SME Cybersecurity: Teaching an Old Dog New Tricks
DIGIT spoke with Ian Thornton-Trump, Head of Cyber Security at AmTrust International, about some of the key cybersecurity issues affecting small-to-medium enterprises.
Running a small-to-medium enterprise (SME) comes with a plethora of issues that must be addressed. Traditionally, the issues of revenue and workflow have proved to be a stumbling block for businesses and entrepreneurs around the globe. In an increasingly digital age, cybersecurity has become an area that cannot be ignored.
Ian Thornton-Trump, head of cyber security at AmTrust International, told DIGIT that in the coming years SMEs will face significant challenges that will make or break many businesses. An ever-changing digital landscape, evolving consumer demands and a precarious cybersecurity environment could prove too much for many of them.
Cyber-attacks or data breaches aren’t exclusively reserved for the major corporations and tech giants. It’s simply the case that many businesses will experience these same issues without global media attention; silent victims mired in the cacophony of buzzword-laden, front-page scandals.
Regardless of the scale, breaches and attacks continue to cripple businesses around the world – with devastating consequences for businesses and consumers alike.
Maintaining the balancing act between staying afloat and investing to adapt to a modern era, Thornton-Trump explains, is a timeless issue for SMEs.
Running the gauntlet, as he describes it, between protecting your brand, your customer data and your life’s work, and investing to prepare for the future, is becoming more and more difficult.
Transforming a small business and accepting the level of exposure it will encounter online is the first step to ensuring an adequate security culture to accommodate the modern internet era.
“Small-to-medium businesses are increasingly aware of the level of exposure they face,” he says. “So, this is a key issue for me.”
“I think, traditionally, many businesses have been resistant to change and now change is being thrust upon them. As an example, we’re seeing a trend of pushing your data storage up to the cloud and the adoption of Software as a Service (SaaS) models.”
While larger businesses may have the financial security to implement significant changes to their security practices, for many SMEs this is a luxury that is simply out of the question while balancing the perils of business.
To adapt to this changing landscape and surge in modernisation, Thornton-Trump believes there will be a number of elements running parallel to one another.
“This is going to require a number of elements – not least is the issue of transforming the way the current workflow occurs in an SME,” he explains. “From technical support, a hardened infrastructure build and updated equipment is required, but the overwhelming concern is how to keep the data in SaaS applications safe – the responsibility of keeping and protecting customer data remains with the business.”
Balancing improvements to any business infrastructure will require an objective look at what systems are currently in place, he suggests. SMEs have been traditionally slow to upgrade and, due to the growing dependency on the internet, the current infrastructure or internet accessibility may not provide the performance they require for moving to a SaaS infrastructure.
“This is kind of a double whammy,” he says. “In some cases, they’re being forced because support from their on-premise applications is being terminated or is going away in favour of a SaaS licensing model. It’s upgrade at gun-point.
“As a result of that pressure there are data migration challenges, workflow challenges and, of course, infrastructure security challenges.”
Calamitous data migrations have been a hot topic in 2018 – with TSB’s changeover a prime example.
Following a botched migration, the bank was subject to intense scrutiny after it was revealed customers had access to random accounts – with many being locked out of their online banking services for a significant amount of time.
Thornton-Trump says that such an issue for an SME could prove equally, if not more, disastrous given the budgetary restraints of smaller businesses and their inability to rectify issues – success is in the hands of the SaaS solution provider.
There is light on the horizon, though, he concedes. “Now, it’s not all negative, because in a lot of cases the movement to SaaS applications becomes a less complicated endeavour and gives the business the ability to have flexibility in a number of ways,” he says.
“What the real challenge is, though, is the work required for an SME to transform and secure at the same time. This is going to be fundamentally different in 2019 to what we saw in 2015 or 2016.”
Due to the continued rise in cybersecurity threats in recent years, Thornton-Trump believes the security industry has to evolve. This has culminated in what he describes as a “mass movement” to web-based applications that are hosted in environments such as Amazon Web Services (AWS) or Microsoft Azure.
“Many will be faced with two routes here,” he explains. “On one hand, they can move with this growing SaaS trend or they can try to carry on and support growth – and security – with older, potentially antiquated products. The latter course is not going to end well.
“Budgets are always going to be tight in SMEs. There’s not a lot of extra capital or money and cyber-attacks are always going to be an existential threat to small businesses. These business owners should be asking very tough questions of themselves, like ‘how can I continue to grow my business when the technology I use is so dated and vulnerable?’”
He adds: “Many businesses have a big expense looming if they have neglected investment over the years. If they have no forward-looking plan the experience will be horrendous.”
Old Dogs, New Tricks
Thornton-Trump believes that, regardless of the changing face of business, some will completely resist change. Whether they like it or not, however, they will become increasingly dependent on technology – and if they fail to keep pace with these changes, ultimately, they will die out.
“There are, of course, the businesses that have been in the game for 40 years or so and they’re adamant they’ll survive and continue to do the same thing they’ve always done,” he says.
“Now, this isn’t necessarily a bad thing, but like it or not they’re becoming more dependent on technology and they need to embrace this change, the new trends and accommodate for a changing workforce that is increasingly technical.”
This adaptation to modern technological change isn’t restricted to the cybersecurity field. Regarding the workforce element, he says businesses that fail to adapt will find difficulties in hiring further down the line.
“Your business may find it difficult to hire a payroll clerk, for instance, on a system that this next generation of workers has no experience with at all,” he explains.
Central to this success, however, is ensuring profitability. Without adequate cybersecurity comes greater risk, and with that risk comes a lack of interest from both consumers and potential suitors within the ecosystem.
“It’s kind of a double-edged sword. At the end of the day, a business needs to be profitable to grow,” Thornton-Trump says. “A small business owner has three exit options at most, and these are selling the business, make a profit and enjoy retirement; or pass the business on or merge with another business to form a larger entity.
“All of those exit strategies require a business to be profitable, to retain its customers and to continue to prosper. If any incidents happen, be it a data breach, cyber-attack or whatever, it greatly decreases the value when considering valuation of the business. A possible fine from the ICO will put a damper on any M&A activity.”
In the Spotlight
Never before has security been more critical to a business, be it big or small. With high-profile data breaches and cybersecurity scandals permeating the airwaves throughout 2018, Thornton-Trump believes consumers are waking up to the reality of the data-driven world we live in.
“The stakes are raised because of anger,” he says. “I think that people are sick and tired of having personal, private data sold to a third party they didn’t even know had their data.
“The second issue is companies not being able to protect the data they’ve collected. So, we have a great amount of anger and frustration among consumers who continue to be victimised by enterprises large and small, and who in most cases are discovered to have taken less than the minimum required protections of that data.”
Thornton-Trump explains that consumers often no longer take assurances at face value. His fellow security researcher, Sean Wright, remarked that ‘we take your security seriously’ is a phrase that is often bandied around. It is tantamount to the phrase ‘it’s not you, it’s me’ when dealing with a break-up – both parties know this is an empty (security) gesture.
For any business, poor security practices simply aren’t an option in the current competitive climate. Loss of customers, shattered reputations and potentially crippling fines from regulators are issues that should keep all business owners awake at night.
While observing the landscape for an SME with, for example, 600 customers, he asserts that a breach or incident now becomes a far more significant event for a business. He says: “10% loss of customers is hard to deal with. Losing six of your top customers is catastrophic.”
Ultimately, for any business to thrive and ensure they aren’t caught unaware, preparing for the very worst – at all times – is essential.
“There is a perfect storm coming,” he says. “If business owners can realise that this cyber security is a peril that can occur at any time within the next year then the business has to make the case to address the security shortfall. The ICO has been unforgiving if efforts to secure customer data have not been significant.”