The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security breach.  For the small business this could result in costs of around £1400, for the medium business, considerably more.  One has just been hit for around £30000, which I am sure you will agree, can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers data and assets be affected as well.

As we travel around and visits clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need which tends to involve firewalls, anti-malware software and perhaps a back up regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

So what does he mean?

As he’s not here to ask I suggest that he’s saying that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are in order to ensure that your solution to those risks, vulnerabilities and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

What is the risk? How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it goes not as expected?  Do I want to take this person on?  Etc etc etc.  Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take. Failure to do that will almost certainly be damaging to your business, perhaps fatally so. 

Within SMEs the difference between assessing day to day business risk and assessing risk to information assets, is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations.  I could go on.

The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate in order to achieve your business aims.   You need to ensure that supporting policies are produced, implemented, understood by employees and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.

Sadly that’s not the end.  User education is probably the most important element of all for an SME.  Ensuring that your staff are aware of the policies and why they exist.  Protect yourself against scams which sadly, form the biggest danger to SMEs rather than hacks.  Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.

There’s a lot being said in various quarters about the Internet of Things (IOT) but whenever it comes up in conversation with senior people in the SME world, even those businesses that are definitely in the Medium bracket, with 25m upwards turnover,  it raises a titter or two.

Why would that be?  All the usual light hearted comments about being hacked by your kettle, or held to ransom by your toaster, come out in the conversation.  And I suppose, there can be some amusement to be had.   But there is a serious side to this.   The graphic below, which I have unashamedly stolen from The Joy of Tech, whilst lighthearted, gives clues to potential disasters.

Whilst we are some way away from having smart appliances in most SME work places that could be used jump onto the more serious elements of a network, we are already at a place where some functions, perceived as routine, even mundane, can already be used to jump onto other network devices.  For instance, most have security cameras and alarm systems.  Many of these are IP based and are connected via the LAN.  OK, but many also are remotely maintained by a variety of suppliers.  I have found it not uncommon for these suppliers to arrange for their own backdoor into the system to maintain these systems, often without the client actually knowing how that is done.  This provides a very neat circuit around the router and firewall and, when most SME networks are flat, access onward to all parts of the network.

This of course is not the only example but it shows how poor security architecture, often times by local network providers, can have a quite seriously detrimental effect.  So what I am saying is that as many more devices become ‘smart’ and interconnected via the LAN, security architecture becomes just as important for the SME as it does for the larger enterprise.  The problem is that the awareness and support within the SME community and their suppliers, tends to be lacking.