Written by Fleur Doidge for CRN:
If SMB customers think they’re not potential targets for hackers or other malicious attackers, they’re mistaken.
Craig Stewart, EMEA vice president at cloud security specialist Zscaler, agrees. They can also become indirect targets when an attacker is aiming for larger or more prominent companies that are customers, partners or suppliers to the SMB, or when they are caught up in a scattergun-type attack.
“I think we’re seeing a lot more smaller businesses outsourcing significant parts of their activities, whether that is email or their invoicing [for example],” he adds. “Edward Snowden wasn’t an employee – he was a contractor.”
Security itself is increasingly outsourced, while it remains easy for attackers to spoof websites and even produce convincing-looking paperwork to back up spurious online transactions. Almost any company can fall prey to ransomware, man-in-the-middle, phishing or honeypot strategies.
“A lot of these strategies probably work better on SMEs,” Stewart says. “BP, Shell, Lloyds, and firms of that size are not going to pay in a CryptoLocker-type ransomware attack. But smaller businesses just might.”
Stewart says we have reached a point, though, where more SMB-focused security products and services are emerging.
In the meantime, the key is not only in educating smaller businesses about the real and evolving risk from malicious attack, but in helping them understand where their own business fits in relation to that risk, in order to choose and deploy something that might protect what’s most important to them.
Rahul Kashyap, chief security architect at security vendor Bromium, notes that classic anti-virus cannot bring back encrypted, locked files in the event of a ransomware attack.
“We only expect this trend to continue because it is so effective,” he says.
“It highlights the importance of best practices, such as end-point protection and external data backups. Often when you are hit with ransomware it is impossible to get your files back because the payment processing may fail or the encryption keys may not work – not to mention the danger of providing your credit card number to these attackers.”
Tim ‘TK’ Keanini, chief technology officer at Lancope, agrees, noting that there is a long-tail dynamic in cybercrime, with more and more categories of customer becoming affected as time goes on. And of course if one point on a supply chain is attacked, the rest of the supply chain can also be affected.
“It really is everybody’s problem,” he says. “And there are so many dimensions to it now.”
This may obviously relate to cloud and mobility but, in addition, physical security may be an important component of the whole solution, Keanini indicates.
Depending on the company, CCTV and practices such as clean-desk policies might be needed as part of an integrated, holistic security approach, especially if there is genuine concern about systems potentially being vulnerable to unauthorised visitors or intruders on-site.
Dan Sibille, vice president of channels at Lancope, confirms that all this means that the seam of potential reward for the channel is certainly worthy of mining. Crucially, medium-sized firms as well as smaller ones are in need of education and training to assist them to understand and apply security technologies.
“There’s a huge opportunity for partners to go in – to offer that value and services around it, putting something together that’s cost-effective for customers,” he says. “And it’s not just about the technical issues.”
Dave Ellis, director of strategy and new products at Arrow ECS, warns that SMBs may be even more vulnerable to cyberattack than larger firms, and not just because they tend to lack the resources and expertise – not to mention the processes and procedures – to protect themselves.
“It’s not that they’re necessarily going to be singled out by a targeted attack, or a hacker who wants to gain credibility, but a lot of attack vectors these days are very broad-based, and many are automated. They’re not really picky about who they target,” he says.
“And smaller companies are more at risk because of that.”
SMBs that are more reliant on their IT infrastructure are, ipso facto, more vulnerable and should consider their situation in detail and take steps to protect themselves, including contingency plans in the event of a breach.
And the need for better staff education is high: “It’s important that users know not to open certain kinds of emails or attachments. Not just setting policy, but ensuring that policy is followed.”
Anti-virus, firewalling, web filtering, intrusion prevention, and other standard security tools will all be required at a basic level. But this will not be enough for a significant proportion of SMB customers, and they will need guidance on deploying cost-effective security that works for them, Ellis reiterates.
“A good way for resellers to get in is to do a health check, or some vulnerability testing,” says Ellis.
Automated or semi-automated tools are available to perform such tests – meaning non-security specialists can get in on the action as well.
Jon Brooks, leader of the financial and executive risks practice at insurer Willis, says the government’s Cyber Essentials guide, released on 5 June (2014), is a good starting point for SMB education.
SMBs must consider the risk in full, the ramifications and the potential liabilities – not only may partners or customers seek redress in the event of a breach, but their long-term standing in terms of reputation and valued supplier status can be at risk. And then there’s the cost of downtime.
“Cyber Essentials at least allows UK businesses to have a common understanding of what that basic level of protection is,” he says.
Cyber Essentials, however, doesn’t refer to mobile phones and other gadgets – all of which need to be considered in an effective SMB security offering. Mobility has definitely increased the risk, notes Brooks.
“There are lots of issues there, and lots of education required. And there’s basic human error,” he adds.
“I think the supply chain risk is misunderstood.”
He points out that the theft of 70 million customer records, including names, addresses, emails and phone numbers from the records of US retailer Target, is believed to have come via its air-conditioning company, FSM – which had itself been attacked.
The security question hasn’t become any easier to answer, for any size of firm. A FireEye study of real-world data collected from 1,216 organisations across the globe, from October 2013 to March 2014, found that 97 per cent had been breached, with all methods of protection being circumvented.
“No corner of the world is remote enough to avoid falling into attackers’ crosshairs, and current defences are stopping virtually none of them,” FireEye wrote in the resulting report.
“Three-fourths of the systems observed in our tests had active command-and-control (CnC) sessions taking place. These systems weren’t just compromised; they were being actively used by an attacker for activities that could include exfiltrating data.”
FireEye’s cross-industry sample reflected a broad range of attackers, techniques, and motives.
The range of security tools used in the FireEye tests – leading-vendor firewalls, intrusion detection and prevention systems, web proxies, network anti-virus, end-point anti-virus, and other anti-malware tools – failed to prevent at least 208,184 malware downloads, including 124,289 unique malware variants.
A quality answer to the undoubted need for security from malicious attacks is likely to involve combined, dynamic offerings geared to specific requirements.
One thing is for sure: SMBs, like other organisations, will keep needing the channel to help them discover the best solutions for them.