[BreachExchange] The net is closing in: Why SMEs must take cyber security seriously – and how

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 14 15:33:32 EDT 2016


http://www.itproportal.com/features/the-net-is-closing-in-why-smes-must-take-cyber-security-seriously-and-how/

Imagine this. You’re the Chief Information Officer for a well-known SME
with big ambitions. You have a small team of superb, highly qualified
network administrators who have built and manage networks and systems for
your staff and customers that are tighter than an eggshell around the yolk.
But you still get a security breach.  How did it happen? Maybe it was a
burglary – your premises are insecure. Or a trick – your staff are poorly
trained and fell for it. Could it have been an insider – a disgruntled
employee, a gleeful final act on their last day?

Was it caused by one of your suppliers – their own systems, staff and
standards are not as good as yours, and the process of supplier selection
and management did not iron out the wrinkles? Or perhaps it was simply
waiting to happen – your data handling standards, policies and processes
had blind spots.  This isn’t a comprehensive list, and it isn’t intended to
be. The purpose is to illustrate a key point: there are so many more
factors that influence IT “security” in a connected world than just the
“cyber” ones.

The likes of Sony (PlayStation), Experian/T-Mobile and, more recently
announced, Talk Talk and Yahoo, know from bitter experience that although
sometimes it is the tech that fails, cyber security is often breached by
non-technical, mundane means.

Seeing the bigger picture

The first task for an SME is to step back from the “cyber” and make sure
the organisation understands the full scope of the issue. If you don’t
fight the battle on all fronts, you’re particularly likely to lose on one
of the fronts that you neglect. The next challenge for SMEs is to find a
way of seeing the big picture. Almost all SMEs will need to look outside
their own organisation for advice and guidance.

Currently there is not a well-defined market of specialist advisers, and
this is partly because both “cyber” and “security” are multi-disciplinary
areas where the various experts are still in the process of “linking arms”
and seeing themselves as a distinct market. The areas of expertise include
IT security, information management, insurance, regulatory and legal. It
would be tempting (and all too easy) in the current market for SMEs to lock
onto just one of these areas of expertise to try and manage cyber security
risk. Input from a well-chosen specialist will always be worthwhile, but it
is unlikely to provide a fully rounded solution.

SMEs can play a crucial role by generating demand for a “one stop shop”
service. In the meantime, the solution is probably to carefully select a
small network of internal and external advisers and peers to help you paint
the big picture, and you get them either to work as a team or make
one-at-a-time contributions.  You probably won’t achieve a complete
inoculation. The end in view is more like a comprehensive healthcare plan
that sets out to achieve prevention, but swings into action to provide the
right measures at the right time if something gets through the defences.

Crucially, it needs to be a plan that supports stakeholders (such as data
subjects under data protection law) and satisfies them – and the
ever-stricter regulators – that the SME is focused on minimising the risks
for data subjects, not the SME.

Pooling resources

Why have experts not fully “linked arms” for SMEs before now? There is
probably a combination of factors at work.  Some questions immediately come
to light if an SME suffers a cyber security breach. Is the breach
recognised for what it is – a violation of law with a victim who suffers
loss (of privacy, information, IP, competitive advantage or money)?

Do the victims detect the breach or have any way of checking or knowing,
unless they’re told? Do regulators or law enforcers detect the breach if
they are not notified? Did a large percentage of UK SMEs receive
enforcement action last year? The answer to each of these questions is no,
and the result is that cyber security risk still feels like it’s contingent
risk. It gets rationalised: there are higher priorities for this year’s
budgets; these are risks that normally crystallise on somebody else; the
majority of customers don’t complain; the off-shore parent company doesn’t
understand the risk – the list goes on. The net, however, is closing in.

Under new EU data protection laws, self-reporting of data security breaches
will be mandatory (currently, the official position is that it is
voluntary, although in practice there are a number of factors to consider
and in many circumstances self-reporting is a good plan).  The UK
Information Commissioner would like UK law to align with the EU, even after
Brexit. Also, in a pincer movement, users and regulators are starting to
find the links between undetected or unreported SME cyber breaches and “bad
stuff happening to ordinary people”. The net result is that ignoring cyber
security risk and breaches is increasingly not an option. The major risk
resulting from a security breach has always been damage to reputation and
goodwill.

Except for industries where security is key (banking, for instance) the
risk can often be contained with a well-managed and swift response to
breaches. The headline-grabbing risk is regulatory penalties, currently up
to £500,000 in the UK but shortly to rise to a maximum of 4% of global
turnover or €20 million (£17 million) under EU law from May 2018.

In practice the real cost at the moment is in management time spent picking
up the pieces. Compensation claims by data subjects are rare in the UK but
could be a stalking tiger as the law develops and consumers become more
aware of data and security risks. Under the new EU laws, which the UK may
well align with, contractors will have direct legal duties and liabilities
to data subjects for the first time.

Innovation through regulation

Looking to the medium-term future, with regulators currently looking
closely at RegTech, I do wonder whether the IT and data equivalents of road
traffic cameras and speed cameras are far away. It sounds far-fetched until
you consider that SMEs in some sectors already have that kind of monitoring
in place. Insurers, for example, have for a long time had systems that can
determine whether staff should have consulted the electronic records that
they accessed during the working day, and successfully catch staff “having
a look” at records without cause.

Under current UK law “having a look” is a criminal offence, and constitutes
a cyber-security breach. Do your staff know that, and do your systems
monitor and enforce the red line effectively? Do your SME’s systems have
this kind of monitoring lawfully built into them? If you want a server to
stay up night and day, you will naturally put in place monitoring of its
vital signs, plus failover provision. In many sectors and organisations,
however, there may not yet be buy-in for effective monitoring on non-IT
cyber security risks.

As SMEs get a stronger grip on the sector-specific requirements for
effective cyber security, they will, like insurers, develop specific
monitoring measures (plus structured procedures and reporting that must
swing into action when a line is crossed), while also dealing
constructively rather than punitively with human error.
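The insurer-style check described above, as an added example that is not part of the article: each record-access event is joined against a table of which cases the staff member is assigned to, and any access with no covering assignment is flagged for review. The log format, the assignment table and the user and record identifiers are all constructed for the example.

```python
# Added example (not from the article): flag staff "having a look" at records
# they had no business reason to consult, by joining access-log events against
# each user's assigned caseload. All identifiers and log lines are constructed.
from collections import defaultdict

# Constructed caseload: which customer records each user is entitled to view.
ASSIGNMENTS = {
    "alice": {"C-1001", "C-1002"},
    "bob": {"C-2001"},
}

# Constructed access log: timestamp, user, action, record id (one event per line).
ACCESS_LOG = """\
2016-10-14T09:01:00 alice VIEW C-1001
2016-10-14T09:05:30 alice VIEW C-1002
2016-10-14T09:07:12 bob VIEW C-1001
2016-10-14T12:40:00 alice VIEW C-9999
2016-10-14T12:41:00 bob VIEW C-2001
malformed line that the parser must skip
"""


def parse_log(text):
    """Yield (timestamp, user, action, record) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield tuple(parts)


def find_unjustified_access(log_text, assignments):
    """Return events where the user had no assignment covering the record.

    A user absent from the assignment table is treated as entitled to nothing,
    so an unknown or departed account viewing any record is also flagged."""
    hits = []
    for ts, user, action, record in parse_log(log_text):
        if record not in assignments.get(user, set()):
            hits.append({"time": ts, "user": user, "action": action, "record": record})
    return hits


def summarise_by_user(hits):
    """Count flagged events per user, to prioritise follow-up rather than punish."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    flagged = find_unjustified_access(ACCESS_LOG, ASSIGNMENTS)
    for h in flagged:
        print(f"{h['time']} {h['user']} viewed {h['record']} without an assignment")
    print(summarise_by_user(flagged))
```

In a real deployment the assignment table would come from the case-management system and the events from the application's audit log; the join logic is the same.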

Cyber education

As an IT and data lawyer I sit in just one of the relevant pools of
expertise referred to above. I suspect that a well-rounded and effective
set of cyber security measures is within the grasp of most SMEs, and at a
sensible budget. One of the single most effective things you can do is
provide effective and regular training for staff, supported by updated and
fleshed-out policies that set clear standards and boundaries. The aim is to
build cyber security awareness into the culture of the SME.

A spotlight on cyber security doesn’t work. We want floodlights: 200 pairs
of well-trained eyes. This requires some planning, because some of the
popular training packages out there are generic and ineffective. Deploying
practical, sector-specific and role-specific training for the SME’s staff
can go a long way. I also think there may be an increasing role for
insurance as SMEs and their insurers get to grips with the risk.

Like customer experience, user experience and information management, cyber
security is one of those rare IT-rooted areas of practice that provide a
clear opportunity for IT professionals to provide strategic leadership at
the highest level within the SME, reaching well outside the boundaries of
the conventional IT function. There’s every reason for you to grab the bull
by the horns.