Its great being an SME, and working with SMEs. In my business, many of our clients deliberately chose us as their IT Partner because we are agile, responsive, have the closeness and intimacy to know their business from the ground up and have a personal relationship with them: business owner to business owner. This means we can react, grow with them, understand their needs and take really good care of them.
By comparison, a complaint often leveled at big business is that change is slow and getting anything done has to go through so many layers, committees, approvals that its impossible to respond quickly.
We are happy to be an SME, to be flexible, agile and responsive. Thats great! But: the very agility that is so desirable can mean weaknesses in the controls around governance, security and risk that can expose your organisation in ways you may not have considered.
I’m not saying Big Business is best, or that SMEs are automatically vulnerable. Big Businesses are frequently severely affected by technology outages and cyber crime. But often, big business can more easily absorb the hits. They are a large target, but the impact of one blot isn’t so noticeable.
Consider these scenarios:
|What Has Happened||Big Business||SME|
|The main data storage is down||It takes only a few minutes to failover to the backup SAN – 30 minutes lost||It takes maybe 16 hours to restore a full copy of the data from the backup NAS – 2 days lost|
|An important server is down||One business function is affected||The whole business is affected|
|Accounts Payable has received a very plausible Phishing scam||Nothing nasty happens because workflow, PO system and process controls force multi-step authorisation. There is limited ability to change normal procedure||One person does all processes and relies a lot on judgement and familiarity, therefore this process is more vulnerable to a plausible scam|
|A cyber attack has taken out an important client||Represents a small percentage of the business, so impact is low||The important client could represent a large percentage: this could shut down the business|
|A Ransomware virus infects the network||Devices and network are more likely to be locked down so impact is more likely to be isolated||Users often have full admin access to their device and access to data is often less controlled. Everything might be locked up by the virus|
Looks like big business wins on all of these. The large organisation survives pretty much intact while the SME is roughly shaken.
Delusion Of Security By Obscurity
Nobody believes a disaster can happen to them – or if it does, that anything very permanently negative will result.
Particularly with SMEs, even though everyone has direct knowledge of cyber crime, there is a tendency toward denial or a delusion of safety through “smallness”.
Hiding in a crowd, no-one will notice. I hear these all the time:
“My business doesn’t have anything worth stealing”
“We don’t keep anything of high value on our network”
“We have backup”
“We have insurance”
Lets just look at one of these:
Case Study – “My Business Doesn’t Have Anything Worth Stealing”
Every business has highly desirable data. Most are not holding national secrets, but that’s not the target of most cyber criminals. Here is an example:
An account manager at a small financial management firm receives an email from one of their long term clients, requesting transfer of $100,000 from one of their portfolios to their bank account – bank details provided. The email is acted on by the account manager and the amount paid to the nominated bank account.
The email was “spoofed” – it wasn’t from the client at all, it was from a scammer who had done enough homework to be able to mimic an email from this client to the correct account manager. How is that possible? Easy: check the website for staff and roles. Look for references to clients – testimonials are a good start. Check media releases.
Ideally, the would-be-scammer then hacks the client’s email account – there is often very poor security on these. This gives access to all the information needed to do a plausible communication. Failing a hack, there are plenty of other ways to spoof the email address.
From this point, only controls will save you. Changes to critical things like bank details should only be possible via a confirmation process that can be trusted. But there is in general a very low understanding of just how easy it is to hack or spoof or mimic email and how insecure it is. Knowing controls may be weak, its still possible to put in place enough safety nets.
Protection for the SME
Improving your chances in this scenario is within the reach of any organisation from a one person show to a large corporate:
1. Ensure your staff are aware of how important their work email account is: run security awareness programs that are engaging, up to date, real and repeated.
2. Enable dual factor authentication on email. It can be annoying, but its not as bad as losing clients and reputation.
3. Make passcodes mandatory on all devices – including phones – and centrally control it so they can’t be turned off.
4. Ensure you can remote wipe phones and other mobile devices.
With these in place, email becomes much more trustworthy. Add to that some sensible procedures for critical changes and the scammers won’t succeed.
The Moral Of The Horror Story
No organisation – even an individual – is too small to be of interest to a cyber crook. Most cyber crime is a volume game looking for large numbers of easy targets – that’s you.
Frances Russell is an expert on IT and Cyber Security with 20 years experience managing technology, security and risk for businesses. Practical, real world experience working with organisations to improve their security is backed up by solid academic qualifications and relevant industry certifications including ISACA: CISA CRISC CISM.
FooForce can work with you to minimise your IT risk. If you would like a chat about your IT, feel free to contact us anytime.