Earlier this year, the Department for Business, Innovation and Skills (BIS) reported that 93% of large businesses fell prey to a cyberattack in 2012.
Similarly, small and medium-size businesses (SMBs) also suffered, with 87% being targeted – up 10% from the previous year.
Now, the reasons why SMBs are at risk have been examined in detail in a recent Sophos-sponsored report by the Ponemon Institute.
The report – The Risk of an Uncertain Security Strategy – surveyed over 2,000 IT security managers within organisations employing up to 5,000 people.
Given the job roles of the respondents, some of the findings are quite staggering: 44% of those surveyed said that a strong security policy is not a priority, and 58% claimed that management do not see cyber attacks as a significant threat.
Other barriers to implementing an effective IT security strategy were also identified, with 42% (unsurprisingly, perhaps) citing a lack of budget as a large factor. Another major issue identified by the survey was a lack of skilled personnel.
Other findings in the Ponemon report are even more concerning.
Considering the fact that respondents in the survey are all responsible for managing the security function, I find it quite alarming that 1 in 3 admitted that they did not know whether their organisation had been subjected to a cyber attack in the last twelve months. Such a lack of knowledge would seem to suggest a deficiency either in the monitoring and reporting of incidents or in IT management itself.
Also, the Ponemon Institute discovered that those in more senior positions seemed to have the least knowledge of the threats posed to their business, which is again a concern as they are likely to be the decision makers who decide whether a particular threat should be a priority or not.
Interestingly, 31% of the individuals surveyed said that there was no particular person within their company with responsibility for making security decisions.
Another discovery was that SMBs struggle to assign a monetary value to information assets. If an organisation does not apply a cost to its assets, how can it determine their value and, hence, the appropriate level of security protection to apply to them?
The topic of mobile devices was of concern to the individuals surveyed, especially given the widespread adoption of BYOD which they reported. Many respondents said that, as a result, their organisations are planning to invest in technologies to reduce BYOD risks.
I was pleased to see that 51% of respondents did not equate regulatory compliance with a strong security position, given that remaining compliant shouldn’t be the goal but rather a by-product of good security.
So what can SMBs do to improve their knowledge of cyber threats?
Sophos recommends the following:
- Proactive monitoring, detection and reporting on threats to enable quick and incisive decision making
- The establishment of mobile and BYOD policies
- Where in-house security resources are limited, better planning and adoption of cloud technologies, consultants and easily managed resources can help to free up the organisation’s information security professionals
- Costing of information assets and downtime so that senior management can invest in cost effective solutions to protect them
- Working with the higher echelons of management within the business in such a way that they place a higher priority on cyber security
You can read the full Ponemon Institute report here.
Is it perhaps because some security product vendors are touting their offerings as the be-all and end-all of security products? Most senior managers believe that if you have AV then you’re covered.
It’s a mindset I struggled to convert when implementing a patch management process for 6000 computers that hadn’t been patched for over 4 years for a local government authority. Conficker soon changed their minds, as the AV client at the time decided to disable itself just at the right (or wrong) time. It wreaked havoc… the only saving grace was the firewalls between network segments blocking the malware from propagating to other remote sites.
Now they patch monthly, use host and network IDS/IPS, have implemented log consolidation, multi-factor authentication, strict firewall rules, blah, blah, blah… But then, PSN regulations expect it.
Problem is, there’s a large element of resource that’s required for monitoring and maintaining the technology involved. But then it depends on how much they value their data or their integrity.
Hopefully they fired their IT Manager.
Do you think this article will add fuel to the fire… if you’re a wanna-be hacker or cyber-attacker and you read this article… what might you be persuaded to do?… precisely…
I’ve done some work the last couple years at a couple small companies in southern California and their computers were a mess. Most had no anti-virus software on them. They had viruses on a couple computers. Small companies seem to have someone set their computers up and then that’s it. They don’t even want to spend money on anti-virus or anti-malware software. I guess it cuts into their profits too much.
And yet my small company (5 people with a desktop each plus a couple spare) all run updated AV and computers are fully patched. We don’t even have people in to install our machines, we can’t afford to have expensive maintenance contracts and have therefore kept up to date ourselves on how to keep safe.
We haven’t had any virus issues for years (since I insisted on AV for each machine) and only had one or two issues where people have been caught out by browser downloads which were more than likely human error than security failings.
It can be done but the will to do it has to be there.
It can be done, but most SMBs don’t seem to think it’s important. They have other things to deal with. It isn’t hard to do really. I guess if they get hacked and lose a lot of money they’ll come around when they have to deal with upset customers.
The survey reveals the awful truth that most people don’t even think about security until they have a catastrophe.
It’s not like good security practices are some kind of secret. It’s just not on most people’s radar. At all. A massive “public education program” might put a dent in it, but unless people are taught good security practices from the get-go, starting at an early age, there will never be anything like widespread security consciousness.
Consequently, the principal vector for security awareness is likely to remain The Bad Experience™, wherein folks learn about it the hard way. When that happens to enough people who talk about it, then maybe things will start to change.
Most companies have CXOs who are not-so-techno-savvy and are not aware how the security scenario has changed. They feel and think nobody is interested in their small company, whilst the cyber crooks are well aware it’s easier for them to target and compromise 10 small companies in a single day while they may not be able to get past the first level of security of big corporates. The poor knowledge and attitude is what has resulted in attacks in the past, and the trend seems to be increasing because SMBs have neither the technology nor the resources to tackle cyber crime.
You know, studies like this are sort of helpful by shedding light on the situation, but they’re not nearly as useful as helping IT people at SMBs get the tools they need to follow this advice.
* What methods exist for estimating the value of your company’s IP, downtime, or wasted resources?
* What monitoring tools are available if you can’t convince the company to pay for them? How do they compare to paid tools? How much time does it take to set up and use each tool?
* By what methods can you show senior management that “Only hire competent, honest people” is not a viable strategy? Or similarly, that extra security precautions don’t mean that IT hates people or is paranoid.
* How do you measure the security of cloud vendors, the competence of consultants, or show that you get monetary value out of either?
In most SMBs I’ve seen, you’re lucky to have a handful of people with a background in desktop support. And if one of those people has a personal interest in security, you’re even luckier. And if that person has enough free time to actually dedicate to saving the company from itself, you’re extraordinarily lucky or that poor person is about to get fired for “neglecting their duties” (or both). We’re having these problems because there’s no support (or money), no education, and no incentive to fix them. It’s great to quantitate the problem, but how about actionable ways to fix it?