Feature

Cyber Security in the SMB

Cybersecurity

We constantly hear of huge cyber security breaches in the main stream media, the latest being British Airways (at the time of writing), but what mostly goes largely un-documented is the constant battle the SMB sector is facing. Cyber criminals are expected to continue to target the easier pickings of the SMB market and the Channel will continue to reactively provide solutions to those in need. Is there more of an angle here for partners to help customers? David Dungay went to find out.

The threat landscape is as diverse as ever right now, it essential that partners in the ICT space are not just offering security solutions but also are well positioned to offer guidance across the board. I asked some industry experts how they see the current landscape from an SMB perspective.

Ian Dutton, Security Pre-Sales Manager, from Westcon commented, “SMBs with digital transformation strategies are as vulnerable as a large enterprise from every type of threat and malware. The only difference is the potential rewards per organisation are much less. Do the numbers though and if the ‘it won’t happen to us’ or ‘it’s too complicated, expensive or we don’t have the resource’ attitude prevails then the pickings are a lot easier to harvest. So, for the vulnerable where software is applied ad-hoc and there is no in-house understanding of attack vectors and threat types, the landscape looks extremely dangerous.”

Ian Kilpatrick, EVP for Cyber Security at Nuvias Group, added, “SMBs are looking at what seems like a continual rise in threats, and in many cases they are strategically unprepared for this scenario. Attacks continue to threaten the external perimeter, but the threat is also internal. This has driven organisations to recognise that their own staff are not only a target, but could also be perpetrators themselves.

The lack of organisational strategic focus on cyber security has left many SMBs in a challenged space. They haven’t planned security into their culture and therefore staff don’t think about cyber security. So, their response to security challenges are often tactical, as a reaction to the latest hyped-up, publicised cases or to a specific attack, perhaps on them. This doesn’t actually strengthen their defences. On the contrary, it can lead to weak solution deployment or even to paralysis, while they try to work out what to do for the best.”

Ian Ashworth, EMEA Channel Director at Netwrix Corporation, says “UK companies have a budget to improve their cyber security, but they do not know how to get the most benefit out of it due to their vague understanding of their threat landscape. Channel organisations should act like advisors and help companies improve their security posture and support them all the way. This means helping customers obtain visibility into where their sensitive data resides and prioritise their security efforts based on regular IT risk assessment. The channel should also explain to customers how to follow security best practices properly. Vendors can help by educating teams in a way that is both informative and time-saving for them.”

Average volume of Cyber Attacks per business by target application, analysis from Beaming
Average volume of Cyber Attacks per business by target application, analysis from Beaming

Gary O’Leary-Steele, Technical Director at Sec-1, said: at Claranet Cyber Security, said “While nation state attacks make the news headlines, the complexity and frequency of attacks from all sources are on the rise, and attacks will often target the same vulnerabilities, whomever is behind the attack.

“To ensure that they are adequately prepared to minimise the impact of cyberattacks, regardless of the perpetrator, organisations need to step up their vigilance across the board. This means implementing a cybersecurity strategy that emphasises not just reactively tackling incidents as they happen, but also adapting to the threat landscape by understanding how hackers think and work, and regularly testing your applications and infrastructure.”

Russ Madley, Head of Channel at Kaspersky commented, “Enterprise and SMB are very different. What we see from a Kaspersky perspective is that traditional end-point protection side. Most businesses recognise they need some sort of endpoint security and from our point of view it’s about making that as easy as possible for organisations. Some of the smaller small businesses that the Channel serve won’t have an IT person in-house, it might just be the office manager that has to install something on the computers and they might not understand what a firewall is. This is why the Channel is so important to delivering this.”

Jason Howells, EMEA Director at Barracuda MSP “Email account takeover may not be an attack that is regularly featured in media headlines, but it can be devastating for its victims and very hard to spot. Account takeover attacks involve criminals stealing the login credentials of an employee of an organization, remotely logging in to their account and launching attacks pretending to be them.

The attacks they launch are most commonly phishing campaigns that will often go undetected by security solutions as they appear to be genuine emails.

Over the last few months alone, we have specifically been seeing a large number of mass phishing campaigns that use legitimate compromised accounts from UK based organisations.

SMB Action Plan

Tackling the threat landscape is no easy orgainsation no matter who you are. Buying some security software doesn’t protect you 100% of the time so it’s important to minimise the risk as much as possible.

Jason Howells, commented “Although mass attacks are common, cyber criminals are increasingly investing more and more time in heavily researched, highly targeted attacks, whether that’s an advanced persistent threat or ransomware. They work because they’re believable: cyber criminals spend a huge amount of time making them look as realistic as possible and the results can be devastating.

SMBs need to keep up to date with software, security and firewall updates to ensure they have the most sophisticated approach to security in place to defend against these types of threats. It only takes one area of vulnerability to leave the backdoor open on a network. WannaCry highlighted the importance of keeping up with routine patches.

However, while tools can help mitigate these threats, end-user training and awareness programmes are the most vital piece of the puzzle, helping people across SMBs to become more aware of phishing and spear phishing tactics.”

Kilpatrick adds, “The first place to start with this plan is to actually work out what your most valuable assets are and how to protect them, rather than go for a plan that tries to protect everything.

The next thing to do is to change the cyber habits of one of the weakest security links – company staff. If staff don’t have good cyber hygiene awareness and training, it’s pretty impossible to expect them to use good cyber behaviour in the office. And if organisations don’t make the point about how important secure cyber behaviour is, and then continue to reinforce that message, then they will ultimately fail.

There are numerous products around for staff that need training in cyber hygiene and cyber security. These can provide assistance through online training, testing (including phishing testing) and subsequent remediation. Companies like Knowbe4, PhishMe, Barracuda, etc. all provide organisations with metric based measurements as part of their internal risk profile. According to Knowbe4, most organisations have a failure rate of around 20% the first time they do phishing testing – a truly shocking figure.”

Madley commented, “One of the big pushes we are doing is around cloud by enabling organisations to have all their end points connected to the cloud for updates and management. Working through the channel partners, depending on what they want to do, they can manage Kaspersky on behalf of those clients. Many customers just want to sign up for an SLA. It is that peace of mind, you are giving the control and emphasis across to the SMB reseller or MSP. They just want to know that if there is a problem there will be someone on the end of the phone ready to help them.

Ultimately, from that side it is going to be more around reporting and the customer being aware the partner is doing a good job so they have that peace of mind.”

“The millennials are coming into businesses now and things are changing. Nowadays, that generation is used to consuming free products in their personal lives and then having all the in-game purchases. We are seeing a lot of people like this coming into organisations and we need to make sure we are catering for the masses. If people just want the very basic signature AV then they know they can get that from us but there are extra benefits that come with the paid for versions.

This is a new avenue for us and how we explore that with Channel Partners I think will be interesting, around the revenue share opportunities particularly. When the Channel hear the work ‘free’ I think that isn’t a good thing because they will struggle to make any money on it. But when you look at it from a revenue share point of view where they are making money from the upgrades I would like to think that’s a good opportunity.”

GDPR Drivers

GDPR came into force just six months ago and many providers reported a spike in purchasing security solutions. I asked what the Channel is seeing on that front right now.

Jason Howells commented, “The GDPR carries significant fines and criminal penalties for SMBs and their employees who fail to safeguard their infrastructure and data adequately. By some estimations, GDPR alone will cause pan-Europe security spending to increase by as much as 2.8billion Euros annually. It’s therefore no surprise that SMBs are increasingly turning Managed Service providers to close the gap in their IT needs.”

Dutton added, “This is a real mixed picture. There are still plenty of SMBs we see that have ‘heads in the sand’ because of the perception that being small means they’re not a target. The issue of GDPR and security has been conflated, erroneously by some, so that a belief that compliance equals a secure business is common. This is not necessarily the case. Many partners attending Westcon Academy GDPR courses, having understood the distinctions and nuances, were able to leverage GDPR and provide compliance understanding and security technologies appropriate and relevant to their customers.”

“GDPR will be a big driver over time, as the magnitude of the financial and reputational consequences of negligent data loss are highlighted by the regulators. However, we are still awaiting the really big failures that will create a lot of publicity and drive the security market. So the opportunity for the channel is to engage with customers today and initiate the conversations regarding identification and protection of key data assets. This will generate trust for when actual demand for these services soars over the next three years. “

Ian Kilpatrick added, “We need to see a big GDPR fine, before companies will allocate budget to protect against such fines. Attitudes to personal data protection are still only shifting slowly toward recognising users’ rights over their data.

The challenge in the security space is that there are too many vendors, over-funded by optimist VC and PE money hyping the market. Alongside that there will continue to be new headline-grabbing threats, which can distract organisations from implementing the solutions that they already need to deploy. Both of those can and do lead to buying confusion.

But at the end of the day, SMEs will need to deploy security solutions, and they need trusted partners to support them.”

Ed Says...

The SMB will need to allocate more budget to Cyber Security as the threat landscape continues to evolve. Partners looking to increase customer stickiness and increase revenues would do well to augment a well-rounded proposition and look to mop up the extra spend.