Securing Your Assets
By Finance Middle East
SME data security should be a top priority in the face of insider threats and ever increasing cyber-attacks in the region.
The biggest IT security threats facing SMEs in the Middle East do not come from the myriad of viruses and cyber-nasty’s floating around the internet, but rather from companies’ very own employees. A simple mistake, such as picking up a dropped USB stick and plugging it into a company computer can bring down the entire company, threaten its partners and destroy its reputation in the marketplace. Unlike large organisations, SMEs have smaller IT budgets and therefore invest less on internal resources. Because of this lack of employee training, internal threats remain a big factor for these organisations. “Whether intentional or not, employees are thebiggest threat [tocompany security] because they lose data, either through the loss of PCs, smart phones or other items, or by clicking on phishing links. If an SME is in high-risk vertical such as oil and gas, then they are at just as much risk as some large enterprises.
When Anonymous launched Operation Petrol, they did not discriminate between large and small petroleum companies. They went after them all,” said Eric Paulak – managing VP, conference chair Gartner Security & Risk Management Summit. It is not uncommon for employees to use USB drives, transfer corporate data via personal email accounts, utilise public cloud storage services and even access the company network from their personal mobile devices. Each of these opens up a host of attack vectors, according toHelpAG. “The biggest issue for any organisation today, small or big is around social engineering and controlling user behaviour. In our workwith our customers, we see that a lot of the issues faced are around users opening attachments, downloading executables or clicking malicious links which causes some form of infection, such as a virus, malware, ransomware or spyware.
All of these can impact the ability to conduct business or can cause loss of confidential data,” said Nicolai Solling, Director of Technology Services at Help AG. Social media, phishing and spearphishing are also major threats. Through these channels, employees can be tricked into visiting untrustworthy websites and triggering malicious downloads. SME’s have a specific challenge as the type of the business that they do may require them to invest into advanced securitytechnologyandsolutions.However the size and scale of the businessmay not be able to support this. “Any SME needs to understand that they areasmuchatargetasanyoneelse.Withthe recent Target attack, it was actually an SME subcontractor of Target who unknowingly aided an attack and a data breach through the placement of malware in the Target infrastructure. This caused Target to expose informationon 70million payment cards and later meant the CEO had to resign,”said Solling. Most SMEs also face threats due to ma lwa re t ak i ng advan t age of vulnerabilities within their networks that have not been patched, followed by lack of data privacy and protectionmandates, and a lack of availability of advanced security solutions. “Increasingly, mobility adds to the challenge as well. SME businesses are as impacted by downtime and information loss as a large organisation should invest in security solutions and policies that can avert such incidents,” statedMeghaKumar, Research Manager – Software, IDC MEA.
HOW TO SECURE YOUR ASSETS
With small IT security budgets and few, or no IT staff, for an SME to ensure that its assets are safe from attack is nearly impossible. According to Eric Paulak, managing VP, and conference chair at Gartner Security & Risk Management Summit. SMEs cannot fight cyber-attacks on their own.“SMEs need help. Large enterprises need help too, but not to the extent that SMEsdo. Thismeanspartnering with a strong security services company that can help assess current weaknesses and can help remediate any issues after an attack,” said Paulak. According to Pradeesh VS, General Manager at ESET Middle East, the first mistake SMEsmake is not to have enough budget allocated specifically to IT security. “Organisations shouldunderstand their priorities. With the amount of cyber-crime and targeted attackers that organisations face today, if they don’t have the right mechanism in place, it could well mean significant losses for the business, or at least an impact to the brand which will indirectly result in financial losses,” he said. Small IT budgets, or an incorrect budget allocation is indeed a challenge to adequately securing assets, as the technology required may be more expensive than the business can support. “Looking intomanagedsecurity services may be an option, which proves to be cost effective and can bridge the knowledge gap. In many organisations, SMEs as well as enterprises, key aspects of IT security operations such as monitoring of events is still greatly ignored, specifically outside of business hours.
Maybe it is time that we all understand that the attackers do not sleep or take time off just because we do. Again engaging with the correct trustworthy thirdparty organisation to take care of this may be the correct decision to take,” explained Solling. Managed security services, such as those utilising cloud services are an attractive option for SMEs for a number of reasons. First off, it eliminates high upfront CAPEX with manageable OPEX. There is no worry of continued upgrade and refresh cycles either and at the same time, they can avail of security solutions which would have otherwise been out of budget. Cloud services also address the shortage of skills allowing precious IT resources to be allocated to more pressing issues that align with driving business productivity. At some point in time, everyone will have to use some cloud services, according to Gartner. Some cloud services should be used today. For example, if an SME invests heavily in distributed denial of service (DDoS) attacks where the attack is designed to overwhelm the SME with traffic directed at web site, the SME will fail because if it waits to stop an attack until it is at the front door, the SME will not have the bandwidth to stop the attack and legitimate business traffic will not get through. “The most effective way to stop DDoS attacks is to work with a service provider to detect the attacks while they are still in the internet infrastructure and try to block or reroute traffic before it gets close to the SMEs infrastructure. As far as other cloud security services, it really doesn’t matter where the tools are. What matters are the policies, people and tools the service provider has. If they don’t follow the same industry standards in the cloud, they certainly won’t do it on a customer’s site. So, SMEs must fully evaluate thevendorwithastrongemphasis on references in the region that you can talk to,” stated Paulak.
Kumar believes that managing security services in the cloud is a very useful tool for SMEs to add to their IT security arsenal, particularly for security around an endpoint, such as web and email.
THE MOBILE WORKPLACE THREAT
Bring your own device (BYOD) is something that is inevitable given the high penetration of mobile devices in the Middle East. For its ability to improve productivity, collaboration and overall employee satisfaction, BYOD is an attractive proposition for businesses of all sizes. However, SMEs should be wary of rushing implementations as they tend to do so while focusing only on cutting costs and enabling innovation, according to Help AG.
The good news for SMEs is that today there are tools that can help IT departments implement BYOD in a safe and manageable manner. When evaluating such solutions the basic features required are the ability tomonitor and control network access though security profiles, pushing of applications and updates, and remote wipe devices (in case of theft or loss). “Thechallengemaybe toget employees on board with the company’s policies though. Since the device is no longer owned by the organisation, there are restrictions upon the level of control that can be exerted,” said Solling. The biggest risk today with tablets and smart phones is a loss of data. Therefore, the first step that SMEs need to take is to ensure that company data on that device is secure.
That means that SMEs need to look at ways to secure that data through encryption or not allowing the data to be saved on those devices. Since the latter solution would require that those devices be connected at all times, encryption is the best solution, according to Gartner. This can be accomplished through using any number of end point protection or mobile device management tools that are available. “Over time, however, that mobile end point could be just as dangerous as any laptop is today. Over 95 per cent of current malware in the mobile world comes from Android devices. Windowsbased devices will become increasingly under attack and even Apple devices will start to see some holes. So, in the midterm, SMEs need to start treating smart phones and tablets like any computing endpoint and look to securing themwith mobile anti-virus, personal firewalls and vulnerability assessment tools just like they do a PC,” explained Paulak.
Companies also need to have a clearly definedBYODstrategy andhave some kind of management on employees’ mobile devices through an EMM (Enterprise Mobility Management) solution. EMPLOYEE TRAINING The level of security maturity in Middle Eastern SMEs is behind what it is in Western Europe and North America, according to Gartner. The number one reason for this is lack of formal security education programmes for employees. This means that the most common types of attacks in the region deal with social engineering, whichmeans that individuals are tricked into revealing information that allows attackers to get in. “If employees were simply aware that they should not click on unknown links, this would solve most phishing attacks,” said Paulak. Stopping most attacks on SMEs boils down to effective employee training. Whenever an employee is hired, they should go through training on how to behave on the corporate IT network and be given ground rules that, if breached will result in disciplinary action. Until these types of steps are in place across SMEs, companies in the region will continue to see their reputations destroyed by a click of a mouse.