the threats? If you haven’t and a breach occurs, what confidence will the board of directors and shareholders have in your ability to prevent future breaches, and how much will your reputation and personal brand be damaged?
In the next edition we will take a deeper look at the principles to help SMBs protect their critical assets.