Small businesses need to upgrade their awareness of - and abilities in - cyber security if they are to avoid becoming the 'soft underbelly' of the UK's fights against hackers and cyber threats.
Media Reports about IT security breaches resulting in data loss and other compromises to corporate data integrity usually only make headline news when big name brands are hit. Resultant concerns about reputational damage have spurred many medium-to-large enterprises (MLEs) into reviewing their cyber-security strategies and redoubling their efforts to ensure that their ICT is properly protected - or at least as protected as possible within the context of their risk assessments and IT budgets. Because of their size a lot of the damage can over time be 'managed'.
For small-to-medium enterprises (SMEs), meanwhile, to assume that the scale of threat and risk are of a radically different magnitude, or to think that hackers, cyber-criminals and other malevolent online agents are only interested in going after larger players, is a mistake. Recent market evidence indicates that SMEs are being increasingly targeted by online threats, both because they are perceived as being innately more vulnerable, and because new cyber criminals entering the online fray are keener to find the opportunities afforded by these 'soft' targets.
"Too often SMEs plan their IT security under the misconception that their networks and data are already pretty safe because they don't have anything that would interest cyber attackers," says Corey Nachreiner, director of security strategy at WatchGuard.
The 'Black Hat' intelligentsia are wise to the fact that start-up SMEs often have data assets of a value disproportionate to their company size on their systems. A high-tech start-up, for example, might have leading-edge intellectual property being developed as the basis of a relationship with a much larger development partner, or even a small third-party provider of specialist marketing services could have access to customer record databases for a sales campaign.
Elsewhere on the SME scale there are established businesses such as second-tier retailer chains that find themselves having to process sets of transactional data from credit and debit card payments, but are acutely financially constrained in respect of protecting that data.
These additional pressures come at a time when SMEs are being urged to play a greater part in UK economic recovery through renewed grassroots growth and entrepreneurship, plus partnerships with established market leaders, and use of initiatives such as the government's G -Cloud programme to ensure that SMEs can now be included in public sector procurement.
Such opportunities can be very exciting, but also very daunting. For an SME with limited IT management resources the escalating levels of cyber-security management can prove exhausting. "Is cyber security management becoming a generally more complex requirement? Yes, it is, for organisations of all sizes," says Bob Tarzey, director at market analyst Quocirca. "You need not just point security - like anti-virus and firewalls - but context-aware security to make sense of targeted attacks."
It is this opening up that is also putting SMEs more in the sights of the cyber-criminals and other nefarious online actors. Tarzey adds that SMEs are too often the 'soft underbelly' of cross- organisational business processes.
Most vertical sectors have now been singled-out for hack attacks, from fast-food point-of-sale terminals to the online gaming community. More obvious targets are financial services and retail. IT solutions company Verizon Enterprise exposed a breakdown of industries victimised by network intrusions in its report '2013 Data Breach Investigations'. It revealed that 37 per cent of breaches affected financial organisations, 24 per cent of breaches occurred in retail and restaurant environments, 20 per cent of intrusions involved manufacturing, transportation and utilities and 20 per cent of breaches hit information and professional services firms. However, the latest trends have seen manufacturing, health, and intellectual property verticals become more targeted.
Types of attack
There are two main classes of attack: automated opportunistic attacks, where a wide net is cast using mass emails or automated network attacks where everyone is the target; and those that specifically target a single organisation or group of organisations, such as a group of companies in the same vertical sector. These usually consist of 'spear-phishing' emails to lure victims to a malware site.
"SMEs have been victims of the first type of attack for years - whether they know it or not," WatchGuard's Corey Nachreiner adds. "Bot herders use automated techniques to try to 'zombify' as many Internet connected victims as possible and often end up infecting hundreds of small businesses this way. They then use these bot-infected SME machines as a stepping stone to gain control of the network and its sensitive, valuable, data."
Where MLEs and SMEs have business relationships, cyber criminals know that there is a chance that smaller partners could be a weak link in a series of business arrangements and information exchanges that might stretch across several different entities, says Ryan Rubin, MD of risk and regulation management firm Protiviti. "They can come by this intelligence through a variety of means - some of it deliberately placed into the public domain, such as a standard press release, say. A small manufacturer wins a contract to supply components to a large electronics manufacturer: it's natural to want to let the market at large know that it's been successful." Cyber criminals are also looking for those kinds of announcements such as website banner swaps, which they can use as 'leads' for future targeted attacks.
According to the 2013 Information Security Breaches Survey, sponsored by the UK Department of Business, Innovation and Skills (BIS), launched at Infosecurity Europe 2013, 87 per cent of respondents across all sectors experienced at least one breach in the previous year - an increase of more than 10'per cent on the 2012 survey. Furthermore, the cost to SMEs so affected could be equal to 6 per cent of their turnover, the survey says. For one operating on the narrowest of margins even such a comparatively low-level incursion could result in business closure.
There have been several attempts at estimating the overall annual financial impact of cybercrime on the UK economy as a whole. A 2011 Cabinet Office report reckons around '27bn; others, such as the 2012 Norton Cybercrime Report set the costs much lower ('1.8bn). The Federation of Small Businesses claims the costs to its members is '785m - that's around '4,000 per victim; but there is still ambiguity in the fine detail, and the headline figures do not always discriminate between different impact vectors, i.e. whether the losses are due to stolen or devalued assets, lost productivity, and/or reputational damage. Whatever figure you favour, it is having a destabilising effect on national finances.
Although the BIS survey suggests that the situation might be remediated to an extent for SMEs by more investment in technological solutions, establishing cyber security skills is of equal importance says Nachreiner: "IT security products are becoming more commoditised than they used to be, which is good insofar as there are more security products going into end-user organisations," he says. "However, some of these complex products require quite a fair degree of expertise to set up, are not being configured as well as they should be because IT staff do not possess the right skills or understanding of the product's capabilities."
Availability of IT skills has long been an issue for all European markets that rely on ICT for commercial stability and expansion, and a lack of information security-specific skills is an even more acute problem when cyber-crime is undermining already weakened national economies. Experienced and knowledgeable security practitioners tend to pursue career opportunities with large end-user organisations, or inside the security solutions industry itself, where the rewards are high, rather than take a position with an SME.The end result of this significant lack of information security skills among the UK's IT workforce is hampering the fight against cyber criminals, according to the IET Cyber Security Skills Survey released in May 2013.
"SMEs sometimes do not realise that getting cyber security right isn't just about protecting themselves, it's about taking responsibility for protecting a supply chain which they might be a part of," explains IET cyber security expert Hugh Boyes. "A small manufacturer of automotive components, say, might be supplying a part of a car. If as a result of getting hacked some fraudster gains access to their part blueprints or inside knowledge of their distribution channels, they could easily start introducing sub-standard or defective counterfeit parts onto the global market that cause massive problems if they do end-up installed in production vehicles."
The mobile threat
The onset of the mobile enterprise, where out-and-about workforces are using portable computing devices as their primary productivity tools, is an important change to IT strategy evolution, and one that is posing challenges for organisations of all sizes. For SMEs, the mobile model might appear as something of a saviour, creating the possibility of new ventures where the staff are equipped with portable devices like netbooks, tablet PCs, and/or smartphones. Connecting these via 3G/4G mobile networks, or private/public Wi-Fi to company resources stored in a managed cloud service, looks to be an attractive IT provisioning model: it brings down capital expenditure; but there are untested risks. At least when your data is sitting on owned servers there is less chance of losing access to it should your cloud provider go down.
At the same time adopting a mobile model does not mean that traditional security challenges are left behind, says Protiviti's Ryan Rubin. Indeed, in some respect mobile is proving less secure - and just as complex - as the old static model.
Partly the new complexity is arising from the extended connectivity. As enterprise mobility is transforming the way we work, it transforms how enterprise security must be practiced. Users operating outside of the premises security perimeter brings flexibility compared with older IT models, but it can also provide extra opportunities for cyber attacks. Mobility models are not necessarily the issue, adds Richard Wilding, cyber security director at BAE Systems Detica, "Users may now use multiple mobile devices for work purposes - sometimes across public networks where security is beyond the IT department's control".
Large enterprises - and a lot of medium-sized ones - are accustomed to the routine of product refresh cycles, where hardware and software is upgraded after a specified period - typically three to five years. Although in some instances this cycle is being extended, few enterprises are looking at running 10-year-old PCs for critical applications, or hanging back with outdated versions of operating systems because of worries about the expenditure involved in an upgrade.
With SMEs such as a small retail distributor, say, where cashflow is everything in a market where income and outgoings are misaligned, mustering the necessary capital to expend on new IT equipment is a decision that's easily put off.
Therefore it seems sensible for some SMEs to sweat their assets for as long as possible, so long as the technology is performing the critical applications within reasonable margins of acceptability. Again, they will be unaware that cyber criminals are specifically targeting attacks to exploit last-generation security hardware and software.
"Criminals have their own copies of business-application software which they pull apart to find weaknesses in," Protiviti's Ryan Rubin points out. "SMEs often don't realise that what was secure five years ago may have been made vulnerable by new tools that cyber criminals have at their disposal."
The same lesson applies to how often SMEs review their security policies and procedures, warns Detica's Richard Wilding: "It's not just the front-line products that should be refreshed. The underlying mechanisms also have to be re-appraised - both technological and operational."
Another area where SMEs are prone to laying themselves open to infiltration is their propensity to use social media for corporate activities such as recruitment. Faced with the prospect of paying recruiters fees or advertisement costs, SMEs might first try to hire staff through social media websites, thus creating an opportunity for targeted cyber attackers to elicit information that could inform a phishing attack on other staff.
The cyber security profession has now become multi-faceted to the point where practitioners have to possess an updated understanding of core applications, multiple operating systems, and communications protocols, and not just of anti-virus software, firewalls, and webserver protection. On this point SMEs and MLEs face the same challenges. One deciding factor could be that of basic recognition: the IET's Cyber Security Skills Survey of 250 SMEs found that while the risks of online threats such as hack attacks and malware are gaining more recognition, they are only a 'high priority' to a minority of the organisations polled. There is also a need to raise both awareness of, and the protection of, software that may be embedded in their own products.
Only 14 per cent felt that cyber security threats were the highest priority, and already believed that they had sufficient skills and resources in place to manage the threat; and only 30 per cent of all respondents said that they had "sufficient protection against potential threats" to the software embedded in their products.
"Increasing threats to ICT systems and new vulnerabilities emerge daily," says the IET's Hugh Boyes. "The issue with SMEs is that they may believe that they have to reach a certain size before they become a target and need to recruit a specialist for any given IT role. With cyber security they really cannot afford to delay - SMEs are increasingly going to be a target of choice for those trying to compromise larger organisations."
The IET survey also found that only 50 per cent of respondent SMEs were aware of the UK Government's Cyber Security Strategy, the primary objective of which is to make the UK 'one of the most secure places in the world to do business in cyberspace'. It is through such schemes that SMEs can become aware of government support packages designed to help. The Technology Strategy Board, for example, has extended its Innovation Vouchers scheme to allow SMEs to bid for up to '5,000 (from a '500,000 fund) to improve their cyber security with the support of third-party expertise. And interviewees to the NAO's 2013 cross- government 'Cyber-Security Strategy Landscape Review' also backed the notion that larger businesses could provide help and guidance to SMEs, especially where a commercial relationship already exists.