By Mervin Pearce
When it comes to cyber-attack, Small and Medium Businesses are at a significant disadvantage. Lacking the resources and expertise of their Enterprise counterparts, SMBs often rely on free or lightweight tools that leave their organizations exposed to attack. Instead of shoring up their cyber-defenses, many SMBs wait for a breach to occur. In some cases this can be too late.
Hacking has never been as easy as it is today. The significant information sharing between hackers has created a publicly-available knowledgebase that is easily accessible to cyber-criminals. Sites such as hackthissite.org serve as a training ground for cyber criminals, hacktivists and even government entities to gain up-to-date information on new attack vectors.
The net result is that SMBs are often the victims of data breaches, phishing, DDoS and watering hole attacks. A recent report commissioned by the Department for Business, Innovation and Skills (BIS) indicates that 63% of small businesses in the UK were attacked by an unauthorized outsider in the last year, which is up from 41% a year ago. The research also uncovered that 17% of small businesses know their staff broke data protection regulations in the last year (up from 11% a year ago). [1]
The Enterprise/SMB Technology Model Does Not Apply to Cyber Security
Traditionally, Enterprise and SMB level technologies differ in design and capability – whether they have been built from the ground-up as unique solutions or whether the SMB module is a “light” version of the Enterprise class technology with certain features disabled. The key differentiators between Enterprise and SMB class technology are the expected level of flexibility and sophistication including configuration, deployment, management and reporting. From a scalability perspective, Enterprise level technologies are designed to be deployed in a non-disruptive way to hundreds, if not thousands, of users or access points within an organization spanning multiple offices and geographic territories. SMB level technology is designed for a small number of users or ports and is not intended to scale.
When it comes to cyber-security, the traditional Enterprise versus SMB model does not work. Pricing SMB oriented technology at a more affordable level as a trade-off for limited functionalities may be a good marketing tactic for security vendors selling into this segment, but leaves the SMB with a limited and mostly cosmetic protection against attack.
Firstly, regulatory compliance requirements such as PCI-DSS and HIPAA are applicable to both SMB and Enterprise-size organizations. The onus on organizations of both sizes necessitates the implementation of systems and processes to protect third-party data. Therefore, companies that are mandated to protect their sensitive data may not have the flexibility to rely on basic cyber security technologies that fall short of regulatory requirements. More importantly, Small and Medium businesses are often the direct target of hacker attacks. By relying on cheap, “light” but largely ineffective software, the SMB business maker may inadvertently expose his or her organization to significant risk of cyber-attack.
The Downside to SMB Level Technologies
Many of the (inexpensive) cyber security tools in the marketplace that are targeted at the SMB segment offer basic protection that can easily be bypassed by most hackers. For instance, the typical entry-level web application vulnerability scanner is based on open source technologies widely disseminated in the hacksphere. For the small business owner with limited staff, trying the Do-It-Yourself route can be frustrating and resource intensive, and takes away from business focus.
Marketers of SMB focused cyber technologies take advantage of the overall confusion in the marketplace and overemphasize basic capabilities. For instance, the Open Web Application Security Project (OWASP) publishes a list of Top 10 application vulnerabilities. The typical Enterprise organization will purchase a tool that scans for twenty or more vulnerabilities, and the better technologies are based on artificial intelligence that scans more deeply. When SMB focused tools list product specs, they often include features that are rudimentary.
In our evaluation of a sample population of web application vulnerability scanners that target the SMB market, we have identified significant flaws in many of the current commercial offerings. Important capabilities – such as the ability for a scanner to drill deeply within an application layer based on dynamic parameters – are often not bundled in the basic SMB cyber security packages. Many of the tools report vast amounts of false positives, thereby requiring additional follow-on investments in costly remediation. More troubling is the number of false negatives – the number of significant vulnerabilities and malware that are simply not caught by even some of the leading SMB targeted software vendors.
The Cloud Is Not a Silver Bullet
Another challenge for SMBs is the confusion about how cloud-based technologies can help them protect their businesses from attack. In many cases, the hype surrounding some cyber solutions in the marketplace may lead the SMB business owner to over-rely on technology to address the cyber threat. For instance, many cloud-based solutions advertise their end-to-end capability and falsely claim that their systems can identify and remove the threat of cyber-attack. There is a huge difference between systematically identifying a vulnerability and automatically removing it. Remediation is a complex process often requiring coding or access to system configuration. The claims to the contrary are misleading and can result in an over-reliance on point solutions to address a systemic risk of attack. Furthermore, we are noticing the attack vector moving towards the Cloud as hackers have realized that the Cloud is a single point of information concentration.
Final Thoughts on Technology as a Sole Solution
Not one software solution is going to remove the threat of cyber-attack. Good cyber security practices need to be applied on a company-wide basis and are not simply restricted to the IT department. We are only as strong as our weakest link and a company’s employees, customers and partners are the first line of defense against cyber-attack. From a technology perspective one should always assume that hackers have access to the latest advances in technologies and one should constantly update one’s defense toolset in order to reflect what’s happening in the hacker-sphere. Equally important is to create policies that standardize security practices across the organization.
Although hackers are constantly changing their methods, organizations need guidelines that withstand the test of time. Businesses of all sizes need to plan carefully and budget wisely to protect their data assets.
About the author: Mervin Pearce (CISSP-ISSAP) is the Vice President of Professional Services at QuatraShield, a SaaS provider of Enterprise-class cyber security technologies that include web application vulnerability scanners and malware scanners.