Managing Security Risk as a SME
The InfoSec Consulting Series #19
By Jay Pope
It’s by no means the case that large organisations are the only ones at risk of cyber-attack. Increasingly, mid-market and smaller companies are being targeted too, precisely because they often have fewer resources to protect their systems. With the GDPR legislation giving regulators the power to levy significant fines on companies that fail to take good care of their data, businesses of all sizes need to take their cyber security seriously. The effects of a breach could be devastating not just in terms of fines but in damage to the reputation of the company.
SMEs are subject to many of the same types of attack as any other organisation. These include phishing to try to steal credentials and gain access to systems; ransomware to extort money; and, increasingly, coin miners that steal processing time to mine cryptocurrencies. Big companies are becoming better at protecting their data, although they can still be caught out, as evidenced by the British Airways breach. But greater levels of security at large organisations make less well protected medium-sized businesses a more tempting target for cyber criminals. A recent analysis and trends report by the National Center for the Middle Market in the US suggests that while many mid-sized businesses are keen to talk up the importance of cyber security, many of them have out-of-date strategies and a significant percentage don’t have cyber risk insurance to protect them against the effects of a breach.
Plan for The Worst
So, what can an SME do to protect itself and ensure it has the right security in place so that it doesn’t get caught out? The first step is to understand what information it holds and why, where and how it does so. This means conducting an audit of systems so that the business can understand its legal and compliance obligations. It’s also a good opportunity to identify any data that doesn’t need to be kept and to streamline the operation, reducing the risk surface by getting rid of it.
It’s also important that staff are made aware of the risks. Human beings are the weakest link in any organisation’s security, so they must be alert not just to phishing attacks but also to the dangers of shadow systems, unauthorised hardware or of losing flash drives or laptops. It’s worth reviewing access levels to ensure that staff have enough access to do their jobs but aren’t needlessly being given too much. Use of administrator accounts should be kept to a minimum. It’s also important that information security awareness applies across all levels of the business. Managers and executives are just as at risk – in fact maybe more so as sophisticated ‘spear phishing’ attacks often target these groups – and must be included in security training initiatives. Contractors and temps are a potential area of risk too. According to the Ponemon Institute, almost half of breaches can be traced back to negligent staff or third-party contractors.
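The access review described above is easier to repeat regularly if it is scripted. The following is an added example, not code from the article or its author: it runs a least-privilege review over a constructed account inventory (the kind of export a directory or HR system would give you), flagging administrator rights held outside an approved list, administrator rights held by contractors or temps, access beyond a role's baseline, and accounts that have not been used recently. The group names, role baselines, account records and the `domain-admins` label are all hypothetical.

```python
"""Least-privilege access review over a constructed account inventory.

Findings raised per account:
  unapproved-admin   admin group membership outside the approved-admin list
  third-party-admin  a contractor or temp holding admin rights
  excess-access:...  groups beyond the baseline for the account's role
  stale              no login within the review window (leaver/mover hygiene)
"""
from datetime import date

# Hypothetical group that confers administrator rights (constructed name).
ADMIN_GROUP = "domain-admins"

# Hypothetical baseline of groups each role genuinely needs (constructed).
ROLE_BASELINE = {
    "finance": {"erp", "email", "file-share"},
    "sales": {"crm", "email", "file-share"},
    "it": {"email", "file-share", "ticketing"},
}

# Accounts explicitly approved to hold admin rights (constructed).
APPROVED_ADMINS = {"asmith"}

# Constructed inventory rows; in practice this would come from a directory
# or HR export rather than being embedded in the script.
INVENTORY = [
    {"user": "asmith", "role": "it", "type": "employee",
     "groups": {"email", "file-share", "ticketing", ADMIN_GROUP},
     "last_login": date(2024, 5, 30)},
    {"user": "bjones", "role": "finance", "type": "employee",
     "groups": {"erp", "email", "file-share", ADMIN_GROUP},
     "last_login": date(2024, 6, 10)},
    {"user": "ctemp", "role": "sales", "type": "contractor",
     "groups": {"crm", "email", "file-share", ADMIN_GROUP},
     "last_login": date(2024, 6, 12)},
    {"user": "dlee", "role": "sales", "type": "employee",
     "groups": {"crm", "email", "file-share", "erp"},
     "last_login": date(2024, 1, 5)},
    {"user": "eroe", "role": "finance", "type": "employee",
     "groups": {"erp", "email", "file-share"},
     "last_login": date(2024, 6, 14)},
]

REVIEW_DATE = date(2024, 6, 15)  # constructed "today" so the run is repeatable


def review_account(acct, approved_admins, baseline, today, stale_days=90):
    """Return the list of findings for one account (empty list if clean)."""
    findings = []
    is_admin = ADMIN_GROUP in acct["groups"]

    # Admin rights must be explicitly approved, and never held by third parties.
    if is_admin and acct["user"] not in approved_admins:
        findings.append("unapproved-admin")
    if is_admin and acct["type"] != "employee":
        findings.append("third-party-admin")

    # Anything beyond the role's baseline (ignoring the admin group, already
    # handled above) is access the person may not need for their job.
    extra = acct["groups"] - baseline.get(acct["role"], set()) - {ADMIN_GROUP}
    if extra:
        findings.append("excess-access:" + ",".join(sorted(extra)))

    # Unused accounts are a common leftover from leavers and role changes.
    if (today - acct["last_login"]).days > stale_days:
        findings.append("stale")
    return findings


def review(inventory, approved_admins, baseline, today):
    """Map each account with at least one finding to its findings."""
    report = {}
    for acct in inventory:
        findings = review_account(acct, approved_admins, baseline, today)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in review(INVENTORY, APPROVED_ADMINS,
                                 ROLE_BASELINE, REVIEW_DATE).items():
        print(f"{user}: {', '.join(findings)}")
```

The output is a short list for a manager to act on, which is the point of the review: each finding maps to a concrete decision (approve or remove the admin right, trim the extra group, disable the unused account). Adjust `stale_days` and the baselines to the organisation's own policy.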
Without a large team to handle the process, it can be tempting for an SME to apply a one-size-fits-all approach to cyber security. However, certain types of data, including personal, customer and payment information or intellectual property, are of greater value to hackers, so guarding these should be the priority in setting the cyber security policy. It’s increasingly accepted that no business is immune from cyber-attacks and that it’s a matter of when rather than if you will suffer one. Making sure that your most precious data assets are properly protected is therefore vital. Cyber attackers often probe systems to find the weakest point before launching an attack. So, while protecting the perimeter is important, it’s also key to ensure that the ability to move around within the company network is controlled too.
To an SME a security breach can be devastating and may even threaten the existence of the business. It’s therefore important to have a plan in place to deal with a breach quickly, should one occur. More and more businesses of all sizes are now looking to insure against cyber threats too. While this is no substitute for proper protection, it can ensure that if you are unlucky enough to suffer a data breach, the effects are not as devastating.
In summary then, an SME needs to be aware of the security risks it faces. It needs to identify the information it holds and which parts of it are most at risk. It needs to be aware of its legal and regulatory obligations. It needs to ensure that its staff understand, and are trained to recognise, the risks. It’s crucial to protect the most sensitive data, and finally, it’s essential to have a plan in place to cope with a breach and contain its effects.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.