Why The Mid-Market Needs To Be Cyber Security Aware
For a moment let’s consider a notional mid-market company that designs and manufactures a key component that goes into a globally popular piece of consumer electronics. The company is a successful and growing business with plans for expansion and a new site that will create over a thousand new jobs. As the expansion plans are being executed, two members of the product R&D team simply walk out of their jobs with no notification, not even an email resignation, and are never heard from or seen again. These team members were not UK nationals, and their user account permissions gave them regular and frequent access to sensitive company information, including R&D data, assay reports, and component designs for the company’s next generation of products. This hypothetical situation typifies common trends in many of the investigations and follow-up improvement programmes that I have supported during my career so far.
“It won’t happen to us, and even if it did there’s nothing we could do about it.” “We’re not a target for hackers; our assets aren’t valuable enough.” “It would cost too much to properly protect ourselves.” Do these phrases sound familiar? The UK mid-market IS a target for hackers precisely because of attitudes like these. Reports in the press encourage us to think that only large enterprises are being hacked – that somehow we are at less risk because there’s less to steal. Sony had 100 terabytes of data stolen and had to pay $8m for the loss of employees’ personal data. TalkTalk was also fined for data breaches. Threat actors do not really care whether their target is a small or large enterprise, and they know that there are many mid-market businesses with very valuable assets.
In this article, I want to remind mid-market business leaders that cyber and information security awareness is just as relevant to their businesses as it is to global enterprises. We’ll take a brief look at some of the ways hackers can force entry into systems, then a closer look at which assets are of value to them and the risks and consequences for UK businesses. Finally, I’ll offer a few pointers to the areas we can address, with some low-cost ‘quick wins’. First, however, let’s look at why the UK mid-market is a target for cyber attacks.
Why Are UK Mid-Market Businesses Susceptible To Cyber Attacks?
The Sony hack took the thieves two months of copying files. As we know from cost-benefit analysis, if every hack took that much effort there would have to be some major loot to make stealing it worthwhile. Hacking doesn’t need to be so difficult if the company is easy to break into. In comparison to large corporations that operate expansive IT enterprises, mid-market companies tend to have less stringent password management, as well as a variety of user endpoints running various versions and operating systems full of bloatware and unnecessary applications, each with its own login. No wonder staff members have passwords written on a sticky note under their drawer. Many companies are still running computers with out-of-date operating systems or missing the latest security patches.
There is undoubtedly a cost to protecting assets. Economy of scale means large enterprises can have dedicated staff responsible for maintaining their IT. In my experience it is common for growing companies to still be employing a single ‘superhero’ IT person, whose responsibilities and working hours rapidly expand and overload as they struggle to cope with patching a multitude of equipment with varying build states and versions, addressing vulnerabilities, reviewing logs and audits, and dealing with account administration and security events. These are niche and distinct skill areas; it can take a lot of time to find good IT and security staff to manage all of them.
What Are The Risks & Consequences?
The largest risk to any business processing and storing personal data is a data breach. With GDPR now in force and the wave of consent emails to end users largely consigned to the waste bin, marketing teams are getting on with building and exploiting that personal data. The risk of a data breach is high if a hacker can break in by exploiting weak credential enforcement, gain access through an insecure public Wi-Fi network, or steal a device such as a laptop, tablet or smartphone. The consequences of a data breach can be three-fold. Firstly, there can be a financial impact from penalties such as GDPR fines. Secondly, there will be an impact on the reputation and growth of the company – a loss of trust by customers and partners. Thirdly, there is the time and capital expended in recovering from the incident. In addition, the hacker may make ransom demands and deny access to the data.
Mid-Market Cyber Awareness
If your company holds proprietary information, such as material designs, recipes, R&D, assays, evaluation and product test and performance data, or other high-value assets, intellectual property theft is a risk. Where technologists travel to prospects and customers, this IP may be present on a mobile device, such as a laptop. A favoured method of access is breaking into the device when it is connected to public Wi-Fi such as a hotel network or hotspot. Travelling to specific countries can also be risky: industrial espionage is a very real threat, and traditional tricks such as the ‘honey trap’ are still being used to great effect. What are the consequences of intellectual property theft? Making the IP visible to a competitor? Selling it to companies on the other side of the world, which make cheap replicas outside our jurisdiction? Do you really want to pay the R&D costs of a Far Eastern competitor? Rigorous personnel vetting processes will reduce your risk. Staff who travel abroad should also receive security awareness training before they travel.
Hackers can send out very genuine-looking emails requesting payment for goods and services. Good business practice should prevent these from succeeding, but on a busy day an email from a known supplier about a known order can trick accounts staff. The consequence of a rogue funds transfer is not just the money itself: if it exposes a flaw in procurement processes, it could be flagged up in audits. Regular security awareness training for your staff will reduce your risk.
The first step in assessing mid-market cyber security is to understand who is responsible, and for what. Executive accountability may state that the CFO is responsible, as the consequence is a financial loss and the book value of the time lost. However, most of the actions will probably fall on the IT department. User credentials and password management are often a weak point. Education is essential for all staff about strong passwords, changing passwords, and not using the same password everywhere, especially for sensitive systems. This applies to third-party staff too, if you allow them access to your systems: contractors, IT support and business partners may all have some level of access. There are good technical solutions to password management as well. Single sign-on means that staff don’t need to remember many passwords, and it should enforce password ageing and strength. Risk-based identity and access management solutions are also a good approach. Hackers break into computers by exploiting known vulnerabilities. Operating system vendors such as Microsoft and Apple issue regular security updates, protecting devices from being hacked. It’s vital that IT processes can roll out security updates in a timely manner. Legacy equipment that is no longer supported should be sanitised, retired, and disposed of securely.
It’s not acceptable for an executive board and its business owners to underrate the risk of mid-market cyber crime or breaches of information security. It’s as real a crime as the company premises being broken into, and the risks are potentially far higher. The executive board must define and own its business cyber priorities.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.