Cyber-security meets business
Here in Switzerland, awareness of cyber-security incidents keeps increasing. I'd love to report that this is only because of prevention. But sadly, the threat landscape is changing. In recent weeks, multiple hacks have been reported in the news. And there are undoubtedly many more which go unreported.
So, are we in the middle of a cyber-security "crisis"? Probably not. But it is a vital topic that hasn't received the attention it deserves. Why? Because it is generally not seen as an exciting topic like crypto or generative AI.
Let's follow up with this article about cyber-security meets business and deconstruct this complicated topic.
Why? Because the threat is real.
Many well-run small to medium enterprises in Western Europe work on digitalisation initiatives. They have a well-established legacy business model, which they try to modernise.
As you can assume, these organisations have solid processes and an OK capital base, but at the same time, they are operating in a high-cost environment, which reduces their margin for error. This setting makes them a worthwhile target for an attack.
What exactly can you do as an SME?
As an SME, the current situation makes you pause. What is happening to partners and competitors is scary, and a cyber-security incident belongs in your risk register.
You could also give up and become fatalistic because, as an SME, you don't have the financial power to go all in on cyber-security. Fatalism is neither good nor an option from a sustainability stance. But where to go from here?
Good if you are aware. It's even better if you start tackling the mountain of work ahead. There won't be an easy path to a perfect solution, but there is a steady, incremental approach to improving the status quo.
The simple initial steps don't need a big budget or a high degree of specialisation, just a bit of discipline. Also, depending on how extensive your business's IT exposure is, it is easily affordable.
Where to start? By analysing and understanding your business from a data and process perspective.
First, you must ask a few fundamental questions to understand how urgent the situation is and how much you need to invest. These questions are directly linked to your business model, and you may answer them quickly. Asking and answering these questions will also help you to make other business-related decisions. So, what is the first question?
How are you creating value?
What happens if you are offline from one day to the next? You won't be entirely offline, but for the sake of argument, we assume that you are locked out of all your services and data. You don't have to be a rocket scientist to see that most organisations will struggle with that. Unless you are in a very people-centric or physical-labour-intensive domain, your IT capabilities are vital. Consider, for example, a compromised logistics solution: you can no longer track your inventory or ship products.
So, first, you need an understanding of your core value-generating flows. You will want to identify how your IT capabilities enable these processes. Next, you will want to hypothesise what happens when your IT capabilities entirely disappear from one day to another. Then, you will want to consider how to best work around these limitations. Finally, you should map a path to recover your IT capabilities.
Congratulations, you have identified your data/processes and developed a basic continuity management/disaster recovery plan.
But how far should you go?
The bad news first: Every organisation has valuable and sensitive data. The good news: Things are very diverse; depending on your data types and usage, you are a less or a more valuable target.
As an example, let's take a mid-sized fitness centre chain. Yes, a bad actor can exfiltrate potentially sensitive data (so you should keep only a minimal, encrypted and segmented set of customer data), but if the IT systems are unavailable, the business can continue to run. You might need to delay sending invoices and turn off the automatic access control, and you can't do this forever, but your core business can continue to run. So, you are a less lucrative target.
As another example, consider a mid-sized manufacturing company; the company is dead in the water if the production line is compromised. Or think about a law firm; if its data is exfiltrated and published, it will have difficulty finding and keeping clients. These are therefore much more valuable targets.
Accordingly, you should scale the urgency and the investment of your response to the risk of a cyber incident. OK, you now better understand your business processes and the risk level of an attack.
But where can you start?
In general, the good practice should be that you, as a user, can only access as much as you need in the current context and nothing more. This philosophy also applies to the physical access dimension. Your IT resources should be safe and redundant: safe from physical access, for which using an established cloud provider is a good practice. Also, your offline backup should be recent and tucked away safely.
Physical access is a multi-layered topic. It starts with the bad actor who tries to breach your perimeter. But the physical access dimension can also concern a disgruntled employee who tries to steal hard disks from a NAS. There was recently news of a case where drives were stolen from a data centre. Don't go too far, but think it through, especially if you run your own physical infrastructure.
You also need to consider other physical access-related topics like visual hacking and social engineering, but these are better mitigated via education, which we will cover later. The physical access dimension is a lower priority for SMEs. Nevertheless, it shouldn't be neglected, because ignoring the physical dimension can have a catastrophic impact. What about more urgent threat vectors?
Many SMEs still have shared user accounts for vital services or user accounts without any password policy. If you add unpatched services and an optional second factor to the mix, the question is basically when a cyber incident will happen, not if.
First, you should get an understanding of all the services you are using. Second, you should configure them as conservatively as possible, so that people can do what they need in the current situation but nothing more. Further, it helps if you have a solid offboarding checklist and a patch policy, which is also enforced. If you don't have these yet, whoever holds the system-admin role will thank you for bringing it up.
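One way to turn these points into a recurring check, as an added example that is not from the original article: a small Python audit over a service inventory that flags the gaps named above (shared accounts, a missing password policy, an optional second factor, patches older than the policy allows, and leavers whose access was never removed). The inventory, the leaver list and the 30-day patch window are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory: one record per service the SME uses.
SERVICES = [
    {"name": "crm", "accounts": ["anna", "ben", "shared-sales"],
     "password_policy": True, "mfa_enforced": True, "last_patched": date(2024, 5, 20)},
    {"name": "fileserver", "accounts": ["anna", "carla"],
     "password_policy": False, "mfa_enforced": False, "last_patched": date(2024, 1, 15)},
    {"name": "mail", "accounts": ["anna", "ben", "carla"],
     "password_policy": True, "mfa_enforced": True, "last_patched": date(2024, 5, 28)},
]
LEAVERS = {"ben"}            # constructed: people already offboarded per the checklist
PATCH_SLA_DAYS = 30          # assumed patch policy: no service older than 30 days
SHARED_PREFIX = "shared-"    # assumed naming convention for shared accounts


def audit(services, leavers, today, patch_sla_days=PATCH_SLA_DAYS):
    """Return (service, finding, detail) tuples for every gap found."""
    findings = []
    for svc in services:
        name = svc["name"]
        # Shared accounts break accountability and survive offboarding.
        shared = [a for a in svc["accounts"] if a.startswith(SHARED_PREFIX)]
        if shared:
            findings.append((name, "shared-account", ",".join(shared)))
        if not svc["password_policy"]:
            findings.append((name, "no-password-policy", ""))
        if not svc["mfa_enforced"]:
            findings.append((name, "mfa-optional", ""))
        # Patch policy: flag anything patched longer ago than the SLA allows.
        age = (today - svc["last_patched"]).days
        if age > patch_sla_days:
            findings.append((name, "unpatched", f"{age} days"))
        # Offboarding check: leavers must not keep accounts anywhere.
        stale = sorted(set(svc["accounts"]) & set(leavers))
        if stale:
            findings.append((name, "offboarding-gap", ",".join(stale)))
    return findings


if __name__ == "__main__":
    for service, finding, detail in audit(SERVICES, LEAVERS, date(2024, 6, 1)):
        print(f"{service:<11} {finding:<19} {detail}")
```

Run it from a scheduled job against your real inventory export and treat every line of output as a ticket for the system-admin role.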
How people actually use the services is, again, rather a question of how they are trained, which will be covered later. Not rocket science so far? We have covered the access topic, but what about the data lifecycle?
Data you don't have can't be compromised. This statement might sound a bit strange in today's data-driven world.
Nowadays, all organisations want to hoard data and learn from it. However, only a few put their data to good use. Furthermore, since storage is so cheap, organisations have built enormous data graveyards. Again, this is not problematic by itself, but the legal dimension and the threat vectors have changed. So, it becomes a problem when your data is exfiltrated.
Back to the initial statement - data you don't have can't be compromised.
Having a good understanding of what data you are storing is essential. Following up with a good data deletion policy and an application lifecycle policy is even better. As soon as data is no longer needed, it gets anonymised or deleted. And old services, which may be a weak point, are discontinued. So far, we have been talking about processes and policies, but they will only help reduce the impact as long as nobody simply hands out the keys to the kingdom.
How can you increase awareness?
About twenty years ago, regular users started to care about computer viruses. Nowadays, threat vectors are much more elaborate. Everybody reads about cyber incidents in the news, but there still seem to be two camps of people who are immune to increased awareness.
The "I am not a target" and the "I don't care about my data" personas.
Security and privacy aspects shouldn't scare people away from using technology. But at the same time, you also need a driver's licence for a car, because otherwise more accidents will happen.
You must pay close attention, especially in SME settings, where professional and personal boundaries are usually less enforced. Think about an unpatched personal smartphone with malware installed on the corporate WiFi. Or an employee accessing corporate resources from abroad over unsecured WiFi without a VPN. Or the golden oldie of clicking a link in a well-crafted phishing email and compromising credentials. It all starts with awareness.
Today, it (sadly) shouldn't be too difficult to find a similarly sized organisation that was the victim of a cyberattack, and they may agree to tell their story. All of this must happen in a blame-free environment. The worst enemy of a cyber-security-aware environment is a culture of blame and opacity. Assuming you did all of this, how can you keep the organisation aware? As so often, continuity is the key.
Only a few organisations have the financial means to pay for an actual red team or even a continuous bug bounty/penetration testing program. Financial means and urgency may change in the future, but in the meantime, you may want to start automating and optimising defence/detection (best effort). In addition, a simple emergency drill will already do a lot of good.
Keep people engaged and train them continuously. How?
You could ask an ex-colleague working for a partner to make a call and try to get credentials to a system she shouldn't be able to access. Or you could ask a customer you trust to bring someone to an on-site meeting who tries to gain physical access to a resource they shouldn't be able to reach. Or you could play through a complete fallback scenario, including a backup restore, so you know that your backup restore procedure works when needed. The possibilities are manifold and not necessarily expensive. Remark: Before doing such things, ensure you and your stakeholders are cleared from a legal and compliance perspective.
To wrap up: cyber-security and business can work very well together. And it is possible to make progress in the cyber-security domain with a reasonable investment. Cyber-security may still not be perceived as the "most attractive" topic, because no direct customer value is associated with it. However, how will your customers react when your data is leaked?
Cyber-security is an implicit value proposition; for some stakeholders, you can also phrase it differently: a critical risk that needs managing. What is important is that you start building up your cyber-security capabilities. Initially, you won't be very effective and will face a steep learning curve, but you must start. Not taking action and hoping nothing happens is not a viable strategy. The question is no longer if a cyber incident will happen; it will happen. The question is how well you will respond and how you will contain the fallout.
The right ways forward are starting small, learning constantly, improving continuously, and scaling over time. Get your stakeholders on board and set sail.