UK SMBs fail to tool up on security

US security software specialists Trend Micro have published their latest survey results on 500 UK business owners. This survey was an interesting mix of fact gathering as well as attitudes. Trend Micro found that 50% of small to medium-sized businesses (SMBs) are not using any internet security tools to protect themselves from hacking and other threats.

In addition:
• Only 44% confirmed they knew how to check if a computer or mobile device was infected by malware.
• Around 66% had no knowledge of the final penalties of an online security breach.
• Only 24% of respondents said they believed online threats are too complex to deal with.

With only 18% believing their data was worth stealing, this may explain their lethargy in taking a more enterprise approach to security risk management.

The difficulty is that cyber criminals have, for the last few years, increasingly targeted SMBs precisely for their more relaxed view of data security.

Now a precision tooling company in Bristol, for example, may not perceive itself as in any way a likely target for cyber crime. However, let’s drill into the risk a little further. This company’s Accounts department will necessarily hold valuable data assets. These will include: financial details (including bank account numbers and sort codes of customers and suppliers), credit check information on customers, plus private contact details for other organisations that are not in the public domain. So, on their own they may provide fruit off the tree to the cyber criminal, but added to this, they will provide an increasingly valuable inroad into other, larger organisations with whom they do business. So it’s not just themselves they are putting at risk, but the whole supply chain and their customer relationships, including the trust on which those relationships depend.


New US survey dispels notion that US Boards’ attitudes have changed around cyber security risks

In the United States, the 2015 US State of Cybercrime Survey appears to have reversed the findings of a number of previous surveys there over the last 12 months. It shows that, despite talking the talk, many US boardrooms are in denial about the importance of engaging, or engaging meaningfully, in any information security decision-making process.

Out of a pool of 500 US business execs, law enforcement services and government agencies surveyed, there were three tiers of outcomes with regard to Board alignment: “horrendous, adequate and excellent”.

Out of the bad and moderately sufficient returns:

• 28% said their security leaders make no presentations at all to the Board.
• 26% of Chief Information Security Officers (CISOs), or their organisation’s equivalent, said they provided an annual presentation to the Board.
• 30% confirmed their security experts offered quarterly cyber security reports.

As one would expect, larger organisations appear to take a more proactive view on countering cyber threats, but this is not uniform. When responses are broken down by organisation size alone:

• 33% of smaller enterprises acknowledged there was no advice to the Board at all.
• However, 18% (or nearly one fifth) of larger enterprise CISOs reported that they too offered no advice to the Board.

This is a gross oversight by the business community that needs redressing. The IT security decision maker in any organisation today must be given the necessary tools, resources and, if needed, external security consultancy, in order to be able to best advise the Board and deploy the most appropriate, up-to-date security measures.

There appears to be a real disconnect in the relationship between the Board and the CISO as these equally divided results show:

• 42% of respondents viewed cyber security as a corporate governance issue, but equally
• 42% did not see cyber security as a corporate governance issue.

Q.  Following on from this then, how often should a Board be updated by their IT security experts?

A. Realistically, with today’s threats happening so much more frequently, in more sophisticated ways and more perniciously, this should be monthly, at each main Board meeting. Only then can a proper relationship be formed and trust developed, with a proper digest of the state of resilience, identification of any threats in the last 30 days (including how they were dealt with and the lessons learned), plus forecasts from gap risk analysis to identify what, if any, additional security measures or software are reasonably required.

CISO and Senior Vice President at global investment and advisory firm Blackstone, Jay Leek, added: “I’m telling (the Boards) that it’s not possible to stop everything and that some threats are going to get in, and why it’s so important to be able to respond effectively. It’s very important just to get boards to understand that”. Let’s just hope for a ripple effect across the international business community.