SMEs are fighting fires rather than tackling cyber defences

Only looking to cyber security after a breach is setting yourself up for failure, warns Node4's Steve Nice

Cyber security is important for SMEs - but most of them take an 'after the horse has bolted' approach. Why are small business owners so indifferent to cyber threats until it's too late? For an answer we talked to Steve Nice, security technologist at Node4.

"[Cyber security] isn't the top of their agenda," said Nice. "An SME is running around fighting fires, trying to run their business, and I don't think that security even enters their mind unless something happens - then they fight that fire, put that out and move on to the next thing; that's the nature of an SME."

Time might be an SME's most valuable resource, and the most limiting factor in their cyber defences; but so is understanding. Nice told us that the cyber jargon so loved by security professionals - "attack vectors" and "payloads", "ransomware" and "threat landscapes" - is a real barrier to entry for business owners, who cannot spend the time to research these terms. The important thing for them is the direct value of a security solution, and how it can help their business.

Easy prey

SMEs are the low-hanging fruit of the cyber landscape; they might not have the most valuable information - little IP or saleable data - but the compensation is the sheer number of them with poor or out-of-date cyber defences. Attackers can take a shotgun approach, sending out harmful packages to many targets and then focussing their efforts on the ones with positive returns.

In some cases, SMEs can be used to access large firms, too; the 2013 Target data breach saw hackers using network credentials stolen from Fazio Mechanical Services - a supplier of refrigeration and HVAC systems. That means that SMEs could be targeted as part of a larger attack, and makes it even more important for firms to not share security information with their suppliers.

Small businesses can use this fact to their advantage by demonstrating that they have taken security seriously: "That should give a larger organisation some comfort that their systems won't be breached through an SME vulnerability... It would be advantageous for SMEs to think like that when trying to win business from a larger company," said Nice.

To show that they have a good understanding of security, Nice recommends that all SMEs take part in the Cyber Essentials Certification (CEC), as a minimum: a government- and industry-backed initiative to recognise companies with the technology and knowledge to protect themselves. "If attackers are taking a shotgun approach [and see the Cyber Essentials Certification], they'll move on to other targets... You won't be an easy target because you've already done those basic measures."

Hook, line and sinker

The CEC focuses on making sure that the basics are covered, like changing default passwords and cyber hygiene. Phishing, though, is one of the most common threats that SMEs will face, and its prevention is not dealt with by the Certification.

More education or general awareness for businesses is important to understand the threat of phishing, whether that takes the form of placing posters around the staff canteen or sending employees on a training course. Nice's advice for those who have been the target of a phishing attempt is very simple: "Pick up the phone!" Calling the person who supposedly sent the email, or responding in an entirely new email thread, is a fast way to confirm whether the message was legitimate.

Phishers tend to use email as their attack vector, as do ransomware authors. Ransomware is a threat to companies of every size: "We've come across large and small businesses where the anti-virus isn't up to date and fit for purpose; people have turned it off because it slows the machine down," said Nice. However, SMEs are usually more at risk from such an infection, because of low levels of cyber security, the lack of a dedicated IT person and insufficient backup processes.

Websites exist that help people to recover from ransomware and decrypt their own files, but again they require a fairly high degree of technical knowledge - and time - to understand.

The biggest risk of BYOD is data leakage

The bring-your-own-device (BYOD) trend frees businesses from providing hardware, and can make employees more comfortable by enabling them to use their own phone, tablet or laptop. However, there are security implications.

"I think that the biggest risk of BYOD, as opposed to cyber security, is data leakage," Nice tells us. "Where you're accessing documents or emails and that data, without you even knowing, is being stored on the device. That device then goes off-site, out of the SME's control, and it can be left or stolen."

Nice recounts an example that Node4 dealt with recently. A client company was suffering a brute force password attack on a user's email account, which was tracked down, using Node4's monitoring tools, and found to be coming from a single device: an old Blackberry phone that the user had given away over a month ago, without removing his email account. He'd recently changed his password, meaning that the new owner of the phone had had unrestricted access to company emails for more than 30 days.

Mobile device management (MDM) software exists to minimise these risks: staff can still use their own devices, but can only access corporate information when conditions are met, such as at certain times or from a specific IP address. Some MDM software forces users to enter a walled garden application area, so that corporate data is never actually on the device.

Time, as we said at the top, is an SME's most in-demand resource, and Nice acknowledges that MDM, like many security solutions, needs a significant investment - but of course, he has an answer:

"These are all solutions that need setting up and managing, and the cost can escalate... You obviously need that time to set them up properly and manage them - which is where our SOC [Security Operations Centre] services come in. We manage it for them."

SMEs must start taking cyber security seriously. It's tempting to think that the data you hold isn't valuable to a hacker - but then, why do you have a business in the first place?