Size Doesn’t Matter: Cyber Security and the SME
The research, which forms part of NJR’s cyber security report “How real is the threat and how can you reduce your risk”, shows that 23 per cent of employees use the same password for different work applications, 17 per cent write down their passwords, 16 per cent work while connected to public Wi-Fi networks and 15 per cent access social media sites on their work PCs. Such bad habits and a lack of security awareness mean that employees are inadvertently leaving companies’ cyber doors wide open to attack.

The research is supported by a report that incorporates advice from fifteen experts in the field. Here Tarun Samtani, of Findel plc, shares his thoughts on how SMEs are affected by cybercrime.

“With 63 per cent of UK SME online retailers planning to increase the number of channels they traded through in 2015 to grow sales and one in four e-retailers intending to start using online marketplaces to increase sales, small companies are increasingly opening themselves up to the cyber threat.

Most organisations have layers of defence mechanisms to protect them, but malicious actors still manage to get through to the data they are after. SMEs are most commonly targeted by adversaries because of their lack of resources, knowledge and experience. One of the most common misconceptions I hear is ‘we are a very small fish to be attacked and so carry less risk’. My response to this has always been ‘size doesn’t matter’ when you are in an online cyber sea. If you are a business utilising modern technologies, then you have information to protect; irrespective of the size of the business, you are a target all the time.”

Tarun Samtani considers the areas in which SMEs are weakest when it comes to maturing their cyber security:

“a) Information governance: Even today, many organisations are finding it difficult to do the basics, like governing the data that lives in the organisation. One of the most important challenges faced by the CIO is to understand where the information is and who has access to it. It may sound a very simple task, but it can be daunting, and that is why some organisations ignore it; you may want to lean upon some experts if you do not have the resources to help you map this out. Once the crown jewels have been identified, the next step is to understand and map the different paths an adversary could take to get to them. This is called attack path mapping. Once the paths are validated, it is all about tying them to risk levels that will drive priorities, bringing us nicely to the next topic of risk management.

b) Enterprise risk management: Cyber and information security risk management needs to be part of the enterprise risk management framework as a separate entity, not under IT risk. Having it under IT dilutes the attention given to those cyber risks and may not give enough clarity to the senior executives.

c) Cyber security awareness: Most organisations do have awareness programmes, but they are mainly for compliance purposes. Recently the trend has been changing, and organisations are realising that most cyber-attacks these days are in some way caused by human error. To reduce the risk of cyber threats, the human OS needs to be patched in such a way that staff not only understand their responsibility for security but also take an active role in improving the cyber security of the organisation by following safe practices. A key to the awareness programme is that it must target groups from top to bottom relative to the risk. Many groups are at higher risk because of the amount of sensitive data they have access to. For example, the system administrators hold the keys to the kingdom but are usually given less attention when it comes to awareness training because they are very technical staff. This is one of the most common shortcomings of awareness programmes.

d) Enterprise architecture: It is crucial for a business to have a single entity or function that sits across the business, oversees all the different projects in the organisation and aligns them to the business strategy. This entity is the Enterprise Architecture function. It could be an individual or a team, but it is very important to have someone who understands how the business operates, suggests changes to improve processes, IT and security, and plays a key role in translating requirements from the senior executives into the various downstream areas such as IT, projects and security. Many organisations, small and large, have departments that work in silos and usually forget how their role fits into the overall strategy of the organisation. This can easily be fixed by having an architecture framework, not only for the security arena but for the complete enterprise. In the long run it will save the organisation a great deal: fewer tactical solutions coming out of each department, and more requirements covered by the solutions that are implemented, giving better ROI and security.

It is not difficult to fix any of these areas within a short space of time, depending on the size of the organisation. Look internally for skills that you can use, or externally if you need to create new roles. In the short term, you may want to call upon experts in the particular area to get you from where you are to where you need to be on the security maturity curve, to prevent the cyber security breaches of today.”
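As an added illustration of the attack path mapping described under (a) above (example code written for this edit, not from the report or any of its contributors): a small Python model of a hypothetical SME e-retailer's assets, the weaknesses an adversary could use to move between them, and the crown jewels. It enumerates every path from the internet to a crown jewel, scores each path by estimated likelihood times impact so that it can be tied to a risk level, and counts which intermediate asset sits on the most paths. All asset names, weaknesses and likelihood and impact figures are constructed assumptions, and multiplying per-step likelihoods assumes the steps are independent.

```python
"""Attack path mapping on a constructed asset graph (illustrative, not real data)."""
from collections import Counter
from math import prod

# Assumed inventory for a hypothetical SME e-retailer: asset -> business impact (0-5)
# of an adversary reaching it. Values are constructed for the example.
IMPACT = {
    "internet": 0,
    "web_shop": 3,
    "marketplace_api": 3,
    "staff_laptop": 2,
    "app_server": 4,
    "customer_db": 5,
    "payment_creds": 5,
}
CROWN_JEWELS = {"customer_db", "payment_creds"}  # the data identified as worth protecting

# Hops an adversary could take: (from, to, weakness exploited, estimated likelihood 0..1).
# The weaknesses echo the survey's bad habits (reused and written-down passwords, public
# Wi-Fi, phishing); the likelihoods are constructed guesses, not measured figures.
EDGES = [
    ("internet", "web_shop", "exploit public web app", 0.4),
    ("internet", "marketplace_api", "weak marketplace API auth", 0.3),
    ("internet", "staff_laptop", "phishing / public wifi", 0.6),
    ("web_shop", "app_server", "admin password reused from web shop", 0.5),
    ("marketplace_api", "app_server", "shared service account", 0.4),
    ("staff_laptop", "app_server", "written-down password", 0.3),
    ("app_server", "customer_db", "db credentials in config file", 0.7),
    ("app_server", "payment_creds", "secrets stored in plaintext", 0.5),
]


def build_graph(edges):
    """Adjacency list: node -> [(next_node, weakness, likelihood), ...]."""
    graph = {}
    for src, dst, weakness, p in edges:
        graph.setdefault(src, []).append((dst, weakness, p))
    return graph


def find_attack_paths(graph, start, targets):
    """Enumerate every simple (cycle-free) path from start to any target node.

    Each path is a list of steps (from, to, weakness, likelihood). The search stops at a
    target: an adversary who has reached a crown jewel has no reason to go further.
    """
    paths = []

    def walk(node, visited, path):
        for dst, weakness, p in graph.get(node, []):
            if dst in visited:
                continue
            step = (node, dst, weakness, p)
            if dst in targets:
                paths.append(path + [step])
            else:
                walk(dst, visited | {dst}, path + [step])

    walk(start, {start}, [])
    return paths


def path_risk(path, impact):
    """Likelihood x impact of the crown jewel reached.

    Multiplying per-step likelihoods assumes the steps are independent (an assumption).
    """
    likelihood = prod(step[3] for step in path)
    return likelihood * impact[path[-1][1]]


def prioritise(paths, impact):
    """Highest-risk paths first; this ordering is what drives remediation priority."""
    return sorted(paths, key=lambda p: path_risk(p, impact), reverse=True)


def choke_points(paths):
    """Intermediate assets ranked by how many attack paths pass through them.

    Hardening the asset at the top of this list cuts the most paths at once.
    """
    counts = Counter(step[1] for path in paths for step in path[:-1])
    return counts.most_common()


if __name__ == "__main__":
    graph = build_graph(EDGES)
    paths = find_attack_paths(graph, "internet", CROWN_JEWELS)
    for path in prioritise(paths, IMPACT):
        route = " -> ".join([path[0][0]] + [step[1] for step in path])
        print(f"risk {path_risk(path, IMPACT):.2f}  {route}")
    print("choke points:", choke_points(paths))
```

On this constructed graph every one of the six paths runs through app_server, so the choke-point count shows that hardening that one host (and the plaintext credentials it holds) does more than chasing the individual entry points; the ranked list shows which path to treat first. Real inventories have far more nodes, but the same enumerate, score and rank loop is what turns a data map into priorities.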