vol 8, issue 6

Cyber security - small firms now in the firing line

17 June 2013
By James Hayes and Aasha Bodhani
Share |
A shop assistant with a gun sight graphic targeting him

Cyber attackers have SMEs increasingly in their sights

Two men in despair and shock as they look at a computer screen

SMEs may be surprised to find that data assets on their IT systems hold value for cyber thieves

Small businesses need to upgrade their awareness of - and abilities in - cyber security if they are to avoid becoming the 'soft underbelly' of the UK's fights against hackers and cyber threats.

Media Reports about IT security breaches resulting in data loss and other compromises to corporate data integrity usually only make headline news when big name brands are hit. Resultant concerns about reputational damage have spurred many medium-to-large enterprises (MLEs) into reviewing their cyber-security strategies and redoubling their efforts to ensure that their ICT is properly protected - or at least as protected as possible within the context of their risk assessments and IT budgets. Because of their size a lot of the damage can over time be 'managed'.

For small-to-medium enterprises (SMEs), meanwhile, to assume that the scale of threat and risk are of a radically different magnitude, or to think that hackers, cyber-criminals and other malevolent online agents are only interested in going after larger players, is a mistake. Recent market evidence indicates that SMEs are being increasingly targeted by online threats, both because they are perceived as being innately more vulnerable, and because new cyber criminals entering the online fray are keener to find the opportunities afforded by these 'soft' targets.

"Too often SMEs plan their IT security under the misconception that their networks and data are already pretty safe because they don't have anything that would interest cyber attackers," says Corey Nachreiner, director of security strategy at WatchGuard.

Disproportionate riches

The 'Black Hat' intelligentsia are wise to the fact that start-up SMEs often have data assets of a value disproportionate to their company size on their systems. A high-tech start-up, for example, might have leading-edge intellectual property being developed as the basis of a relationship with a much larger development partner, or even a small third-party provider of specialist marketing services could have access to customer record databases for a sales campaign.

Elsewhere on the SME scale there are established businesses such as second-tier retailer chains that find themselves having to process sets of transactional data from credit and debit card payments, but are acutely financially constrained in respect of protecting that data.

These additional pressures come at a time when SMEs are being urged to play a greater part in UK economic recovery through renewed grassroots growth and entrepreneurship, plus partnerships with established market leaders, and use of initiatives such as the government's G -Cloud programme to ensure that SMEs can now be included in public sector procurement.

Such opportunities can be very exciting, but also very daunting. For an SME with limited IT management resources the escalating levels of cyber-security management can prove exhausting. "Is cyber security management becoming a generally more complex requirement? Yes, it is, for organisations of all sizes," says Bob Tarzey, director at market analyst Quocirca. "You need not just point security - like anti-virus and firewalls - but context-aware security to make sense of targeted attacks."

It is this opening up that is also putting SMEs more in the sights of the cyber-criminals and other nefarious online actors. Tarzey adds that SMEs are too often the 'soft underbelly' of cross- organisational business processes.

Most vertical sectors have now been singled-out for hack attacks, from fast-food point-of-sale terminals to the online gaming community. More obvious targets are financial services and retail. IT solutions company Verizon Enterprise exposed a breakdown of industries victimised by network intrusions in its report '2013 Data Breach Investigations'. It revealed that 37 per cent of breaches affected financial organisations, 24 per cent of breaches occurred in retail and restaurant environments, 20 per cent of intrusions involved manufacturing, transportation and utilities and 20 per cent of breaches hit information and professional services firms. However, the latest trends have seen manufacturing, health, and intellectual property verticals become more targeted.

Types of attack

There are two main classes of attack: automated opportunistic attacks, where a wide net is cast using mass emails or automated network attacks where everyone is the target; and those that specifically target a single organisation or group of organisations, such as a group of companies in the same vertical sector. These usually consist of 'spear-phishing' emails to lure victims to a malware site.

"SMEs have been victims of the first type of attack for years - whether they know it or not," WatchGuard's Corey Nachreiner adds. "Bot herders use automated techniques to try to 'zombify' as many Internet connected victims as possible and often end up infecting hundreds of small businesses this way. They then use these bot-infected SME machines as a stepping stone to gain control of the network and its sensitive, valuable, data."

Where MLEs and SMEs have business relationships, cyber criminals know that there is a chance that smaller partners could be a weak link in a series of business arrangements and information exchanges that might stretch across several different entities, says Ryan Rubin, MD of risk and regulation management firm Protiviti. "They can come by this intelligence through a variety of means - some of it deliberately placed into the public domain, such as a standard press release, say. A small manufacturer wins a contract to supply components to a large electronics manufacturer: it's natural to want to let the market at large know that it's been successful." Cyber criminals are also looking for those kinds of announcements such as website banner swaps, which they can use as 'leads' for future targeted attacks.

According to the 2013 Information Security Breaches Survey, sponsored by the UK Department of Business, Innovation and Skills (BIS), launched at Infosecurity Europe 2013, 87 per cent of respondents across all sectors experienced at least one breach in the previous year - an increase of more than 10'per cent on the 2012 survey. Furthermore, the cost to SMEs so affected could be equal to 6 per cent of their turnover, the survey says. For one operating on the narrowest of margins even such a comparatively low-level incursion could result in business closure.

There have been several attempts at estimating the overall annual financial impact of cybercrime on the UK economy as a whole. A 2011 Cabinet Office report reckons around '27bn; others, such as the 2012 Norton Cybercrime Report set the costs much lower ('1.8bn). The Federation of Small Businesses claims the costs to its members is '785m - that's around '4,000 per victim; but there is still ambiguity in the fine detail, and the headline figures do not always discriminate between different impact vectors, i.e. whether the losses are due to stolen or devalued assets, lost productivity, and/or reputational damage. Whatever figure you favour, it is having a destabilising effect on national finances.

Although the BIS survey suggests that the situation might be remediated to an extent for SMEs by more investment in technological solutions, establishing cyber security skills is of equal importance says Nachreiner: "IT security products are becoming more commoditised than they used to be, which is good insofar as there are more security products going into end-user organisations," he says. "However, some of these complex products require quite a fair degree of expertise to set up, are not being configured as well as they should be because IT staff do not possess the right skills or understanding of the product's capabilities."

Availability of IT skills has long been an issue for all European markets that rely on ICT for commercial stability and expansion, and a lack of information security-specific skills is an even more acute problem when cyber-crime is undermining already weakened national economies. Experienced and knowledgeable security practitioners tend to pursue career opportunities with large end-user organisations, or inside the security solutions industry itself, where the rewards are high, rather than take a position with an SME.The end result of this significant lack of information security skills among the UK's IT workforce is hampering the fight against cyber criminals, according to the IET Cyber Security Skills Survey released in May 2013.

"SMEs sometimes do not realise that getting cyber security right isn't just about protecting themselves, it's about taking responsibility for protecting a supply chain which they might be a part of," explains IET cyber security expert Hugh Boyes. "A small manufacturer of automotive components, say, might be supplying a part of a car. If as a result of getting hacked some fraudster gains access to their part blueprints or inside knowledge of their distribution channels, they could easily start introducing sub-standard or defective counterfeit parts onto the global market that cause massive problems if they do end-up installed in production vehicles."

The mobile threat

The onset of the mobile enterprise, where out-and-about workforces are using portable computing devices as their primary productivity tools, is an important change to IT strategy evolution, and one that is posing challenges for organisations of all sizes. For SMEs, the mobile model might appear as something of a saviour, creating the possibility of new ventures where the staff are equipped with portable devices like netbooks, tablet PCs, and/or smartphones. Connecting these via 3G/4G mobile networks, or private/public Wi-Fi to company resources stored in a managed cloud service, looks to be an attractive IT provisioning model: it brings down capital expenditure; but there are untested risks. At least when your data is sitting on owned servers there is less chance of losing access to it should your cloud provider go down.

At the same time adopting a mobile model does not mean that traditional security challenges are left behind, says Protiviti's Ryan Rubin. Indeed, in some respect mobile is proving less secure - and just as complex - as the old static model.

Partly the new complexity is arising from the extended connectivity. As enterprise mobility is transforming the way we work, it transforms how enterprise security must be practiced. Users operating outside of the premises security perimeter brings flexibility compared with older IT models, but it can also provide extra opportunities for cyber attacks. Mobility models are not necessarily the issue, adds Richard Wilding, cyber security director at BAE Systems Detica, "Users may now use multiple mobile devices for work purposes - sometimes across public networks where security is beyond the IT department's control".

Large enterprises - and a lot of medium-sized ones - are accustomed to the routine of product refresh cycles, where hardware and software is upgraded after a specified period - typically three to five years. Although in some instances this cycle is being extended, few enterprises are looking at running 10-year-old PCs for critical applications, or hanging back with outdated versions of operating systems because of worries about the expenditure involved in an upgrade.

With SMEs such as a small retail distributor, say, where cashflow is everything in a market where income and outgoings are misaligned, mustering the necessary capital to expend on new IT equipment is a decision that's easily put off.

Therefore it seems sensible for some SMEs to sweat their assets for as long as possible, so long as the technology is performing the critical applications within reasonable margins of acceptability. Again, they will be unaware that cyber criminals are specifically targeting attacks to exploit last-generation security hardware and software.

"Criminals have their own copies of business-application software which they pull apart to find weaknesses in," Protiviti's Ryan Rubin points out. "SMEs often don't realise that what was secure five years ago may have been made vulnerable by new tools that cyber criminals have at their disposal."

The same lesson applies to how often SMEs review their security policies and procedures, warns Detica's Richard Wilding: "It's not just the front-line products that should be refreshed. The underlying mechanisms also have to be re-appraised - both technological and operational."

Another area where SMEs are prone to laying themselves open to infiltration is their propensity to use social media for corporate activities such as recruitment. Faced with the prospect of paying recruiters fees or advertisement costs, SMEs might first try to hire staff through social media websites, thus creating an opportunity for targeted cyber attackers to elicit information that could inform a phishing attack on other staff.

The cyber security profession has now become multi-faceted to the point where practitioners have to possess an updated understanding of core applications, multiple operating systems, and communications protocols, and not just of anti-virus software, firewalls, and webserver protection. On this point SMEs and MLEs face the same challenges. One deciding factor could be that of basic recognition: the IET's Cyber Security Skills Survey of 250 SMEs found that while the risks of online threats such as hack attacks and malware are gaining more recognition, they are only a 'high priority' to a minority of the organisations polled. There is also a need to raise both awareness of, and the protection of, software that may be embedded in their own products.

Only 14 per cent felt that cyber security threats were the highest priority, and already believed that they had sufficient skills and resources in place to manage the threat; and only 30 per cent of all respondents said that they had "sufficient protection against potential threats" to the software embedded in their products.

"Increasing threats to ICT systems and new vulnerabilities emerge daily," says the IET's Hugh Boyes. "The issue with SMEs is that they may believe that they have to reach a certain size before they become a target and need to recruit a specialist for any given IT role. With cyber security they really cannot afford to delay - SMEs are increasingly going to be a target of choice for those trying to compromise larger organisations."

The IET survey also found that only 50 per cent of respondent SMEs were aware of the UK Government's Cyber Security Strategy, the primary objective of which is to make the UK 'one of the most secure places in the world to do business in cyberspace'. It is through such schemes that SMEs can become aware of government support packages designed to help. The Technology Strategy Board, for example, has extended its Innovation Vouchers scheme to allow SMEs to bid for up to '5,000 (from a '500,000 fund) to improve their cyber security with the support of third-party expertise. And interviewees to the NAO's 2013 cross- government 'Cyber-Security Strategy Landscape Review' also backed the notion that larger businesses could provide help and guidance to SMEs, especially where a commercial relationship already exists.

Further information

Share |

Cyber defence competences deficit: Addressing security skills gap 'more daunting than industry realises'

"Wholly inadequate": the words former UK security minister Baroness Pauline Neville-Jones used to describe the cyber security skills available to UK businesses to counter the growing range of cyber threats. Lecturing at the Global Strategy Forum in February 2012, Neville-Jones criticised the degrees of security awareness within the UK commercial sector, and she called for better educational resources to prepare students for a career in information security.

The Baroness's warnings are timely. Cyber-crime has reached a new level of sophistication and intelligence to which the UK is failing to respond to due to a shortfall in cyber-skills. Analyst Frost & Sullivan however, estimated the number of information security professionals worldwide in 2010 was approximately 2.28 million, and this figure is expected to increase to 4.24 million by 2015, according to its '2011 (ISC)2 Global Information Security Workforce Study'. Though there is a significant rise, the National Audit Office (NAO) say there is still a definite IT skills gap which will take 20 years to close and leave the UK 'risk-free'.

Unchallenged, hackers have the ability to control or bring-down ICT systems belonging to public and private sectors, organisations and individuals. Their strategies are not random: high value sectors are frequently targeted alongside more random strikes. Newly refined attacks have meant industries such as the automotive, manufacturing and health have now become victims to cyber-crime too.

From an international perspective, James Lyne, director of technology strategy at security firm Sophos claims that the UK is lagging behind. "When you compare the rate at which talent is generated in the UK compared to the US and China you can see we should be concerned," he warns. "IT and related services are growing to be a supporting pillar of our economy and without the right talent this is not just a matter of security risk, but a fundamental inhibitor of growth of the UK."

Further concern stems from the fact that the technology market is rapidly transforming with innovations like mobile working and contactless payment systems adding to the range of potential attack 'vectors'. As a result the NAO has revealed the cost of cybercrime in the UK is reportedly estimated to be between £18bn and £27bn a year, with smaller businesses still playing catch-up, including many SMEs.

According to analyst Frost & Sullivan's '2013 (ISC)2 Global Information Security Workforce Study', 56 per cent of chief information security officers said the lack of equipped staff is the top concern, with hacktivism at 43 per cent and cyber-terrorism at 44 per cent. "If you look at the threat of cyber today, it's a market that is relatively new," says Jason Steer, product manager at threat protection firm FireEye, "and as a result there are many skilled IT specialists but their skills don't fit this next generation of security architecture."

Steer warns the lack of skilled workers could hamper businesses reputations: "Companies need to be more realistic and not think 'if we become a target', but 'when we become a target' and 'what we can do to be ahead of the problem and not part of the media headlines', because this instantly impacts shareholder value and customer attitudes." Squeezed IT budgets in a constrained economy mean that many companies struggle to train-up existing IT staff to become more security-savvy. Worries about that fact that once security-trained IT staff will be more likely to move to another employer is another inhibitor.

IT recruitment firm Modis International surveyed 250 senior IT experts from UK businesses, and its 'IT Market Report 2011' revealed 36 per cent of companies are struggling to implement IT strategies due to concerns over staff capabilities and the on-going budget restrictions are again hampering their ability to address the skills shortfall.

Cyber ethics is another issue contributing to the shortfall of cyber-skills; businesses still have to build a relationship of trust. "Experience, ethics and background are all issues," says Kurt Hagerman, director of information security at cloud hosting company FireHost. "Companies, of course need people with the right skillset, but they also need techies who they can trust and reply upon to hold themselves to high ethical standards."

According to Hagermann, some IT cyber-specialists with the requisite skills "have come from the hacking side, and so companies need to be comfortable that they can be trusted".

If the lack of cyber-security skills is not addressed soon Hagerman believes that SME's will feel the impact, this is typically the case as these businesses are perceived for their lack of security awareness and implementation of IT security technology. In the Department for Business Innovation & Skills '2013 Information Security Breaches Survey' found 87 per cent of small businesses across all sectors experienced a breach in the last year.

FireEye's Jason Steer adds: "Smaller organisations who cannot compete in terms of salary and benefits will suffer, as companies who are seen as prestigious will continue to attract the best talent." Though jumping from graduate level to a junior position is challenging: "When you review the majority of information security job specifications you will note one thing in common across the mass of different specialisms and roles - they all require demonstrable experience in security roles," declares James Lyne at Sophos. "How do aspirant cyber security personnel gain experience if they can't get jobs in the first place?"

Lyne also believes tackling the shortfall of cyber-skills should start much earlier and throughout the curriculum. "As an industry, government, and nation we need to do a better job of explaining that these jobs are interesting, rewarding and critically available."

Related forum discussions
  Topic Replies  
forum comment Website security: often overlooked, surprising consequences 2 Reply

Latest Issue

E&T cover image 1408

"What the Scottish independence referenda could mean for engineers and engineering on both sides of the border"

E&T jobs

E&T Marketplace

The essential source of engineering products and suppliers.

E&T podcast

Tune into our latest podcast

iTunes logo

Subscribe

Choose the way you would like to access the latest news and developments in your field.

Subscribe to E&T