The biggest IT security threats facing SMEs in the
Unlike large organisations, SMEs have smaller IT budgets and therefore invest less on internal resources. Because of this lack of employee training, internal threats remain a big factor for these organisations.
"Whether intentional or not, employees are the biggest threat [to company security] because they lose data, either through the loss of PCs, smart phones or other items, or by clicking on phishing links. If an SME is in high-risk vertical such as oil and gas, then they are at just as much risk as some large enterprises. When Anonymous launched Operation Petrol, they did not discriminate between large and small petroleum companies. They went after them all," said
It is not uncommon for employees to use USB drives, transfer corporate data via personal email accounts, utilise public cloud storage services and even access the company network from their personal mobile devices. Each of these opens up a host of attack vectors, according to
"The biggest issue for any organisation today, small or big is around social engineering and controlling user behaviour. In our work with our customers, we see that a lot of the issues faced are around users opening attachments, downloading executables or clicking malicious links which causes some form of infection, such as a virus, malware, ransom ware or spyware. All of these can impact the ability to conduct business or can cause loss of confidential data," said Nicolai Solling, Director of Technology Services at
Social media, phishing and spear- phishing are also major threats. Through these channels, employees can be tricked into visiting untrustworthy websites and triggering malicious downloads.
SME's have a specific challenge as the type of the business that they do may require them to invest into advanced security technology and solutions. However the size and scale of the business may not be able to support this.
"Any SME needs to understand that they are as much a target as anyone else. With the recent Target attack, it was actually an SME subcontractor of Target who unknowingly aided an attack and a data breach through the placement of malware in the Target infrastructure. This caused Target to expose information on 70 million payment cards and later meant the CEO had to resign," said Solling.
Most SMEs also face threats due to malware taking advantage of vulnerabilities within their networks that have not been patched, followed by lack of data privacy and protection mandates, and a lack of availability of advanced security solutions.
"Increasingly, mobility adds to the challenge as well. SME businesses are as impacted by downtime and information loss as a large organisation should invest in security solutions and policies that can avert such incidents," stated
HOW TO SECURE YOUR ASSETS
With small IT security budgets and few, or no IT staff, for an SME to ensure that its assets are safe from attack is nearly impossible. According to
According to Pradeesh VS,
"Organisations should understand their priorities. With the amount of cyber-crime and targeted attackers that organisations face today, if they don't have the right mechanism in place, it could well mean significant losses for the business, or at least an impact to the brand which will indirectly result in financial losses," he said.
Small IT budgets, or an incorrect budget allocation is indeed a challenge to adequately securing assets, as the technology required may be more expensive than the business can support.
"Looking into managed security services may be an option, which proves to be cost effective and can bridge the knowledge gap. In many organisations, SMEs as well as enterprises, key aspects of IT security operations such as monitoring of events is still greatly ignored, specifically outside of business hours. Maybe it is time that we all understand that the attackers do not sleep or take time off just because we do. Again engaging with the correct trustworthy third party organisation to take care of this may be the correct decision to take," explained Solling.
Managed security services, such as those utilising cloud services are an attractive option for SMEs for a number of reasons. First off, it eliminates high upfront
There is no worry of continued upgrade and refresh cycles either and at the same time, they can avail of security solutions which would have otherwise been out of budget. Cloud services also address the shortage of skills allowing precious IT resources to be allocated to more pressing issues that align with driving business productivity.
"There are however concerns relating to the cloud that SMEs need to address first. The most important is privacy. After the NSA scandal broke, this became a major concern. When trusting sensitive data with a third party provider, it is important to understand how the data will be stored and who will have access to it. For example, data stored in the
It is also important to ask the cloud provider how the data will be segregated. If it co-mingles with other customers' data, a vulnerability to one customer environment can pose a threat to many others as well. Encryption, both during storage and transfer, should also be done and the provider's policies relating to monitoring, reporting and mitigating security breaches should be evaluated thoroughly.
At some point in time, everyone will have to use some cloud services, according to
What matters are the policies, people and tools the service provider has. If they don't follow the same industry standards in the cloud, they certainly won't do it on a customer's site. So, SMEs must fully evaluate the vendor with a strong emphasis on references in the region that you can talk to," stated Paulak.
Kumar believes that managing security services in the cloud is a very useful tool for SMEs to add to their IT security arsenal, particularly for security around an endpoint, such as web and email.
THE MOBILE WORKPLACE THREAT
Bring your own device (BYOD) is something that is inevitable given the high penetration of mobile devices in the
The good news for SMEs is that today there are tools that can help IT departments implement BYOD in a safe and manageable manner. When evaluating such solutions the basic features required are the ability to monitor and control network access though security profiles, pushing of applications and updates, and remote wipe devices (in case of theft or loss).
"The challenge may be to get employees on board with the company's policies though. Since the device is no longer owned by the organisation, there are restrictions upon the level of control that can be exerted," said Solling.
The biggest risk today with tablets and smart phones is a loss of data. Therefore, the first step that SMEs need to take is to ensure that company data on that device is secure. That means that SMEs need to look at ways to secure that data through encryption or not allowing the data to be saved on those devices. Since the latter solution would require that those devices be connected at all times, encryption is the best solution, according to
"Over time, however, that mobile end point could be just as dangerous as any laptop is today. Over 95 per cent of current malware in the mobile world comes from Android devices. Windows- based devices will become increasingly under attack and even Apple devices will start to see some holes. So, in the mid- term, SMEs need to start treating smart phones and tablets like any computing endpoint and look to securing them with mobile anti-virus, personal firewalls and vulnerability assessment tools just like they do a PC," explained Paulak.
Companies also need to have a clearly defined BYOD strategy and have some kind of management on employees' mobile devices through an EMM (Enterprise Mobility Management) solution.
The level of security maturity in Middle Eastern SMEs is behind what it is in
"If employees were simply aware that they should not click on unknown links, this would solve most phishing attacks," said Paulak.
Stopping most attacks on SMEs boils down to effective employee training. Whenever an employee is hired, they should go through training on how to behave on the corporate IT network and be given ground rules that, if breached will result in disciplinary action. Until these types of steps are in place across SMEs, companies in the region will continue to see their reputations destroyed by a click of a mouse.
Nicolai Solling from
Pradeesh VS from
The biggest issue for any organisation today, small or big is around social engineering and controlling user behavior
Nicolai Solling, Director of Technology Services at
BIGGEST IT SECURITY THREATS TO SMES IN THE
??Lack of awareness for employees
??Internal threats and malicious users
??Lack of skills and poor configuration of organisation systems
?Cybercrime and hackers
TOP FIVE TIPS TO SECURING AN SME
1. Start with the basics: ensure that you have the perimeter in place with firewalls, intrusion prevention solutions and vulnerability assessment tools.
2. Make sure your patches are up to date. 90 per cent of attacks could have been prevented with regular patch updates.
3. Educate your employees. They truly are either your greatest assets or your weakest link.
4. Don't forget to plan for being hit. There is no doubt. Everyone will be hit. So, there must be a plan in place to decide what to do during the attack and after it is done. You must learn your lessons to grow.
5. Don't do this alone. If you wait for a DDoS attack to hit your firewalls, it's too late. You will lose. Look to partner with a service provider.
Most Popular Stories
- Alabama House Speaker Arrested on Felony Ethics Charges
- Microsoft's Cloud Platform Shines
- 'Fury' Blows 'Gone Girl' Out of the Box Office
- Turkey to Help Kurds Reach Fight in Kobani
- ISIS Seeks to Expand Terror War
- German Intelligence Blames Ukraine Rebels for MH17
- Perez Leads Push for Obama's Job Proposals
- 2016 Camaro Shrinks, Moves to Caddy Platform
- New Effort to Ban Child Labor From Tobacco Farms
- Prius Drivers Battle Stereotypes