By James Henry, Consulting Practice Director, Auriga
Failure to realistically appraise the risks you face is a major issue in business. Without a solid understanding of risk, which forms the foundation of the security strategy, it becomes nigh impossible to apply security controls appropriately, leaving some element of the business under-protected. It is critically important to get this right, to be realistic, and to keep revising the risk profile in the light of existing and emerging threats.
The problem is that many organisations are overestimating their current security posture and their ability to withstand cyber threats. According to recent research from Juniper, 74 percent of SMEs believe they are safe from cyber attack, with 86 percent believing they have taken adequate precautions to counter such an attack.
The survey also revealed that 27 percent believed the size of the company itself would protect them from attack because cyber criminals would overlook them. These perceptions run counter to the findings of other studies, such as the Government Security Breaches Survey, which found that SME security breaches were on the rise, with 74 percent reporting an incident in 2015. It is this disconnect between perceived and actual risk that now poses the greatest threat to the SME sector and is skewing cyber spend.
Yet the SME has never been in a better position to benefit from security solutions. The cloud has given many small businesses the ability to apply data protection measures that would have been cost-prohibitive in-house. Managed security services have given small businesses access to qualified, highly experienced practitioners to whom they can outsource their entire security operations. And SaaS services have enabled these businesses to take giant technological steps and benefit from the same security solutions as those used by large corporates, such as the next-generation SOC.
When we look at the type of security protection measures in place, however, it quickly becomes clear that these SMEs are, at best, adopting a defensive rather than reactive security posture. For example, in terms of practical threat mitigation, the survey revealed that 27 percent of SMEs were conducting penetration testing, while 31 percent were monitoring email for phishing attempts. Both are commendable, but neither monitors or looks in depth beyond the organisation at emerging threats, for instance, which makes it very difficult to determine how risk may increase or decrease.
The difficulty now is for the SME to recognise the need to invest, and to work out how to do so. Another survey, by Barclaycard, found that one in five small businesses do not see cyber security as a priority. And I would agree with them. It is the core business of that SME which is the priority; cyber security is an essential part of maintaining that core business, but many business owners have neither the time nor the desire to devote to it. But it is essential. The cost of a cyber breach to the SME is now estimated to be between £75,000 and £311,000 in lost revenue, business disruption, recovery and fines.
The answer lies in outsourcing. Managed cyber security makes sense for the SME. It provides access to reactive, responsive risk monitoring that can inform cyber spend within the business, avoiding a scattergun approach and reliance on point solutions, and tailoring that provision to sector-specific threats. It dispenses with the need to manage and maintain cyber security in-house, and it frees up the business to concentrate on what it does best.
SMEs do need to become more aware of the threat to their business, but they also need security to meet them halfway. They need a business-focused, not security-centric, approach that can serve the SME by delivering business insights. Any outsourced offering needs to become an integral part of day-to-day operations. Only then will SMEs have proper visibility of the threat and a realistic understanding of their security posture.