Security annus horribilis is a bad omen for SMEs

Durgan Cooper, Director of Information Security, CETSAT

In the security space, 2015 was an annus horribilis where the delicate power balance between cyber-criminals and security professionals shifted in favour of the black hats. Ashley Madison, The White House, VTech, T-Mobile and TalkTalk all suffered major public embarrassment and financial misfortune following high-profile attacks. The trend shows no sign of abating in 2016. In January a denial-of-service (DoS) attack brought the internet banking services of global bank HSBC to its knees.

If these giants with their sophisticated IT infrastructure and phalanx of IT professionals can be brought down so ruthlessly and with such apparent ease, it begs a more worrying question – what is the prognosis for the UK’s 5.2 million SMEs? The statistics from the latest Government Security Breaches Survey published this week paint a grim picture. In the last 12 months 74% of small organisations reported a security breach, an increase on 2013 and 2014.

The lack of a coherent security strategy and fit-for-purpose IT infrastructure represents a significant vulnerability for a large portion of this country’s SMEs. A Dell Security survey conducted last summer revealed a measly 3 per cent of SMEs are adequately prepared for a cyber-attack. That’s a worrying figure for the 99 per cent of Britons they employ, and the national economy they fuel.

Firewalls in particular represent a major IT weakness for SMEs. It is worrying how many businesses are still relying on firewalls that are more than five years old. Constant, aggressive, well-funded innovation in the dark underworld of malicious attacks means a firewall that is more than eighteen months old is powerless against all but the most basic piece of malware. In short, an outdated firewall is the IT equivalent of a chocolate teapot.

As is often the case with SMEs, it all comes back to cash flow. As director of information security in a managed services company, I spend a large chunk of my time on-site advising owners and managers of SMEs on their IT set-up. 99 per cent of the individuals I encounter are smart, savvy and recognise that cyber security is a threat to their business. But for all of them, the cost of upgrading their IT system is prohibitive.

You don’t need me to tell you that half of new businesses fail to survive beyond five years, with cash flow one of the biggest contributing factors. The life of the SME owner and manager is a non-stop fusillade of decisions – big and small – that will ultimately add up to success or failure. In that context, rejecting significant cash spend on cyber security protection in favour of a new marketing campaign, senior hire or customer event is a difficult judgement call.

However, a ‘third way’ is emerging that will help cost-conscious small businesses to defend themselves against cybercrime, without denting their cash flow. That third way is Managed Cyber Security Services.

Returning to an earlier example, rather than spending £1,000 on a new firewall, imagine you could effectively ‘rent’ that critical piece of hardware from a distributor at a fixed, affordable monthly fee. After 12 to 18 months, the supplier replaces the ‘old’ hardware with a brand-new version with up-to-date software. The fixed monthly fee represents a small operating expense, vigilantly protecting you without damaging your cash flow.

By embracing the model, SMEs also enjoy more traditional outsourcing benefits: robust product and threat knowledge, more competitive rates and compliance with government and industry-defined regulation. Common cyber security managed services include firewall, AV, email, encryption, authentication, secure mobile access and SSL certificate management ‘as a service’, as well as an onsite risk audit and staff training.

As the lessons of the past twelve months show, security breaches are frighteningly common, can strike at any time and typically result in damaging customer churn and financial losses. Where a T-Mobile or TalkTalk can draw on vast financial reserves while they regroup, SMEs often aren’t so lucky. Managed Cyber Security Services can help SMEs walk the tightrope between managing cash flow and protecting their assets from cybercriminals.