There are a myriad of reports generated by the security and software industries, most of which analyse the trends and attempt to forecast what might come down the pipe in the next 12 months. Of course, the big problem is what a British PM termed ‘issues’: problems that occur when no one had forecast them and there is no ready-made remediation to fall back on. These will happen throughout the year without doubt.
When you look at these reports and analyses, you might be forgiven for thinking that they are all pretty much written with the promotion of a particular product or products in mind, sometimes obliquely and sometimes quite obviously. This could make the more suspicious of us doubt the data within the document as a whole. That would be a shame, because whilst there is undoubtedly an agenda at work, it doesn’t take away from the underlying truth: cyber security is an iterative process; it’s dynamic, ever changing, and has to be kept up with the best way we can.
I’ve said many times now that the weakest link in the UK PLC chain is without doubt the SME. SMEs account for around 95% of our GDP for a start, and many of them sit in the supply chains of the larger corporations and can, if we’re not careful, provide a route into those corporations through the back door. So why is this? Well, in my view, it comes down to two things. Firstly, it’s budget: many SMEs operate on tight margins and are very reluctant to spend money on what they see as not part of their core business. Secondly is the much more difficult issue, and that’s culture. This second problem is of course closely aligned to the first, in that cyber security is not seen as part of their core business; it is a cost from which they can see no benefit. I’ve lost count of how many times I’ve heard the comment, “Oh, I’ve never been hacked, never had an issue,” to which the reply can be, “How do you know?” And of course many don’t know until their next audit, and even then the scam could be so well constructed that they never see it.
A survey from Barclay Card reckoned that some 48% of SMEs had suffered some form of attack in a 12 month period, costing anything from £2k up to £30k a time, and some were hit multiple times. The European Cyber Security Agency also published a survey last year which put the figure at 46% across Europe. It gives me some confidence in the percentages when two surveys get that close to one another.
So the problem is real, it’s not going away and, whether we like it or not, SMEs are a very real target for cyber criminals. They want your money and they know how to get it. They are professionals and quite single-minded.
Back to trends and how to target your spend. Well, frankly, there is only one way that works effectively. Targeting your spend effectively, in a way that is affordable, appropriate and, if you deem it necessary, accreditable, is an absolute essential for an SME. OK, so you have a firewall and you have some anti-virus, but is that enough? Is the firewall placed in the right place? Is it configured correctly? Does it include unified threat management (UTM), or is it entry level? I bet it’s entry level. How about your policies and processes? Are they adequate and rolled out to staff? And talking about staff, are they aware of the potential threats to your network and how those could affect your bottom line and their jobs?
And this is where I do exactly what I’ve accused others of doing, i.e. pushing my own services. However, this is designed to tell you exactly where you are and what you need to do, as a phased approach that suits your budget and is tailored to your needs.
H2 has developed an industry-leading Triple A (Affordable, Appropriate and Accreditable) risk assessment process to ensure your information is effectively protected at the right cost. Called the Information Risk Assessment and Management (IRAM) process, it involves the following three phases:
Phase 1: Initial Assessment
H2 conducts an assessment reviewing your existing information security, data protection protocols, technical security controls, and processes and procedures to determine their effectiveness and appropriateness.
Phase 2: Implementation of recommendations
Working to your timescale and budget, H2 implements the recommended changes identified in the initial assessment. This could include introducing simple changes to your processes, all the way through to implementing technical solutions that provide effective protection from threats.
Phase 3: Education, ongoing security management, review and maintenance
People within a business come and go, and cyber threats and risks are continually evolving. Because of this, H2 works with you to develop an appropriate package of staff training and security system maintenance activities that keep you protected in the long term. Available on a retainer (as needed) or monthly subscription basis, this phase ensures your business is fully IRAM compliant.