Small to medium-sized businesses (SMBs) make a significant contribution to the Australian economy. According to the Australian Bureau of Statistics, as at June 2015, there were 2,066,086 small businesses nationwide.*(1). In some states such as Western Australia, small businesses represent 97% of all businesses.*(2)
Cyber security is as important for these companies as it is for large multinationals. SMBs also have sensitive information from employees and customers, proprietary information about products, and they often are part of a global supply chain for other companies. Every business is a target, regardless of size, and none can afford to ignore the security of its IT infrastructure.
The SMB: lots of assets, limited resources
SMBs may assume they have little to interest hackers and therefore put cyber security on the back burner. We know this isn’t true. Hospitals, for example, hold sensitive health information and have networked medical devices at risk. Unfortunately, some learned the hard way with episodes of ransomware disrupting business and damaging reputations.
It is not just a company’s own information and systems that are at risk. SMBs have been the channel in high-profile breaches that compromised millions of records. The 2015 breach of a retail company in which data from 40 million customer credit card accounts were stolen and the U.S. Office of Personnel Management breach that exposed more than 20 million employee records are believed to have originated with credentials from third-party vendors. Last year, In Australia, more than half a million Red Cross donors had their personal details compromised following a security breach. The attackers use a weak link in the supply chain to breach a larger target; they use the compromised credentials to escalate IT privileges and use privileged accounts to compromise critical systems.
Businesses today run on IT. This makes cyber security a business necessity as well as a technology requirement. A strong security program can not only protect a business’s assets, it can also give it a competitive advantage.
Although SMBs face the same cyber security challenges as large businesses, they often have fewer resources and little in-house expertise to address these challenges. This makes it important that they get the best return on their security investments by prioritising the right things in their security programs.
The need to know
Cloud computing and hosted services can make advanced technology affordable, and SMBs often find it cost-effective to outsource many IT functions, including security. But at the end of the day, each business is still responsible for its own security. Owners and executives need to understand the basics of cyber security, know what their service providers are doing and what questions to ask of them.
Security needs will vary depending on circumstances. Each company must understand its attack surface—vulnerable areas in the IT environment that could breached to compromise systems—and the impact of each potential breach. By assessing the impact, vulnerabilities can be prioritised, so that the cyber security program focuses on the areas needed to manage risks.
The key to protecting an IT infrastructure is privileged accounts. These accounts, if compromised, can effectively turn an intruder into an insider, giving the attacker rights to move throughout the network, escalate privileges, change settings and configurations and access data. When allocating scarce cyber security resources, privileged accounts must be identified, assessed and prioritised.
A single standard for security
An SMB IT infrastructure may not be as complex as a global enterprise, but the benefits of a layered approach to cyber security applies to all. Additionally, there are documented best practices and basic cyber hygiene practices that should be followed.
About the author
Matthew Brazier is the ANZ Regional Director of CyberArk, a global cyber security company.
*1 Businesses classified as those non-employing business or a business employing fewer than 20 people.