Inevitably there is an expectation that low-ish profile but widespread cyber-crime, ransomware (particularly the domestic kind targeting individuals by locking their devices until they pay by Bitcoin) and identity theft will continue to rise, along with a leveling out around advanced persistent threats. Then there is the almost certain probability that there will be some shock horror stories for some big names. However, one of the most significant recurring themes is the role and responsibility of the all too often overlooked and unaware SME.
IBM reports that well over half of all cyber-attacks are targeted specifically against SMEs, yet they do not make the headlines in the same way TalkTalk or Tesco Bank have. To further stress the point, according to the National Cyber Security Alliance in the US, 60 percent of SMEs who are hit with a cyber-attack will go out of business in the following six months. So, isn't it high time security was placed higher up the agenda?
Kevin Smith is a senior payment services and risk management consultant and former senior VP, fraud management at Visa Europe. He believes that in the absence of real advice and guidance, many smaller merchants / SMEs will become increasingly at risk of:
- Missing the point on the importance of information security.
- Failing to understand the risks to their business, today and in the future.
- Not appreciating how those risks correlate to business impact, reputation damage, reduced profitability or business loss.
- Continuing to be misled by merchant acquirers, processors and solution providers on what to protect and how to get organisations "out of scope".
- Becoming increasingly confused on the respective roles and differences between Payment Card Industry Data Security Standard (PCI DSS) compliance, Point to Point Encryption (P2PE) and the General Data Protection Regulation (GDPR), i.e. it is not just about payment data, but customer data.
- Paying unnecessary and excessive fees to industry stakeholders for protection against non-compliance and associated financial penalties.
- Falling foul of system breaches and data loss, not just card or other payment details but your customers' data.
“As criminals get more and more brazen, it is not a case of if you are attacked or breached, not even when it is going to happen, but how are you going to address an attack, a breach, a violation, that has already occurred, because you were not prepared.”
Smith argues that SMEs need to understand that their data is of value, and their systems are the potential entry point or stepping-stone to other organisations. They are very much of interest to cyber-thieves or malicious criminals. He adds:
“Organisations are missing the point on the importance of information security and not understanding the risks, and the catastrophic impact that they can have on the reputation and profitability of the business.”
The need for SMEs to focus on information security in the next 12 months is reinforced by Tim Watts OBE, who spent more than 36 years working for the UK Ministry of Defence, the British Army and the United Nations.
“For SMEs, for whom, in particular, information security cannot become a paralysing cost base, my advice is to keep rehearsing and sharing understanding, prevention activities and responses, remembering that computers are only part of the equation. Security is as much a human resources issue as it is a problem for the IT department. The General Data Protection Regulation (GDPR) will drive us to be more attentive to our information security practices, and we must attend to the basics and then tackle the more technical challenges. Our first job is to ask the obvious questions about our information . . . remembering who the children of assumption are.”
Andrew Taylor spent 26 years with the British Army, firstly in the Grenadier Guards and then in the Intelligence Corps. Today he is the CEO of BeCyberSure, and is optimistic that with help in improving their 'cyber hygiene', organisations will respond positively in their ability to manage the risks they are facing.
“We constantly hear of a global technical skills shortage. Much of this is fuelled by the tech industry who always have something new to sell and are determined to ratchet up the price by manufacturing skills famines. Much of the reason we supposedly need all this new and improved software, and the cyber-specialist skills that we are so short of, is because of our general basic cyber-hygiene.”
Taylor argues that how organisations and their employees interact with technology is generally poor, thereby constantly creating vulnerabilities for criminals to exploit. By following basic security measures (maintaining up-to-date AV software, a firewall, a VPN, patch management, strong passwords, etc.) and using caution when online, organisations will make themselves a much harder target and, therefore, less likely to need the 'cyber-doctor'.
“Ninety-five percent of smokers will become ill and many will die because of their habit. Yet most of that 95 percent will absolutely convince themselves that they will be one of the lucky five percent who don't. Our attitude to Infosecurity and cyber-security is very similar.”
Taylor makes the point that many SMEs convince themselves that they are too small, or are of no interest to cyber-criminals. However, with two in every three businesses being a victim of cyber-crime and related incidents each year, he argues that: "This laissez-faire attitude can only be described as distinctly odd." Just because an organisation is small does not mean that its information or systems are not attractive to cyber-criminals. At a minimum, its PCs and networks could be misused as the springboard to launch an attack on the SME's suppliers and customers.
Upcoming changes in the law are going to make the 'cross your fingers and hope for the best' stance very dangerous, painful and, for those who are determined recidivists, extraordinarily expensive in fines and criminal convictions.
So, what can SMEs do in the coming months to reduce the likelihood of being 'attacked' and mitigate the impact if the worst does happen? Former head of security at the Bank of England and now chair of the London Chamber of Commerce Cyber-security Committee, Mike Britnell, advises SMEs to think CIA (Confidentiality, Integrity and Availability).
“Every business must ensure that their critical, or sensitive information remains confidential, that it cannot be accessed by unauthorised individuals or tampered with, and it resides on the systems, storage devices and communications services of the providers least likely to fail.” He adds: “To put it another way, there is little point in holding or transmitting vital data on or across electronic systems if it can relatively easily be 'seen' by a tech-savvy villain, modified or corrupted for criminal gain, or made unavailable as a result of a third-party vulnerability or wide area system failure.”
The year ahead will be a defining one for organisations of all sizes. Threats will be greater in number and more sophisticated; meanwhile, organisations will face stiff penalties for non-compliance with new regulation. Put simply, 2017 must be a year of action.
As Tim Watts aptly concludes: “The only certain prediction in 2017 is a reduction in predictability!”
Contributed by Graham Thatcher, independent security consultant