Pushing cyber up the agenda in SMEs

Pushing cyber up the agenda in SMEs

Image:
Pushing cyber up the agenda in SMEs

Small businesses are under the cosh when it comes to security. We ask four IT service providers for their take - and it's not all about hiring them

IT teams in small and medium-sized organisations have to react quickly to events, frequently with limited resources. Even though they may have grown accustomed to firefighting, the last couple of years have been particularly testing, and the pressures show no signs of letting up.

We asked representatives of four service providers about what they see as being the priorities and challenges for SME IT teams, and to suggest approaches - while avoiding pushing their own offerings.

Working from home

Supporting WFH is undoubtedly one of the biggest challenges for IT teams, and for many SMEs a happy post-pandemic balance between remote working and office attendance has yet to be reached.

"Today, we have a mix of approaches coming up," said Denis Dorval, VP EMEA at directory-as-a service provider JumpCloud.

"There are those desperate to get back to the office, because their management approach is based on seeing people to know that they are working, and there are others that have embraced remote and distributed work so they can cut their office bills.

"For the IT team at small businesses, this can add to their workloads, when they are already stretched, so looking at automation to help on regular tasks will be on the agenda."

For most SMEs the situation will not return to pre-pandemic norms, in part because employees will vote with their feet.

"Employees are expecting greater autonomy over where and when they work," said Mike Revell, managing director at integrator activereach, explaining that any one-size-fits all provision is likely to fail.

"IT policies that may have worked across departments may now need to be personalised down to the individual level."

This personalisation includes a need to support devices of the users' choice, in an echo of BYOD discussions a few years back. Dorval cited the increasing use of Apple's computers, which were once mainly the preserve of designers.

"The percentage of Macs in business has grown - Forrester estimates that the percentage of Apple devices in offices has doubled. This makes things easier for users and helps them feel more productive, but it does add to the security management headache for sysadmins."

Compliance is another area that can tie under-equipped IT departments in knots.

"We always start with compliance whenever we approach an IT problem," said Cherie Pitcher, CIO at MSP Employee Zero.

"Organisations are always bound by some level of compliance, whether self-imposed by internal IT policy, or from international standards such as ISO 27001 and Cyber Essentials. If there is an IT problem to solve, it will likely tie into a compliance need such as securing personal data or protecting intellectual property. Start with compliance, and look for your solution from there."

Cloud

One way that organisations have sought to alleviate the challenges posed by the sudden increase in home working is by moving workloads to the cloud.

"For years now, SMB IT leads have been looking at deprecating their reliance on physical hardware and boundaries, and instead focusing on a cloud-first approach. Only recently has it been possible to achieve this with enterprise grade solutions at the SMB scale," said Pitcher.

However, cautioned Revell, operating a hybrid cloud infrastructure can open up new vulnerabilities that existing security solutions and partners may be ill-equipped to cover.

"Businesses should not be over reliant on yesteryear's IT service providers purporting to be a one-stop-shop for everything IT related. The majority of these small business IT service providers offer no more than firewalls and off-the-shelf antivirus solutions. Security is a different kettle of fish, and businesses would be wise to look at the various managed security services (MSSPs, SOCaaS etc) options available and speak to specialist security system integrators to get an independent view."

Keeping secure

Of all the demands on a small IT team, cyber security is arguably the most challenging. The move to remote working has increased organisatons' attack surface at a time when we are witnessing a barrage of ransomware assaults, state-sponsored actors and the rise of supply chain attacks. Added to this, experienced cybersecurity professionals are hard to find and expensive, and the rate of attrition is high.

"Businesses of all sizes are vulnerable to cyber attacks, but SMEs have perhaps a greater challenge due to smaller IT budgets and the lack of skilled resources to combat more sophisticated techniques adopted by adversaries," said Alex Jinivizian, vice president strategy at security company eSentire.

"Many SMEs don't have the luxury of a CISO, a general counsel, or even a Security Operations Centre (SOC), so often rely on their IT department to manage most aspects of security."

It's helpful to break security down into three buckets, he said: prevention; detection and response; and recovery and remediation. SMEs are most likely to be successful in the protection stage, but may struggle with the other two categories.

Jinivizian pointed to the UK government's most recent Cyber Security Breaches Survey which found that 39 per cent of UK businesses had experienced an attack, with one in five of those identifying a more sophisticated attack type - such as denial of service, malware or ransomware - behind the initial breach.

"SMEs are much more limited in the tools and security analyst expertise to identify and isolate threats that bypass preventative controls, and that involves detection and response capabilities," he said.

A service provider advising that customers need more services is perhaps unsurprising, but it's true that MSPs have access to and experience of tools and techniques that can lighten the load, particularly around security.

"It makes sense for IT teams to consider new proactive approaches that release time to focus on the day job," said Revell.

These approaches include Managed Detection and Response (MDR) solutions and other services that can reduce the volume of alerts by automatically handling routine tasks. It may also be possible to standardise and simplify the infrastructure to make patching easier, for example.

"Getting out of the quagmire of day-to-day tasks should free up your time to take stock and look at how things can be improved," Revell said.

Pushing cyber up the agenda

In many SMEs, despite the best efforts of the IT team, cyber security is not always top of mind for management, and therefore tends to be under-resourced.

According to Revell, an important step to pushing cyber up the agenda is to split it off from the rest of IT: "Provide a separate budget for IT security than general IT operation budgets, highlighting the importance of building the right level of cyber security."

Pitcher agreed that management tends to underestimate the risk.

"There is a common misconception that somehow SMEs are less susceptible to threats as bad actors are more likely to target larger enterprises," she said.

"This is not the case, as SMEs have very limited mitigations in place, and limited provision for business continuity and disaster recovery."

Dismissing or downplaying the threat to SMEs because they are not an obvious target ignores the fact that they may be hacked as part of a supply chain attack, or that their relative lack of defences might make actually them an easy target. Above all, said activereach's Revell, it's important that organisations don't outsource all of their security capabilities.

"Do not think you are washing your hands of the cyber security problem once you have outsourced certain security operations in terms of management, detection and response. All companies and organisations need to recognise that building an internal cyber security function in house is imperative for the future business survival."

As well as the functional ‘security buckets' described by Jinivizian, other areas of IT strategy should also be split into bit-sized chunks, according to Employee Zero's Pitcher.

"SMEs can get ahead by investing time in a connected approach to IT, consulting with industry experts and spreading the burden. An incremental approach is better than no approach. Breaking it down into more manageable deliverables is key," she said.

"Robust IT policy, a BCDR plan and Standard Operating Procedures (SOPs) to mitigate security risk and ensure operational effectiveness are key."

Employee experience

In formulating policies and plans, IT leaders should always be mindful of the impacts on the workforce. After all, an experienced and talented IT team is hard to build, and easy to break.

"It's worth remembering that an effective approach to IT should always consider the end user. Employee experience with your technology has a huge effect on operational efficiency of the wider organisation, not to mention talent retention," said Pitcher.

"IT should always be an enabler, and increase efficiency within an organisation. If it isn't, then in the words of Steve Jobs, 'you're holding it wrong'."

Deskflix: The Future of Technology for SMEs takes place next month. Register for free today