
Who’s looking after the little guy?

Does the cyber security market really cater to SMEs?


David Redekop, NerdsOnSite

My late neighbour was an elderly man with little knowledge of the digital world. But he owned a laptop and I hooked him up with my WiFi. Alas, his lack of knowledge, combined with the online cyber crime minefield, was a recipe for disaster. Soon, he had browser hijackers and other such monstrosities crawling all over his machine. Coaching him on what to do didn’t work, not least because many of the tricks to get onto his system are designed to hoodwink.

What if he was a small or medium-sized business that worked with important material, such as a legal office or doctor’s practice? These are real targets, says Gavin McLachlan, former chairperson of the Legal Society of South Africa’s e-Law Committee.

“Attorneys are obvious and common targets because they often handle substantial sums of money for clients. They also have a lot of valuable personal information they have to hold for clients, such as banking details, home addresses and so forth.”

Such SMEs are juicy targets, yet they are not necessarily better at spotting the dangers my neighbour couldn’t. ‘Point’ protection such as antivirus and firewalls has become increasingly less effective. It is being augmented with more advanced technology approaches such as anomaly detection, signature patterns and web server logging.

But these are expensive techniques that require oversight, training and continual improvement. For SMEs with limited understanding and small budgets, those are barriers. There also doesn’t appear to be much effort from the channel to solve this issue. Instead, the baseline of security marketing – Fear, Uncertainty and Doubt (FUD) – is being used on SMEs. Is there any place for SME customers in the security market?

A world under siege

SMEs are in the crosshairs of cyber criminals. In a snap poll conducted by the Small Business Institute for this article, 60% of respondents said they had experienced at least one cyber attack recently (and often more). Attacks included password-cracking, email-hacking, malware, online credit card fraud and ransomware. Phishing, the act of mimicking the email of a trusted party, is a major concern, including the rise of SMiShing (SMS phishing), as are man-in-the-middle attacks, where criminals intercept communications and pose as clients or suppliers to redirect payments.

“It is clear from SBI’s survey that cyber attacks on small businesses in South Africa are a real threat,” says Jennifer Cohen, the SBI’s executive for policy and advocacy. “In the digital age, we would encourage our members and all SMEs to consider the kind of risks they face and take steps to secure data, protect their customers’ privacy and guard against attacks to their systems.”

It’s often said that SMEs don’t care about security and are too small to be targeted. But the SBI’s findings reject that: the majority of those polled have antivirus and anti-malware software installed. They regularly back up and store their data offsite. Many use multi-factor authentication and firewalls – a small percentage have formulated disaster-recovery plans and increased insurance against such risk.

But very few have acted to control what can be transferred to USB storage. We can infer three points from the results: SMEs are aware of security, they are trying, but they are not doing enough to cover their blind spots. The kind of security that covers those blind spots is expensive and often baked into larger, costly business services delivered by solutions providers.

Expense, not altruism, drives market forces. As a consequence, most good security products are aimed at those who can afford it. So, ironically, in a world where we’re told we all need security, many of us can’t afford the right stuff.

Security’s conundrum

Don’t blame security resellers – at least not entirely. Security is in an arms race against humans, not machines, so technical interventions have to outfox a thinking person. Humans not only hoodwink machines, but other humans as well. When security was still a minor concern, an antivirus could spot dangerous code.

But today’s cyber criminal can write a letter that looks like your grandmother needs money for a kidney transplant. No machine can fully stop that, not without hampering the technology investments that should improve business opportunities. There is an added problem: security is counterintuitive to how business goods and services work. Over time, such elements should commoditise and become cheaper. In security, the opposite is happening because it’s fighting humans. Security is less business and more spycraft.

“As is the case in most industries, a larger client has more resources available to cover more bases,” says David Redekop, security expert and co-founder of NerdsOnSite. “But cyber security solutions are available to any SME, provided they budget for it. It does not come for free, and keeping technology safe and functional does cost more today than in the past.”

This is the rub – if you have the budget, you can have security. You need security, else you are doomed to be attacked. It’s classic FUD. SMEs that agreed to speak off the record said they detest this approach. As one put it, they are often told about how technology is more accessible, but when it comes to security, SMEs are just expected to bite the bullet.

Says McLachlan: “Quite often, I help local colleagues who approach me gain a wider understanding of the digital business environment while helping protect them against commercial interests that often overspecify and overcharge.”

He adds that security providers often don’t understand the nuances of a given industry. It’s clear that the security market could do a lot more to court and service SMEs. But this is just half the answer. Until security can scale to the requirements and costs of small businesses, SMEs will have to go to the mountain first.

The SME’s responsibility

SMEs can do more. The paper 'Exploring SME cyber security practices in developing countries', published last year, found that other than budget, security is also being held back by management support and attitudes. These are largely due to a lack of digital knowledge among professionals – many businesses still don’t grasp how digital impacts their operations, amplifying calls that such topics need to be part of business and professional degrees.

The paper also noted that even though there is significant coercive pressure (such as regulations) to adopt security, SMEs aren’t getting as much pressure that is normative (everyone is doing it) or mimetic (the competition is doing it). But even regulations fall short: many SMEs might be PCI-compliant (in order to process banking transactions) and take this to mean they are also cyber-secure. Confusion between compliance and security is commonplace even in large enterprises, but it’s an acute error for SMEs to make.

SMEs also give criminals more opportunities. Small staff pools mean workers are often on the road and thus need remote mobile access. Pirated software is still commonplace, users are often security novices and limited views around cyber crime prevail. Some of those are changing – SMEs no longer think they are too small to be targeted, perhaps thanks to the recent ransomware attacks. But they are still poorly prepared to handle the threats.

FUD is found between a rock and a hard place. Security remains an expensive, multi-faceted discipline. There is clearly a need for training and services that fit SMEs. Managed services and other delivery models offer some choice, but is the security market doing enough? No. Can it do more? That’s a different question. In the meantime, SME owners shouldn’t wait for a salesperson to call them. They will have to accept they are now in the House of FUD and take matters into their own hands.