Cyber for SMEs - making security affordable and accessible
Guest blog by Nic Miller vCISO at Aedile; Sympatico's partner at our forthcoming data breach and cyber incident planning Masterclasses.
In 2018, cyber security isn't just for large enterprises. Companies of all sizes, from coffee shops and startups to banks and charities, need to be suitably protected when it comes to cyber security.
What are the threats to small businesses?
The last 18 months have seen a flurry of reporting around cyber attacks, but this reporting can be flawed for several reasons. Cyber attacks are all reported as highly sophisticated and highly targeted, the implication being that it is impossible to adequately prepare and that cyber security begins with spending large amounts of money.
It is important to understand some basic principles of cyber attacks:
- The majority of cyber attacks are neither sophisticated nor targeted
- These attacks are relatively simple to defend against
- The majority of these defences are essentially free (no upfront cost)
Critically, don't assume everyone is getting security right. A lot of large companies are attempting to secure legacy technology estates, unable or unwilling to commit to large scale structural reforms that are necessary to actually secure those environments. In this instance, size is definitely not an advantage.
Businesses of all sizes need to be concerned about basic cyber attacks, but all of them are capable of putting in place the necessary protections against these.
Let's compare cyber security to flood defence. Say you are building a house near the sea; then these basic, untargeted cyber attacks are like the tides. If you fail to account for them, your house will be swept away; but they are relatively predictable and, with a little preparation, easily manageable. Building and maintaining basic flood defences will keep you dry. Whilst the possibility of an unexpected storm cannot be completely discounted, you can be confident that you are well protected for most day to day events.
More sophisticated cyber threats do exist, but they do not fall equally. A retail startup that collects and stores credit card data is more likely to see a sophisticated hacking attempt than a large company focusing on B2B sales. Why? For the simple reason that there is more chance of immediate profit for the attacker.
More sophisticated cyber attacks are typically conducted for financial gain, looking to obtain data that can be used to commit financial fraud or theft. Akin to building your house on a floodplain, if your business holds any of this data, it is significantly more at risk of being subjected to targeted attacks. This type of data includes:
- Personal data (can be sold & used to commit tax fraud, identity theft etc)
- Bank account data / credentials (financial theft)
- Credit card data (can be sold & used to conduct fraudulent transactions)
- Crypto-currency holdings (heavily targeted & unrecoverable once lost)
A minority of companies need to be concerned about attacks from state backed actors, which would be more akin to attempting to defend against tsunamis. Whilst they cannot be prevented from occurring, if you know you are at risk then with adequate preparation, training and planning their damage can be greatly limited. Here the majority of the threat would principally come from Chinese groups conducting intellectual property theft. Any hi-tech startups in targeted sectors (for example energy) may discover that they quickly have a Chinese competitor on their hands. After China's energy pivot began around 2015, there are clear examples of Chinese groups stealing data from US based solar manufacturers, data that ends up in the hands of domestic companies producing the same technology much cheaper.
Staying adequately protected
Plan Ahead - who is in charge?
There are too many companies whose first discussion on cyber is only after they have discovered a major breach has occurred.
All firms should recognise perfect security is impossible, and plan accordingly to build appropriate and proportionate defences against attack. These defences are not just technical in nature, they correspond as much to the organisational management and governance of the organisation as they do its IT assets.
All firms should have a senior executive who is responsible for the firm's cyber security efforts. Whilst there is a natural tendency to assign this role to an IT Director or another person with technical responsibility, this is not always the correct decision and may at times create conflicting responsibilities.
It is critical that a firm wide approach to cyber security is agreed. This way it is not just technical issues that are considered in scope. Everything from what remote access you give to staff and how you verify their identity, through to ensuring that financial transactions are properly approved and not at risk of abuse or fraud should be considered in the context of the firm's resilience to cyber attacks.
Understand the firm's risks - how high does your flood defence need to be?
Proportionate security comes from understanding what level of risk is acceptable to the business. If the firm is more likely to be subject to sophisticated or targeted attacks (our proverbial floodplain), then implementing only the basic defences still leaves you at significant risk. If this is unacceptable to the firm, then its security strategy needs to be implemented to a higher degree.
Agreeing and promoting what constitutes the basic or critical steps around cyber security is still a basic failing of the cyber security industry. It is all too common to see long lists of hundreds of controls that are all considered "essential" and that firms of all sizes are seemingly required to implement, with apparent disregard for how unachievable this is, especially for smaller firms.
There are some good resources, however, that companies can use: two come from the UK and Australian Governments, and another from CIS/SANS, a well known internet security organisation.
- Australian Government “Top 35” Controls (initially focus on the "Essential 8" subset)
- UK Government NCSC "Reducing the Impact"
- SANS and CIS “Top 20” Controls
If you outsource IT management to a third party, it's important to ensure that they are still implementing these basic security controls into your network.
Resilience & Testing - the calm before the storm
Regardless of whether your controls are managed internally or by a contracted third party, it's important to get them tested.
Penetration testing is a poorly utilised capability, especially in regulated industries where its being an annual requirement has in some cases fostered a "tick box" compliance attitude to conducting tests. This in turn has led some firms into a race to the bottom of providing low quality, high volume testing.
Instead, look at penetration testing as a test that your current controls are implemented correctly. Discuss with your tester your current security posture and work together to design a test that gives you the answers you need, without unnecessarily paying to test controls you haven't implemented. For example, if you are not attempting to protect against sophisticated or targeted attacks and have only implemented the critical controls (eg: the ASD "Essential 8" listed above), then paying a penetration testing company to conduct a targeted attack is a waste of money. You're paying someone thousands of pounds to test controls you know you don't have in place. If you want to use the test results to plan your strategy, then there are better, free guides for doing this, referring again to the three resources mentioned earlier.
If you've only implemented basic cyber security controls and are considering paying a penetration testing company to conduct a sophisticated, targeted attack on your network, I'll save you the money. They get in.
For basic technology controls, the penetration tester can act as an independent third party check on either in-house or contracted IT resources. But there are more controls that can still be tested that aren't all based in technology.
Phishing testing has become one of the hot new 'must haves' of the last few years. However, most phishing testing simply checks employees' susceptibility to clicking links or to identifying malicious attachments. Whilst there is value in doing this (when combined with suitable training and a no-blame culture of reporting), it's only testing one of many layers of controls.
Consider other scenarios where email can be used to facilitate fraud, such as theft of customer data or malicious financial transactions. Instead of just sending generic phishing emails, consider testing your controls against a fraudulent payment being made against a fake invoice, or against an email pretending to be from a Director/CEO requesting an immediate transfer of funds. These sorts of tests will provide much greater assurance that you have appropriate security controls in place.
In summary, it's critically important that all firms consider their cyber security protections, but for a large number of small businesses the goal of having "enough" security is both easily achievable and affordable.
With an increasing number of businesses using the cloud and other third party hosted services, the types of threats firms must deal with are evolving and the strategies that must be taken to counter these will similarly shift over time.
This article is by Nic Miller of Aedile and first appeared on LinkedIn.