Security Summit 2017: You must understand the threats you're facing before spending money to counter them

Nick Ioannou of Ratcliffe Groves Partnership says that small businesses' agility can be a game changer in the war on cyber crime

Cyber security is just as important for SMEs as it is for multinational firms, but many small businesses think that they lack the budget for defences - making them low-hanging fruit for attackers. Strong protection doesn't have to be expensive, though; it's all about understanding the avenues of threat.

Nick Ioannou is the head of IT at Ratcliffe Groves Partnership: a small firm employing around 40 people, with 50 endpoints, but clients including Sainsbury's, BAE Systems and Aldi. He told attendees of Computing's Enterprise Security and Risk Management Summit that the first step in protection is to take a step back and ask: how do the criminals make money?

The most dangerous form of criminal activity is unauthorised use of company assets such as PCs; once compromised, they can be used in a botnet or for cryptocurrency mining. Importantly, access to company assets allows attackers to move laterally through the network and perform extortion (ransomware, DDoS), fraud (fake services, money transfer scams) and theft (of log-in credentials, data, etc.).

Wear eight bulletproof vests

There are six areas to focus on for cyber defence:

No single solution will cover all six; true security requires understanding where the biggest threats are coming from, and for that there are three more areas to focus on: backups, forensics and monitoring. "Being able to work out what happened is just as important as defending yourself," said Ioannou.

Rather than relying on a single app, Ioannou prefers the layered approach to security, with different programmes to handle emails, DNS filtering, firewalls, web filtering and so on. He calls this "Wearing eight bulletproof vests."

Putting too much reliance on one product is a trap that many companies fall into: "They'll buy a Ferrari when they need a 4x4… They'll be sold on some vendor's fancy product and then be told ‘We haven't got the budget [for anything else]’."

The natural result is high costs, but it doesn't have to be this way. Ratcliffe Groves' cyber defences cost just £22 per user per month, and that is how Ioannou describes costs to the board; sometimes he'll be even more granular, breaking the figure down to a weekly or daily cost. The point is to avoid throwing "big, scary numbers" around. For example, email filtering rules are a good (free) way to cut down on spam.

Ratcliffe Groves also uses that layered approach to block the different elements of cyber crime. Staff training handles fraud: Ioannou runs quarterly sessions (each only 20-30 minutes long) to educate workers on social engineering tactics. The move towards two-factor authentication is a great start at addressing the threat of theft, as is encouraging staff to sign up for 2FA in their personal lives - for example, on Amazon or PayPal accounts. Software such as Zscaler is used to cope with unauthorised use of assets; these are the same products used by multinational enterprises, but "They aren't out of reach for small businesses," Ioannou said.

Layered security is not without its problems, though. An audience member asked about the performance hit when running multiple endpoint products, which Ioannou admitted was "massive."

"That's the problem with layering up," he said. "You need to constantly tell CyberArk that F-Secure is safe. Most of my job is bug fixing."