By Jonathan Martin, EMEA Operations Director at Anomali
Home to many of the most innovative ideas for new or improved services and products, small to medium-sized businesses (SMBs) act as the backbone of the British economy. In 2016 they had a combined turnover of £1.8 trillion, 47% of all private sector turnover in the UK.
However, despite these impressive figures, many SMBs still fall down when it comes to cyber security. This is in part because many prioritise creating value around their core competency rather than bolstering their cyber security. But with new EU general data protection regulations coming into action soon, it’s an area that SMBs can no longer afford to neglect. As highlighted by Towergate Insurance, 97% of SMBs have neglected to prioritise online security improvement for future business growth.
The Challenges of Cyber Security
Most businesses, regardless of size, are generally thought to have a firewall and anti-virus software. However, even with these programs in place, SMBs remain exposed. SMBs are predictably some of the most vulnerable to cyber attackers and arguably have the most to lose. If their intellectual property is stolen, such an attack could easily mean going out of business, especially if they are discovered to have been a launching pad for attacks against larger business partners. With this in mind, it seems foolish for SMBs to neglect security in this way. So, what is holding them back from enhancing their cyber security?
Limited dedicated staff
As you might expect, the first IT staff members hired by SMBs are not usually cyber security specialists, but those who ‘keep the lights on’. Their focus is on password lock-outs, configuring network services and solving problems with company laptops, not complicated security analytics. It is important to note that this security staffing challenge isn’t isolated to SMBs. For the foreseeable future it will remain a prominent problem across all organisations. The demand for a cybersecurity workforce is only set to grow, with some predictions as high as 6 million (globally) by 2019, but with a projected shortfall of 1.5 million. Wages for top-notch cyber security analysts are also increasing at a rate of over 7% each year and, unfortunately for SMBs, they are unlikely to be able to support this wage growth, meaning they will miss out on the best talent. They may therefore be required to hire and nurture junior talent, a process that comes with its own added challenges.
Supply chain vulnerability
Staying on top of your own organisation’s security and technology is challenging enough, but tracking a third-party “wildcard” is near-impossible, particularly for SMBs. Supply chain security, the vulnerabilities and the connections between businesses represent risks that major companies are focused on. Last year there were reports of several big US companies suffering major breaches due to security compromises in smaller businesses they had relationships with, demonstrating the potential damage of this growing problem.
The restrictive cost of cyber insurance
67% of small businesses are unaware of the availability of cyber insurance, according to security research firm Software Advice. In the UK the limit for data breach impact is only around 3 times that of the cover. For an SMB with a small policy this will likely not absorb the loss of intellectual property and the loss of customer records, only the cost of system restoration.
Challenges such as these are not easily solved. Although many SMBs are aware of the need to collect log data for later analysis by a consultant for legal compliance purposes, most simply don’t have threat intelligence data or security information and event management (SIEM) systems.
Additionally, staffing and insurance are always going to be affected by cost, something which is worth the budget but can’t always happen overnight. SMBs need to implement cost-effective systems in order to help them protect their business, and their business relationships, before they can then begin tackling the larger cyber security problems.
Unfortunately for SMBs, they are the last to be considered by cyber security firms, who primarily focus their offerings on the Fortune 500 with the intention to shift down the market to SMBs much later in their product life-cycle, but sometimes not at all. Despite this, there are still a myriad of ways that SMBs can obtain security products and services that automate breach detection and discovery, giving them the value of security analysis and infrastructure without the huge upfront and ongoing costs. Threat intelligence reporting can be useful, and numerous SMBs understand the value of collecting logs for network troubleshooting and regulatory compliance. Tools such as these allow SMBs to correlate the data they already have against a database of threat indicators on a weekly basis, and some of these even operate on a “freemium” model.
Moreover, it can only serve as a comfort to other larger businesses in the supply chain that small businesses employ these security controls. Services such as the above will feature the ability to share a small business’s security posture as a proof point for other larger businesses in the supply chain. The hope is that once these services are utilised, they should allow any company to use security as a differentiator when competing to supply services or goods as part of a larger supply chain, ultimately allowing them to focus on what they do best.