The general consensus is that there is only one solution to the cybersecurity threat now faced by SMEs...
...and that's to work in tandem with ICT partners that are closely allied to the channel’s more holistic minded Managed Security Service Providers.
No longer should SMEs assume they exist comfortably under the radar screens of cyber criminals. No more should they consider themselves small fry, unworthy of attack. Now, implementing a security strategy should be the default position for all SMEs. They must wake up to the threats they face on a daily basis and seek help from their ICT providers. “It’s difficult enough to find staff with the right security skills, let alone the right attitude – it’s even more difficult to retain them,” stated Trevor Parks (pictured), Principal Solution Architect, Information Security at Masergy. “The answer is simple – leverage cybersecurity partners.”
The biggest threat to SMEs, according to Parks, is complacency and a false sense of immunity from attack. “SMEs generally face the same cyber threats as larger enterprises,” he said. “Everyone is a target, but SMEs are invariably more susceptible to a breach because of lower defences due to a lack of funding. It costs very little to put a good cyber security awareness programme in place for SME staff. It provides the best bang for the buck. This is the absolute minimum SMEs should aim for, and be in addition to using infrastructure and services that have been designed with information and IT security in mind.”
In recent times security products have moved from a focus on the perpetual licence model to a subscription-based modus operandi. “The most significant value a security service can add to a reseller business is predictable and regular monthly revenue for the lifetime of the contract, plus a happy and sticky customer that will typically purchase more services as time goes by,” added Parks. “Rising cloud adoption introduces more security challenges for businesses, but it ties in nicely with the security service subscription-based licensing model that most MSSPs and MDR providers offer.”
A number of factors have combined to transform SMEs into an important and untapped security market. These include automation, security orchestration, Automation and Response (SOAR) platforms, machine learning and behavioural analysis. “Cybersecurity service providers are making much better use of automation, driven by some or all of the above systems and processes,” explained Parks. “Not just to speed up the Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) to cyber attacks and anomalous activity, but to streamline resources and ultimately make cybersecurity services more affordable for SMEs.”
Masergy provides partners with training to help them identify the customers that would most benefit from security services. Its analysis is based on business sector, company size, revenue statistics and other metrics. “As time progresses and the threat landscape continues to morph, Masergy will expand its security product partner relationships to broaden its portfolio and pass on efficiencies to customers,” added Parks.
Technology-wise, advances in machine learning and the introduction of Artificial Intelligence have been on Masergy’s agenda for some time. “For security services providers such as ourselves, innovation around SOAR system efficiency and leveraging ML and AI are key differentiating factors that will continue to enable us to keep up with cyber criminals and malicious threat actors, and to take full advantage of innovation in cloud-security product development,” noted Parks.
“Furthermore, the reduction and eventual loss of signature-based systems is not far off, so tools that provide visibility and control of network traffic and process paths will become more and more relevant. The growth of cloud services is forcing innovation in the cloud-security arena, which is where we see the most growth of sorely needed security products.”
According to Jonathan Whitley, Director for Northern Europe, WatchGuard Technologies, a single appliance that delivers enterprise grade security and is simple to deploy and manage is the order of the day for SMEs. “As well as a good firewall, every network needs a full arsenal of scanning engines to provide visibility, threat intelligence and protection against spyware and viruses, malicious applications and data leakage – all the way through to ransomware, botnets, advanced persistent threats and zero-day malware,” commented Whitley.
It’s no secret that humans are the weakest link, and the recent Verizon Data Breaches Investigations Report indicated that circa 90 per cent of breaches start with a phishing or social engineering attack. “By making employees smarter about attacks they can become a human firewall and a good anti-phishing education programme can reduce click rates on malicious links from 40-50 per cent to below 10 per cent,” added Whitley. “But spotting a malicious email is not easy. Attackers are gathering more intelligence on their victims, friends and colleagues and interact with them. There is also an increase in so-called CEO fraud where the attacker impersonates senior management. Fundamentally, we need to change the culture in organisations around phishing. We need to move away from the blame culture so it is OK to make a mistake and learn from the error. It only takes one user to spot and report a phishing email to protect other users in the company and go from ‘zero to hero’.”
The other major user problem is stolen or weak passwords, noted Whitley. “We all struggle with remembering a multitude of long, complex and secure passwords so on the face of it the use of multi-factor authentication (MFA) is compelling,” he stated. “MFA is simply a security system that requires more than one method of authentication to verify the user’s identity for a login or other transaction.
“But traditional MFA solutions have been too expensive and complex, particularly for SMEs, and can be seen as a hassle for end users. Cloud-based MFA requires no on-premise equipment which cuts down on costly deployment and management activities, while a choice of modern authentication methods including push notifications, one-time-passwords or QR codes to a mobile device provides good security combined with an improved user experience. If we are to significantly reduce the number of breaches from poor password practice, it’s time for SMEs to adopt MFA.”
Faced with the rising tide of cybersecurity threats, SMEs are increasingly looking to their IT managed service providers to add security and go from MSP to MSSP, as a way to make cost-effective security available. “It is up to traditional security vendors to help MSPs embrace and deliver cloud-ready packaged security services that are simple to deploy and manage,” added Whitley. “For a MSSP programme to work, proper packaging and delivery of services is vital. This means helping security resellers who are accustomed to selling hardware-only to move to a services model.
“This includes providing technical tools to deploy, manage and provision an MSSP’s security estate and give full visibility to demonstrate that the services solution works and is delivering protection and tangible value. The commercial arrangements also need to accommodate annual and monthly billing and flexible licensing, as well as the ability to scale up and down instantly to meet changing requirements.”
As we have seen, SMBs are facing ever rising security threats and in many cases they are strategically unprepared, and therefore unable, to contain an assault. Attacks continue to threaten the external perimeter – but the threat is also internal, reiterated Ian Kilpatrick, Strategic Advisor Cyber Security at Nuvias Group. “The lack of strategic focus on cybersecurity has left many SMEs challenged,” he stated. “They haven’t planned security into their culture and therefore staff don’t think about cybersecurity. So their response to security challenges is often reactive which doesn’t strengthen their defences.
“A considered plan is the best place to start. This should be projected over a number of years as it is unlikely that SMEs will be able to deploy all the solutions that they need in 12 months. SMEs first need to work out what their most valuable assets are and how to protect them, rather than try to protect everything. The next thing to do is to change the cyber habits of one of the weakest security links – company staff. In a world of hybrid access, users are the weakest link. If staff don’t have good cyber hygiene awareness and training it’s impossible to expect them to use good cyber behaviour in the office.
“There will be channel opportunities to provide Entity and User Behaviour Analytics (EUBA) systems as well as solutions that offer user training to deal with issues such as phishing and social engineering attacks. Coupling cyber hygiene solutions with support from value add partners for training, as well as carrying out penetration testing, are strong first steps for SMEs.”
Two factor authentication is another inexpensive, clearly visible and effective means of slamming the door on a number of threat areas. Yet surprisingly, 2FA is still only deployed in a minority of companies, pointed out Kilpatrick. “Multi-factor authentication and identity management, including single sign-on, will grow rapidly in 2019,” he added. “Insecurity has increased through the move towards hybrid access, which can include a mix of cloud, on-premises and managed access, using multiple devices and involving multiple applications. Not surprisingly, cloud security and security for multiple applications in the cloud will also continue to be an area of growth for the channel. This can involve a variety of solutions including encryption, risk analysis, access and identity management – including single sign-on – and managed security.”