Why 2020 could be a bad cybersecurity year for SME’s

SME’s are a prime target for cybercrime.

They have reduced expertise, minimal money, and an attitude, we are too small to be a target, that leaves them wide open to a cyber event.

Our industry, the people who know and think we understand the bad guys have been pushing for an attitude change for the last 10 years. In a large number of ways, we have failed, especially in the SME space.

In some, we have failed significantly.

By the time we get called in, after a cyber event, it is way too late.

To late to recover, too late to respond and definitely too late, in a number of organisations, to get back to business as normal.

Most SMEs, after a cyber event and especially after a ransomware attack, have but 3 choices,

  • pay the ransom,
  • recover from backup and hope you have a decent backup (a decent, tested backup is vital, no matter the situation)
  • or go out of business.

Here are 3 cybersecurity strategies that every SME should implement to be more secure and avoid that devastating cyber event.

Training users

Increased awareness of business security in a workplace is vital in today’s business world.

Not many businesses know where to go to get that training.

Training needs to be done as an ongoing process.

Once or twice a year is inadequate. But training and education has to be easy, bite-size pieces, easily digested, easily implemented and easily followed.

In addition to ongoing training, you also need to incorporate business security into your onboarding process to instill the required cultural elements into new people on staff.

Want some free cybersecurity training, here is something that will definitely help
https://wizer-training.com/partner/caremit

Risk management and gap analysis

SME’s have a limited understanding of the new risks delivered to the business via our digital components.

The game has changed significantly in the last 10 years and we, as small and medium businesses, are constantly playing catch-up.

We are significantly hampered and handicapped by the impact and scale of our digital usage.

It is everywhere, used in every component and used all of the time.

To understand the risks without understanding the systems you need some help.

Here is some help for you.
Https://CareMIT.scoreapp.com

With the report, you can now implement a gap analysis and work out what you need to do to increase security around your organisation.

The report also ties in well with:

Implemented a framework

If you are looking for a better way to manage security within your Organisation, you need to look no further than a framework.

A framework is a documented system that allows an organisation to follow the bouncing ball and tighten up the security in a regimented way.

The more the components of the framework are implemented the more secure and mature the organisation.

Frameworks are easy to follow and implement and the one I recommend is the National Institute of Standards and Technology (NIST) cybersecurity framework.
https://www.nist.gov/cyberframework

Answer the 98 questions, honestly, and you now have a road map to implement cybersecurity in a significant way.

The NIST cybersecurity framework also gives you a number.

Between 0 – 4, it can be used as a comparison between businesses, supply chain components, and government departments so you can do business with like-minded organisations.

What can SME’s do?

It is not too late to implement any of these strategies. The bad guys are getting more and more clever, so time is running out.

They are targeting everyone who is connected to the digital world, the internet, with more sophisticated systems, a number of them are now fully automated.

Some of those automated systems have minimal human involvement after the initial set up.

From initial social engineering attack, all the way through to payment of ransom everything is automated and driven by machine learning.

Every SME should be implementing a training and education process, doing a risk and gap analysis and implementing a cybersecurity and business security framework.

With that everything else will follow.

The business will be more stable, the culture of the organisation will change and getting back to business as normal after an attack can be significantly easier.

The impact of a cyber event for an organisation implementing these 3 components or not is significant.

If you haven’t implemented these 3 strategies in the last 12 months, 2 years or 5 years then 2020 is going to be a bad year.

But it’s not too late.

How do we manage the risk of digital in todays business world?

10 years ago, cyber was not thought of as a risk to the business.   It was just a way to do business that was faster and less expensive.

5 years ago we started to think, in very rudimentary terms, that cyber was a small risk but we knew nothing about it so we will pass it to the ICT department for them to manage.

We did this because the perception of digital risk was purely associated with the ICT of the organisation.

Since 2014 and the Target hack, C level execs, boardroom members, owners, and managers, realized that digital risk was bigger than they expected and the departments that they had relied on to secure their organisations were not, in fact, doing the job to the expected level.

Definitely not their fault, there were a couple of reasons for this, the first being that they relied on people who were more focused on keeping the lights on, making the technology work, than securing the environments.

The other was whenever they, the ICT department / managed service provider tried to secure the business environment, and they would have done regularly, they were fighting culture, fiscal and attitude issues that just made it too hard to make the business environment safe.

In this environment most ICT departments / managed service providers resorted to a number of basic strategies.   Let’s get a decent firewall, let’s get a decent AV and let’s make sure that updates are applied.   This is close to 10% of the requirements to secure an organisation.

Digital and cyber risks are now the number one or two risk factors on management minds in today’s business world.

They still do not know how to manage it.

The hardest part is visualization.   How do those risks manifest themselves within the organisation?

No matter the size, the number of people you employ or the amount of money/revenue you make, digital risk can bring your organisation down in some cases literally overnight.   In fact, at the speed of Cyber!

Business management still thinks that ICT departments and managed service companies are the answer.

They are not!

Business security is a whole of business issue with a mantra that cybersecurity is everyone’s problem.   You need a team that crosses all of the lines of communication, from management to coal face.

You need people who understand the bad guys and can attack your system with the same capabilities and vigorous intention, but without the damage.

They need to approach the problem with the same intensity as the bad guys so that vulnerabilities can be exposed and removed, exploit can be counteracted and restricting a breach by monitoring the attack surface.

This will, in the end, make your environment more secure and stable.

You need someone with the right methodology, an understanding that technology is only part of the solution, and the ability to approach the huge problem in a manageable way.

It is only manageable when you address the areas apart from technology.

The Insider Threat

We have all heard about how the insider can wreak havoc on your business. Yet, business owners and other staff don’t understand how much actual damage they can do.

From a Business Security perspective we’ve definitely experienced people in the workplace who:

  • are self-important
  • always in a hurry
  • not focused on the business at hand.

These Insiders can also have a detrimental impact on business security.

Here are 7 types of Insider Threats who make the insider threat real to any organisation.

1. Convenience seekers – bypass protocol, too hard, too busy

We have all seen them in business.   They jump here and there and start a huge number of jobs but never finish them, or finish them haphazardly.

They are more interested in their own work, not in keeping the company safe. Passwords, Updates and scans are usually bypassed. When something goes wrong, it is never their fault. Clicking on an email link without using commonsense is a primary example.

They are the first to complain about the time it takes IT support to remove a virus. By bypassing the organisation’s Cybersecurity, they put the whole organisation in danger.

Solution – get them to slow down, their job is no more important than anyone else’s.

2. The accidental victim – makes mistakes, doesn’t think

These are the people who are too timid at work. They fear making mistakes, but, by fearing reprisals and keeping quiet, they are the victim. The company suffers as well.

The accidental victim is either an older employee, or a new starter. They are very noticeable in not for profit organisations.

Solution – Provide education and training in the use of computers. Explain what’s expected in their role within the organisation.

3. They know everything – oversharing

This person is very good at big-noting themselves. They use their knowledge of the organisation to place themselves in avoidable situations. They overshare critical and confidential information in email. They don’t think about the consequences of sharing on social media and also in meetings.

Solution – separation of information,  restrict access to the information within the organisation.

4. Untouchables – it will not happen to me

We get these type of people in all types of business.  They are the second cousin to number 1.  I am not a target of cybercrime, it will never happen to me because I have nothing worth stealing.

With technology changes over the years, a bored 14 year old can be the attacker. Access to the internet is their tool. Every internet user or business is a target. Anyone can be attacked and everyone needs to take the necessary precautions.

.Solution – providing education and training.

 5. Entitled ones – access to everything because they ‘want to know’

The Entitled employee is one of the most dangerous non-malicious insider. Their laptops or tablets have the organisations secrets and use free wifi in cafes. They have no business reason to keep all that critical information, but they have to have it.

This means that there is a greater risk of the company information either stolen or attacked.

Solution – need to know.  Stop allowing access to data by staff who don’t need it. Segregate it into public, commercial in confidence and critical.   If someone does not need the information then deny access to it.

6. Traitors – malicious insiders

Previous to this one, the insiders have been the result of stupid behaviors. The Malicious Insider is a malicious person. Their focus is on them. For whatever reason, they might intend to leave, have a grudge against the company or an employee. They won’t hesitate to go to your competition with all your corporate data.

Solution – at the first whiff of someone leaving walk them out the door. Don’t keep a bad apple in the basket. 

7. The secret insiders – the bad guys, in the first stages of an attack

These are the true bad guys, the ones you should be protecting your organisation against.  They may have infiltrated your organisation via one of the other insiders, and are now able to do damage. They could have become an insider through social media, email or web based attack. The secret insider isn’t an employee. They are not answering to your policies and procedures. They will damage your organisation, because you don’t have protections.

Solution – increase awareness, do a penetration test and review the report, then do it all again. Regularly.

These Insider Threats are the ones we have come across.   Some can be a combination of one, two or three traits.  The best way to protect yourself from the insider is to pay attention to your staff and your management.

The best way to find out what your organisation needs to do to be safe is to:

1. Use the CareMIT Digital Diagnostic Tool

2. Come to one of our regular quarterly “Security Board Meetings