With a combined turnover of £1.8 trillion in the UK last year, small to medium-sized businesses (SMBs) act as the backbone of the British economy. They make up 99.9% of all private sector businesses and are home to many of the most innovative ideas for new or improved services and products.
Unfortunately, many SMBs, despite being at the forefront of innovation, are still falling down when it comes to cyber security, in part because many prioritise creating value around their core competency rather than bolstering their cyber security. As highlighted by Towergate Insurance, 97% of SMBs have neglected to prioritise online security improvement for future business growth. However, with new EU general data protection regulations coming into force soon, being negligent in this way is no longer an option SMBs can afford.
The challenge behind cyber security
Regardless of size, most businesses will have a firewall and an anti-virus program in place. Even with these, SMBs are unsurprisingly some of the most vulnerable to cyber attackers. For them, a breach could easily mean going out of business if their intellectual property is stolen or if they are discovered to have been a launching pad for attacks against a larger business partner.
SMBs face several challenges when looking to enhance their cyber security:
• A lack of dedicated cyber security staff
Naturally, the first key IT hires made by SMBs are not security specialists but those who “keep the lights on,” deal with password lock-outs, and provision and configure network services and company laptops. The security staffing challenge isn’t isolated to just SMBs. For the foreseeable future it will remain a prominent problem across all organisations. Michael Brown, CEO at Symantec, states, “the demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million.” Wages for top-notch cyber security analysts are increasing at a rate of over 7% each year. Realistically, SMBs will not be able to support this wage growth, meaning they will miss out on the best talent. Alternatively, they will have to nurture junior talent, a process that comes with its own challenges.
• The cost of cyber insurance
67% of small businesses are unaware of the availability of cyber insurance. In the UK the limit for data breach impact is only around 3 times that of the cover; for an SMB with a small policy this will likely not cover the loss of intellectual property and the loss of customer records, only the cost of system restoration.
• The vulnerability of supply chain security
Staying on top of just your own organisation’s security and technology is challenging enough. But tracking a third party “wildcard” from a security perspective is near-impossible, particularly for SMBs. Supply chain security, the vulnerabilities and the connections between businesses represent risks that major companies are focused on. This is a growing problem: last year there were reports of several big US companies suffering major breaches due to security compromises in smaller businesses they had relationships with.
Challenges such as these are not easy to tackle. Many SMBs are aware of the need to collect log data for later analysis by a consultant for legal compliance purposes; however, most simply don’t have threat intelligence data or security information and event management (SIEM) systems.
Additionally, cost will always be the prominent factor when it comes to staffing and insurance, something which is worth the budget but can’t always happen overnight. To begin tackling the bigger cyber security problems, SMBs need to seek out cost-effective systems which will allow them to protect their business and, by extension, their business relationships.
The unfortunate thing for SMBs is that a lot of cyber security companies primarily target their offerings at the Fortune 500, with the intention of shifting down the market to SMBs much later in their product life-cycle, and sometimes not at all. Despite this, there are still a myriad of ways that SMBs can focus on obtaining security products and services that automate breach detection and discovery, whilst also giving them the value of security analysis and infrastructure without the huge upfront and ongoing costs, such as threat intelligence reporting. Numerous SMBs understand the value of collecting logs for network and application troubleshooting and for regulatory compliance. Tools such as these allow SMBs to correlate the data they already have against a database of threat indicators on a weekly basis, and some of these even operate on a “freemium” model.
Moreover, it can only serve as a comfort to other larger businesses in the supply chain that small businesses employ these security controls. The service will feature the ability to share a small business’s security posture as a proof point for other larger businesses in the supply chain. Services such as these are gaps in the market that, once filled, should allow any company to use security as a differentiator when competing to supply services or goods as part of a larger supply chain, allowing them to focus on what they do best.
By Mark Seward, VP Security Solutions, Anomali