Introduction - Why a Security and Risk Blog for SMOs?
Why would anyone be interested in cyber security, especially in a small or medium-sized organisation? The reality is that no one is particularly interested in cyber security; no one ever sets up an organisation and then decides that they should now take an interest in cyber security - unless that is the business the organisation is in. But that is not to say that they shouldn't be interested in it.
This is edited content from Sarb Sembhi and co-host Nick Ioannou; it is also available as video and podcast.
- The Changing Economic Landscape
- The Changing Business Landscape
- The Technology Life-line For Small Organisations
- Volume Of Threats To Small Organisations Increase
- Organised crime is more organised than in the past
- Tools for attack and tools for defence have not developed equally
- The knowledge gap of what one needs to know has grown wider
- Newer devices fuel and increase the attack surface of businesses
- Impacts to Small Organisations
- Taking advantage of the strengths and opportunities
- Dealing with the threats & weaknesses
- Governments are responding
- What this means for Small Organisations
- How we will try to help
Both of us have been in IT and cyber security for the best part of 30 years each, and I'm sure we have both been through times when we threw everything, including our shoe, at the computer and then felt like having a drink in the park like the guy in the photo - well, maybe not the throwing-the-shoe part. But we both understand what good cyber security can do for organisations, as we have spent a lot of time understanding it and making it understandable to non-technical people in all parts of small, medium and large organisations. What we aim to do is to provide our SMO (Small and Medium-sized Organisations) community with enough of the right information to enable people to understand whether they need to consider taking some cyber security actions appropriate to their requirements, according to the level of expertise they have.
We understand that most SMOs have very limited IT knowledge and expertise, let alone any security knowledge or staff. However, as organisations grow they develop this knowledge or expertise. For this reason we try to use as few technical terms as possible, while at the same time providing a glossary of terms in the text through tooltips on our website. Many of today's adults can remember having to operate video players for their parents because the technology seemed to be beyond them; many of today's technologies are infinitely more complex, and manuals don't always come in the form of a printed document, but as something that is available online for support or as a PDF to download.
Part of today's reality is that smart technologies have become so pervasive and difficult to ignore that things which were once manually operated are now only controllable via a mobile or Wi-Fi, making cyber security difficult to ignore. With legislation related to payments, data protection, privacy and VAT payments, today's organisations cannot avoid using technologies for day-to-day operations. However, today's technologies are changing much faster than they ever have: designing and manufacturing new solutions is so much faster, and online apps mean that there can be new software releases every day.
To help SMOs cope with the cyber security implications of these fast-moving technologies, in each episode we explore why the topic may be one that SMOs should consider understanding better, and the consequences of what can happen if action should have been taken and wasn't. We try to present information in a way that doesn't create what we call in the industry "Fear, Uncertainty and Doubt" (otherwise known as FUD). Many of the articles we provide are the first in a series of articles, where the first one conveys why the topic is of importance and the circumstances in which action is required. If after reading the article the reader agrees that action is required, they can get access to further articles which provide much more information detailing what needs to be considered, what the options are, and how to approach taking action in the quickest way possible while still having considered all relevant information.
This first episode explores some of the reasons why right now is one of the most important times for Small Organisations to start dealing with and responding to some of the pressing security issues they may have.
The Changing Economic Landscape
Since the start of the pandemic, many countries have experienced the biggest economic upheaval in over 75 years, since the last World War. This has affected organisations of all sizes - large organisations have furloughed or laid off staff where they haven't gone bankrupt, and many Smaller Organisations have had to reduce or close down operations. This has also meant that in some cases people who were made redundant have set up their own Small Business to generate a new source of revenue, while at the same time other Small Organisations which were set up before the impact of the pandemic have been closing.
The lack of income has played into the hands of criminals, who have targeted their spam or phishing attacks at those most likely to respond because they are more desperate than they have ever been for extra sources of income. Equally, criminals have been drawing innocent people into activities which on the surface seem innocent, where the criminals pay them to manage money, but which are actually part of a wider money laundering scheme.
"... lock-downs around the world have speedily ushered in the era of online collaboration, online ordering and online anything else."
The economic climate has also affected people's mental health, possibly making them more likely to click through on things that are scams than they otherwise would have done, just to make ends meet for their families. This applies to people whether as individuals, working for a Small Organisation, or running their own Small Organisation. The fact is that whereas some of the very large corporates may have thrived during the pandemic, Small Organisations have lost out, or are still more likely to lose out and be negatively impacted than larger ones.
Criminals have been taking advantage of the economic landscape and responding quickly so as not to lose out to competitors. The UK's National Cyber Security Centre (NCSC) published a report in the early part of the pandemic, as thousands of domain names linked to the pandemic were being registered by criminals. This has continued, and cyber criminal activity has shown no sign of slowing down.
The Changing Business Landscape
The global pandemic ushered in a new era of remote working, with many projects rushed from being months away to just days from implementation so that people could work from home. The various lock-downs around the world have speedily ushered in the era of online collaboration, online ordering and online anything else.
Much of this has also forced Organisations to undertake activities that they may not have had to undertake before. They may now be competing with others who were already struggling with existing competition and a lack of customers. Furthermore, all organisations are having to look at extending their reach by thinking digitally to achieve a greater global reach.
The bottom line is that the Business landscape is changing and many are entering new territories of which they have no previous knowledge or experience. This includes the security and data protection issues of taking a business online through digital transformation.
The Technology Life-line For Small Organisations
Many Small Organisations have only survived the global pandemic by pivoting to doing business online, or by massively increasing their online presence. Online tools which were normally the domain of larger organisations and enterprises are available to Small Organisations like never before. Some are even free, causing many established online solutions to add features to catch up.
Many of the cloud solutions already in use by Small Organisations may have been backup-type services, but cloud services are now available for almost anything that can be undertaken online. One of the great benefits of these services is that they are available no matter where the Business is based or even where the employees are working from. Another key advantage for Small Organisations is that they are often far cheaper than similar services that enterprises were once paying lots of money for.
Going online may be a life-line for many Small Organisations, but if not managed properly it could result in loss of data, loss of accounts, and consequently the loss of the Business itself before it even gets off the ground.
The Cyber Essentials Scheme is mandatory for any business wanting to provide services to the UK Government. So, if you're a Small Business seeking a government contract, you must hold the Cyber Essentials Basic Certification to prove that you have at least the basic cyber security in place.
Technology tools and resources have come to the aid of many Small Organisations in new ways, allowing them to do more for less, but many of these technologies have had bugs or vulnerabilities which criminals use to exploit and attack the users of these technologies, as we explore later.
Volume Of Threats To Small Organisations Increase
The volume of threats to Small Organisations has increased hugely. Whereas once it appeared that mainly larger enterprises were targets, now every Small Business is caught in the same net as the banks, because that's effectively what Small Organisations are to criminals.
The interesting thing is that Small Organisations don't realise how much information there is about them, and this makes them vulnerable to hackers who want to resell their information, access their accounts or use their assets for a whole range of other purposes.
Small Organisations, often incorrectly, tend to think "we haven't got much money and therefore we are not going to be a target." They don't realise that they have lots of things which are of value to attackers, whether it's computers and other technology, their contacts, their data etc. Indeed, in some cases they may not be the initial target. It may be that one of their own customers or clients is the real or intended target and that they, the Small Business, are just the stepping stone to get to the real target.
SMOs are open to extortion, fraud and theft, just like anyone else. Furthermore, attacks can sometimes be aimed at the individual owner or employees of the business rather than at the Business itself.
Organised crime is more organised than in the past
Organised criminals have become more sophisticated when it comes to cyber-crime. Hackers and related criminals have become more specialised than they were in the past, and they collaborate with and sell services to each other.
Additionally, those involved in cyber-crime don't need the same level of technological expertise that was required ten years ago. Now they can simply buy everything as a service from an equivalent to "Amazon for criminals." All they need is some cryptocurrencies or a credit card (which could have been stolen) and they are good to go.
It's not just that these criminals are organised. It's that they're far more organised than most Small Businesses are in terms of protection from attacks.
Tools for attack and tools for defence have not developed equally
Cyber criminals have so many tools available to them, while Small Businesses traditionally tend to think "we've got antivirus, we're fine," not realising that antivirus covers just one of the many possible entry points into the business that make it vulnerable.
Criminals are now texting, emailing, using social media and using automated messaging. These technologies are not just for legitimate organisations.
It's getting more difficult to protect yourself as a Small Organisation because even though you may have some protection tools, you can still be attacked in other ways. For example, we know that there have been some instances where even law enforcement agencies have been hit by ransomware.
Extortion through ransomware is a massive problem, especially where the Small Organisation doesn't have the backup infrastructure to be up and running again within a few hours or days of a ransomware attack. There's a good chance that many cease operations after a ransomware attack, and this is a real, serious concern.
The knowledge gap of what one needs to know has grown wider
The gap between what Businesses need to know and what they actually know has been growing. This is because the technology and the threats have been growing faster than the knowledge within Small Organisations. It's difficult to keep up with the marketplace for vendor solutions; buyers are presented with as many solutions as there are makes and models of cars.
How does a Small Business choose between hundreds of options? Even where there are recognisable names, they may not be the right fit. Often what is really needed seems to be aimed at large enterprises, and unless you have thousands of staff to keep costs down, it just seems prohibitively expensive for Smaller Organisations.
Newer devices fuel and increase the attack surface of businesses
It wouldn't be so bad if the different tools we use ourselves and the different technology we have in our lives were similar. Five to ten years ago we had far fewer devices connected to our work and home networks compared to today.
Each new device is a computer - a fact which is often forgotten because they are small and can fit into your pocket. In the modern world people can be carrying up to half a dozen computers in addition to the ones they know about and have secured, or almost secured. The reality is that many of these new devices are not secure and are vulnerable; this is partly due to the complex configuration of each device. When most people buy these devices they treat them like commodity items, for example like a DVD player, and just expect them to work. Security simply doesn't work that way with a computer.
Another development has been the invasion of a whole range of different devices into our homes - smart doorbells, smart locks, smoke alarms, the home hub, the smart fridge, the smart washing machine, smart TVs to name but a few. There are so many more devices connecting to our networks, all of which offer possible ways to access our work and home networks.
The term "smart device" just means it's a computer with an internet connection, that's all. Every smart device adds another computer to your home network, and that computer may be badly programmed. To compound things, for years manufacturers have hard-coded default passwords which users cannot change. Criminals know this and can simply look them up in the instruction manuals! It's like having a door lock but leaving the key in for anyone to use. It's bad luck if criminal hackers come to your front door.
Impacts to Small Organisations
The simplest way to look at the impacts of technology changes is to use familiar terms we all know in business: Strengths, Weaknesses, Opportunities and Threats, or SWOT. Where a Business is able to include the relevant impacts of technology in its SWOT, it is more likely to be able to plan its responses to them effectively.
Strengths that technology provides to Small Businesses:
- Provides greater reach anywhere in the world
- Enables employees to work anywhere in the world
- Enables 24/7 operations
- Enables monitoring of operations, where the provider has done all the thinking such services require.
Weaknesses technology opens Small Businesses to:
- Possible hidden costs - these may be one-off or ongoing
- Errors in configuration and deployment due to lack of expertise - leading to attacks on the network, system or device
- The need to maintain updates to close vulnerabilities - if updates are not maintained, the business is open to trivial attacks
- Staff may be open to online or offline phishing attacks.
Opportunities open to Small Businesses through technology:
- Streamlining of complex workflows
- Utilise some of the growing number of "Software as a Service" offerings available on the market
- Low costs, and the ability to switch services on or off, or increase or decrease them, as and when needed and in the quantities and volumes needed.
Threats Small Businesses may be exposed to through technology:
- Data loss
- Ransomware attack
- Reputational damage
- Website attacks
- Payment Fraud & ID Theft.
It is important for Businesses to include cyber security impacts in their SWOT analysis and to consider how they intend to deal with them at an early, high-level stage of their business plan.
Taking advantage of the strengths and opportunities
As per the business plan, any Organisation would want to capitalise on the strengths and opportunities opened up by technology, whether in marketing, social media or web services. Expanding these also enables the Business to understand the related threats and weaknesses which need to be considered.
The technology available today and going forward enables suppliers to offer a mix of services which once might have been offered by several different suppliers, at a high cost for each service. The changes that have taken place have been incredible, but unfortunately these same strengths and opportunities have also been available to the criminals.
Criminals are also able to hire servers and software for spamming and attacking by the hour, as well as purchase lists of email addresses to send messages to, or password lists, on some of the criminal marketplaces. It would be a mistake to think that the benefits of technology we have today have not also been available or accessible to criminal attackers.
Dealing with the threats & weaknesses
The threats and weaknesses created by advances in technology are in many respects the other side of the strengths and opportunities coin. The big difference is that whereas the benefits available to Small Businesses through technology changes mean that they don't need much technical ability, knowledge or experience, the threats and weaknesses do force them to understand the cyber security threats in more detail than they would like.
The criminals are learning to use tools and developing their expertise in extracting money from Businesses. Sometimes these may be new techniques, or old techniques with a slight change, but either way it means that the businesses being attacked will now have a new word in their vocabulary, whether it is spamming, phishing, ransomware or anything else. Also, Small Businesses should never forget that the business of criminal attackers is to extract value by taking something from legitimate Businesses, and they will do what they can to extract that asset. For them to be as successful as a legitimate Small Business, they have to put in effort to make it a reality. Small Businesses, on the other hand, will be focused on delivering value to their customers, not on how they need to protect themselves from attackers. Therein lies the challenge: attackers spend 70-80% of their time attacking, while Small Businesses often spend 0-5% of their time defending.
The good thing is that there are many services available now which cover almost any aspect of cyber security that Small Businesses can't handle themselves. However, the first issue, as with anything, is recognising that something needs to be done.
Governments are responding
While all these things have been going on, it's great that the UK government is among a few countries around the world which recognise this. Recognising the impact on Small Businesses, a few years ago the government initiated the Cyber Essentials Scheme, which is mandatory for any Business which wants to do business with the government. So, if you're after a government contract, you have to have the Cyber Essentials Certification to prove that you have some security in place.
The scheme covers a lot of the basics, it's affordable (it starts at around £300 per year) and it needs to be renewed annually - it's not a do-it-once-and-forget-about-it exercise. With over a million small businesses in the UK, there are many more targets for criminals.
Cyber Essentials Certification is covered in upcoming episodes. The point is that the government recognises this risk and has set a bar. It's quite a low bar in many respects, but it's a bar nevertheless, and it's a useful bar for many businesses because it's better than nothing. Getting the Certification means the Business can use the logo for promotion and gives peace of mind while you build on it. It's a starting point - not the be-all and end-all - just a good start.
What this means for Small Organisations
For Small Businesses, cyber security is just another function which, if they don't know how to deal with it, has to be handled by someone else. In the same way that many Small Businesses will have accountants to deal with the yearly accounts and VAT, solicitors to deal with their legal issues, and marketing consultants to deal with their marketing, so too will they now need someone who deals with the cyber security function - if they are to grow big before they are attacked.
How we will try to help
We hope through these Blogs to identify the level of Skills & Expertise, the Services, and the Apps and Tools that Small Businesses need to learn about. We want to help Small Businesses to continue their focus on generating revenue, and to pick up and add to their knowledge and skills as they grow to employing more staff with specialist knowledge, experience and skills.
We hope that you will ask questions, discuss your thoughts, complete the poll questions, and share some of this with others you think may benefit. We will try to answer some of the questions and help stimulate discussion - but we won't be able to answer all questions all of the time.
Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more.
Images from https://www.pixabay.com.