A ‘Must Do’ for SME’s

For many small businesses cost has become a barrier to good protection. It needn’t, says Bronzeye


Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the Commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We’re just better at hiding it. Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can’t determine how, and that is quite a lot, they refund losses and keep very quiet about it usually under non-disclosure terms. There are also many who have been breached and had intellectual property stolen. Many will not know that this has happened and, for small to medium-sized enterprieses (SMEs), that lost data may ultimately be a cause of their demise – and they’ll probably never know.

The cyber security industry paints itself as super-heroes fighting off hackers. This is nonsense. It is a multi-billion dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn’t work anyway, and they know it, he says. Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendor engagement. They are much less interested in SMEs. They have herds of cash cow solutions to sell and they are going to sell them! The cumulative cost – hardware, software, licensing, people – quickly zooms out of reach of most small and medium-sized businesses. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk! territory for many. That’s a proper dichotomy for SMEs.Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best – “it hasn’t happened, so it’s not a problem”. That is becoming suicidal. When “it” does happen, it will be too late. If you are not ready, in a moment, “it” becomes an insurmountable problem and you are probably going out of business.

Three quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers’ risks and makes you less of a target – more attractive to customers and partners too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies who will simply pass the requirement on.No-one can guarantee any system or network is unbreachable but that doesn’t mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, “it” is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over and expecting a different result. Let’s cut the insanity and change the way we think.

Andrew Taylor

CEO of Bronzeye IBRM

BronzeyeIBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.