When it comes to security, size doesn't matter
It's the same with the organisations targeted by criminals: just because a company is small and relatively unknown doesn't mean that it's safe from attack. SMEs are being targeted for attacks as part of a widening of the net for cybercriminals.
Why pick on me?
With the current trend in attacks focusing on targeted spear-phishing attacks and social media profiling to gain access to networks, criminals are focusing on organisations that have assets that are of specific value to them. The SME may be targeted as a stepping-stone from which to attack a partner company, on the basis of exploiting any weaknesses in a supply chain. A high-tech start-up, for example, might be developing intellectual property for a much larger partner, or a small financial PR company may hold draft information about a critical upcoming deal for a FTSE100 organisation.
This was the situation in the Global Payments card processor breach in 2012, which affected hundreds of thousands of Visa and MasterCard holders. The smaller company was holding valuable assets that may have been harder to obtain from the larger firms, which made it the target. Attackers are also gambling on smaller companies having fewer security controls and fewer layers of security.
Of course, this may not always be the case, but in general there is a correlation between a company's size and the time and resources it has available to focus on security and its management. Organisations typically use around 6% of their total IT spend on security - which means companies with smaller budgets need to allocate the security portion of that budget as wisely as they can.
The security shopping list
So what security should organisations look at investing in? In terms of protection, the same rules apply for SMEs as for any size of business: they need to decide which of their assets are business-critical, then put policies and solutions in place to protect those assets and mitigate risks to them.
Until recently, this would have demanded a disproportionately large investment from smaller businesses in security. However, two developments have enabled SMEs to protect their assets with enterprise-level security.
Firstly, the cloud model enables organisations to deploy security quickly, have that security managed for them (with solution and threat updates managed by the cloud security provider) and of course with little or no upfront capital outlay, and predictable monthly costs. What's more, advanced, integrated services can be delivered this way - from antivirus and firewalling through to web application and social media control. Fully-managed cloud services can remove a management headache for smaller firms.
The second option is made possible by the cost-of-entry for flexible, upgradable on-premise security appliances dropping dramatically. This enables comprehensive, integrated security capabilities that were previously the preserve of larger organisations (such as virtual private networking, intrusion prevention, anti-spam, application control, and URL filtering) to be accessible for hundreds, rather than thousands of rands. For many firms, this puts advanced security within much easier reach of that 6% of business IT spend mentioned earlier.
Education matters
To reiterate, the size of an organisation has no bearing on its security readiness. A key contributor to this is employees' awareness of IT security issues. In our 2013 security report, we found that 54% of nearly 900 organisations surveyed globally had at least one potential data loss incident as a result of emails being sent in error to an external recipient, or information being incorrectly posted online. We also found 52% of employees risk committing a breach in the workplace by engaging in unsafe computing practices.
It is these simple, human errors that attackers look to exploit: tricking an unsuspecting employee into clicking a link in a phishing email that will infect their PC, or inadvertently posting sensitive information to the wrong website. Unfortunately, we're all conditioned to trust others, and it's a difficult mind-set to change because employees want to be helpful, and want to feel they are doing their jobs effectively.
This is where employee education can play a key role in boosting security: making staff aware of the potential risks and threats, and how their behaviour can mitigate these risks by avoiding phishing emails, fake websites and more. And it's here that smaller businesses have an advantage: they have fewer employees to educate.
It's often these simple measures that can be the difference between a security incident and 'situation normal'.