The Importance of Cyber Security – Analytical Report
Letter of Transmittal
To whom it may concern,
Please find attached the final report titled, The Importance of Cyber Security – Analytical Report as previously commissioned.
The report focuses on cyber security challenges that face small- and mid-sized enterprises (SMEs). Through secondary research analysis it delves into the nature of these challenges, causes of the problems, and proposes potential solutions suited for SMEs.
It is my hope that this report will guide management decisions made by SMEs in a bid to help them combat cyber security threats.
The report analyzes the importance of cyber security by focusing on the threats to small and medium enterprises (SMEs). Secondary research identifies that these organizations are the preferred targets for most attacks. Their level of dependence on technology matches that of large enterprises but their security protocols do not. Research conducted showed that SMEs have weak cyber security protocols that are often exploited by cyber criminals in opportunistic attacks. The attacks range from technical ones such as malware infection to nontechnical ones such as social engineering. The report then proposes a number of solutions for SMEs that can be used to neutralize cyber security threats. The cyber security protocol adopted by SMEs depends on three crucial factors – the level of risk, the nature of the threats, and the cyber security budget. Technical solutions identified in the report include the use of firewalls, consistent software updates, and the use of layered security. Nontechnical solutions identified in the report include employee education and training. SMEs ought to adopt Acceptable Use Policies and Internet Security Policies.
Keywords: cybercrime, cyber security, small- and medium sized enterprises, computer crimes
Table of Contents
Understanding Cyber Security
Defining an SME
SMEs – The new target
Why most SMEs are sitting ducks
Facets of Cyber Security Threats
Proposed Solutions
Conclusion
Works Cited
List of Figures
Figure 1 Cyber Incident Count in SMEs
Figure 2 SME Definition from Multilateral Organizations
Figure 3 Cyber Event Count over Time for Enterprises with Less than $350M in Revenue
Figure 4 SMEs at risk grouped according to Industry
Figure 5 Cyber Security Reports grouped by Revenue Range
Figure 6 Types of Cyber Security Threats
Organizations, whether business-oriented, non-profits, or otherwise, all rely on technology to facilitate their everyday operations. The advent of the information age has revolutionized every aspect of our lives. It has changed the way we do business, how we socialize, and how we entertain ourselves. It is evident that technology has become an integral part of human life. There is a constant need to stay connected to our homes and our workplaces. This need to stay connected has been recently recognized as a fundamental human right according to a UN report. The report argued that disconnecting an individual from the Internet limits their freedoms of expression and association among other fundamental rights and freedoms (Kravets 4).
The move by the UN is indicative of the importance not only of the Internet but also of technology in general. However, the increase in technological dependence has also resulted in increased computer crimes. Such crimes are also commonly referred to as cyber crimes. They are criminal activities performed using information technology (IT) infrastructure such as computers, a network, or the Internet. The motives of these criminals vary. Some are directed towards individuals and others towards an organization. The consequences of an attack could cripple an organization, especially one that is heavily reliant on its IT infrastructure for its operations.
Large corporate organizations usually have robust cyber security mechanisms in place to handle these threats. They were traditionally the preferred targets for most cyber criminals. However, the trend has recently been shifting. Small- and medium-sized enterprises (SMEs) have become a more convenient target for cyber criminals. The main reason for this shift is that most SMEs are still high-value targets like large companies but lack the proper cyber security mechanisms.
Figure 1 Cyber Incident Count in SMEs
This paper analyzes the issue of cyber security and asserts its importance. After examining the issue from a general perspective, it is necessary that the issue be considered from an SME perspective. To do so, one has first to understand the legal definition of an SME according to various jurisdictions. The next section then delves into the different types of cyber security threats and how they affect an organization’s operations. It also examines some proposed solutions and how appropriate they are for SMEs. Before drawing the final conclusions, the paper examines some constraints on cyber security while focusing on SMEs. This report is meant for individuals in IT managerial positions, especially in SMEs. It should serve as a guide for these individuals to better protect their organization’s IT infrastructure from cyber security threats.
Understanding Cyber Security
To understand cyber security, it is crucial that one first understand cybercrime and the extent to which it affects organizations and the global economy at large. Cyber crimes are criminal activities that involve the use of IT infrastructure such as computers, networks, or the Internet. The infrastructure can be either a tool or a target for these attacks (Aghatise 3). In some cases, it can be both. For instance, hackers who use unscrupulous methods to gain unauthorized access use the technology as a tool. On the other hand, virus attacks target the said technology. In cases such as hacking in a bid to install a virus on a remote server, the two are interconnected. Also, some cybercrime activities are not technological. An example is social engineering. In this case, the criminal befriends the potential victim on various social networking platforms in a bid to get them to reveal sensitive information that would compromise their cyber security or that of an organization that they are affiliated with. It is important to understand not only the meaning of cybercrime but also its various facets. In doing so, one can then adopt the appropriate solutions based on the threats the organization is facing. Technological cybercrime threats require technological cyber security measures while non-technological threats such as social engineering require non-technological solutions.
Cyber security is a collective term used to refer to measures put in place to ensure protection from cyber security threats and cyber-criminal activities. These measures are usually a combination of technologies and practices. When mentioned in a computing context the term cyber security is sometimes shortened to security for convenience (Hansen and Nissenbaum 1156).
There are five primary aspects of cyber security. The first is application security that is focused solely on ensuring that applications are protected from any external threat. This aspect of cyber security is becoming increasingly important especially since most applications do not only run locally but connect to the Internet. This connection leaves them prone to attacks. Therefore, applications should also have their own line of defense that complements system defense mechanisms. Application security is usually an integral part of the application development process. Cyber security can also be looked at in terms of information security. It refers to protecting an individual’s or organization’s information from unauthorized access. Many organizations continue to adopt emerging technologies such as cloud computing that involves remote storage of information and applications. Despite its numerous advantages, cloud computing presents new challenges to organizations that are looking to ensure information security. The third aspect of cyber security is network security that involves securing an organization’s network infrastructure from intrusion. Cyber security also involves enacting disaster recovery protocols. These are clearly defined steps that an organization is to follow in case of a cyber-attack. Disaster recovery protocols also include damage control activities. The final aspect of cyber security is educating the end-user. This aspect focuses on the user of the IT infrastructure. Improper usage could compromise the security of either the applications, information, or the network. Potential end-users in an organization are its employees. The organization ought to have appropriate policies regarding the use of its IT infrastructure. For instance, every organization ought to have an Acceptable Use Policy and an Internet Security Policy. The details and relevance of these documents are discussed in the proposed solutions section. 
Employees should follow the provided guidelines to the letter.
According to a think tank in Washington, cybercrime activities and economic espionage cost the world economy to the tune of 445 billion USD every year. This cost is about 1% of the global annual income (Nakashima and Peterson 4). These glaring statistics put cybercrime activities within the ranks of drug trafficking in terms of the damage done to the global annual income. The Center for Strategic and International Studies (CSIS) report revealed that the most technologically advanced countries are the most technologically dependent ones. Their organizations, large or small, all depend heavily on IT infrastructure to carry out their daily operations. Consequently, they are more prone to attacks. The countries whose organizations, businesses, and governments were most affected include the US, China, and Germany. Collectively, these three nations accounted for 200 million USD total of the 2013 estimate provided by the CSIS. The loss estimated by the CSIS falls short of another estimate made by the US federal government that stood at an astounding 1 trillion USD (Nakashima and Peterson 4). These glaring statistics show the grave impact of cybercrime on the world economy.
In organizations, the costs incurred are either directly or indirectly linked to these cyber-criminal activities. The direct costs incurred include loss of intellectual property as a result of hacks, damage to IT infrastructure due to malware attacks, and the compromising of sensitive organization information. Indirect losses include losses incurred due to recovery mechanisms put in place, disruption of the organization’s operations which results in financial losses, and the damage caused to the reputation of the attacked organization (Center for Strategic and International Studies 4). For instance, clients would evidently shy away from a financial institution whose security protocols have been compromised. The lack of customers then hurts the organization financially.
The Intel-sponsored report by the CSIS also adds that most cases of cybercrime go unreported and unaccounted for. Mainstream media tends to cover large-scale attacks on large corporations. Attacks on small- and medium-sized enterprises are left in the dark. As a result, the CSIS asserts that the impact of cybercrime on the global economy is much higher if research factors in SMEs. The threat to SMEs is a unique one because little to no attention is paid to threats to and attacks on such organizations. The large corporations get all the media coverage, and these minor attacks are left unmentioned. It is for this reason that this paper examines cyber security and its importance while focusing on the plight of SMEs.
The research conducted by the CSIS, the US Federal Government, and Intel Security – McAfee is indicative of the extent to which cybercrime activities affect the global economy and the individual organizations targeted. The financial losses documented are alarming. Additionally, this research suggests that attacks on SMEs are not reported to the same extent as those on large enterprises. As a result, SMEs have become an unsuspecting target for cyber-criminals. It is important that they are equipped with the right tools to protect them from these criminals. The next section of the paper defines an SME according to various jurisdictions and highlights the potential cyber security threats such enterprises face.
Defining an SME
There are two ways of defining an SME. The first method of categorizing such enterprises involves looking at the number of employees in an organization. The other method is in terms of the organization’s finances such as annual revenue, organization budget, and value of the organization’s assets. However, according to Gibson and Van der Vaart (2008), a business’ volume of turnover is the most appropriate way of categorizing enterprises according to their size. The other traditionally used parameters such as the number of employees and asset volume often result in divergent definitions.
Different regions in the world have varying definitions of an SME with reference to the maximum number of employees. Most of the definitions also incorporate micro enterprises. According to the EU’s definition, a microenterprise is one that has a maximum of 10 employees. A small-sized enterprise is one that has up to 50 employees while a medium-sized enterprise has 250 employees maximum (European Commission 5). Other multilateral organizations offer collective definitions for micro-, small- and medium-sized enterprises. The World Bank’s definition states that an SME is an organization with a maximum of 300 employees. On the other hand, the United Nations Development Programme (UNDP) has set a maximum of 200 employees for an enterprise to be considered an SME (Gibson and Van der Vaart 5). When defining an SME with reference to the maximum number of employees, the definitions from these multilateral organizations vary slightly. In all these definitions, the expected number of employees for an SME falls within the same ballpark, give or take 50 employees in most cases.
It is also important that one examines the definition of an SME according to an organization’s finances. The World Bank defines a small or mid-sized enterprise as one with 15 million USD in maximum revenues and maximum assets. The African Development Bank, on the other hand, states that an SME ought to have a maximum turnover of 3 million USD. The African Development Bank does not provide a figure for the maximum assets required (Gibson and Van der Vaart 5).
Figure 2 SME Definition from Multilateral Organizations
Such huge differences make it even more difficult to obtain a unified definition of an SME that technological experts can use to assess the impact of cybercrime on such enterprises. It also makes it difficult to develop solutions tailored to suit such organizations. The solutions offered ought to take into account the annual revenue and expenditure allocated to ensuring cyber security. Additionally, the number of employees influences the organization-wide policies adopted to protect its IT infrastructure. These policies include the aforementioned Acceptable Use Policy and Internet Security Policy. It is for this reason that specific countries have laid out their recommended cyber security defense protocols for SMEs. These protocols may vary due to the varying definition of SMEs in different jurisdictions. Examples of such countries include Australia, the US, and the UK. Consequently, a security protocol adopted by an SME in the US may not work for an SME in Australia because it is not economically feasible. In light of this, the solutions proposed in this report are as general as possible. In so doing, SMEs from different countries can use them to counter their cyber security threats.
The next section of the report examines SMEs as the new target for cyber criminals. By drawing from secondary research conducted, the report identifies a shifting trend, one in which SMEs and not large enterprises are the primary target for cyber criminals.
SMEs – The new target
The traditional target for most cyber criminals has been large corporations. However, the price of technology has reduced significantly in recent times and even small- and medium-sized organizations can afford IT infrastructures that enable them to run their operations effectively in the modern-day tech-oriented business world. Consequently, SMEs have become the new target for most cyber criminals as shown by the following research.
An investigation conducted by Verizon Communications revealed that 72% of all data breaches examined for the year 2011 were aimed at SMEs. In this case, Verizon carried out its investigation while maintaining that an SME is an organization with a maximum of 100 employees (McAfee Security 1). Evidently this assumed definition by Verizon Communications left out a significant number of organizations according to some other definitions. Incorporating these numbers into the research conducted by Verizon would most likely indicate that the number of SMEs breached in 2011 was much higher. Additionally, the report highlighted the fact that most cyber security attacks on SMEs are not covered as comprehensively by media outlets as attacks on large corporations such as Apple, Amazon, or Citibank breaches (McAfee Security 1).
A separate report by Symantec on Internet Security Threats in 2014 revealed a similar change in targeted organizations. According to the report by Symantec, SMEs accounted for over half of the total cyber security attacks in 2013. The report estimated that about 61% of the attacks were aimed at SMEs (Advisen Ltd 3). This share was an 11% increase from the previous year. Another study, mandated and conducted by the National Cyber Security Alliance, also suggests that SMEs are becoming the preferred target for cyber criminals. The study conducted focused solely on small businesses and the number of annual attacks aimed at such businesses. The results showed that at least 20% of small businesses fall victim to various cyber-attacks.
Figure 3 Cyber Event Count over Time for Enterprises with Less than $350M in Revenue
It is also important to note that the attacks on SMEs are often opportunistic attacks. These attacks are not premeditated. The target organization is not chosen but identified at random, and an attack is launched on its IT infrastructure. This identification is usually because of some flaws in its cyber security defense mechanisms. The attacker simply searches for an organization with flaws that they can exploit. However, in the case of large enterprises the attacks are usually premeditated. The attacker’s choice of the target is not opportunistic because it is not based on the security flaws of the organization. Instead, in this case, the attacker finds flaws in the cyber security defense mechanisms set up by the organization. A 2012 report by Verizon confirms that most of the attacks on SMEs are opportunistic attacks. According to the report on Data Breach Investigation, about 85% of the attacks on SMEs were attacks of opportunity (Advisen Ltd 4). It is in the remaining 15% that the attacker chooses the victim in a premeditated attack. It is also important to note that the Verizon study and report defines an SME as an organization with a maximum of 1,000 employees (Advisen Ltd 4). This huge difference in definitions used by organizations conducting cyber security research raises concerns about the consistency of the results obtained and the appropriateness of the solutions proposed.
Another survey conducted in Australia also shows that SMEs have become the convenient target for most cyber criminals. The survey, titled the ABACUS survey, employed quantitative research methods. Researchers carried out an extensive evaluation of 4,000 participants. Of these four thousand, 3,290 (over 80%) were small enterprises (Hutchings 2). However, judging by the number of small businesses in Australia, the research established that these businesses were under-represented. This is despite the fact that they accounted for the lion’s share of the total number of participants. The ABACUS survey revealed that a majority of SMEs have adopted technology and IT infrastructure. Most of the businesses were found to be using personal computers and laptops alongside either a Local Area Network (LAN), a Virtual Private Network (VPN), or a Wide Area Network (WAN) for larger businesses (Hutchings 2). These observations show that small businesses continue to rely heavily on technology and IT infrastructure to facilitate their core operations. The survey showed that cyber security attacks aimed at SMEs occurred in all sectors. These indiscriminate attacks confirm the opportunistic nature of attacks on SMEs as revealed by the Verizon report. Additionally, it means that no SME is safe and that securing their IT infrastructure should be among the business’ top priorities.
The ABACUS survey also examined the types of computer security incidents reported by the 4,000 participants. The most common type of attack recorded was the corruption of computer software and/or hardware (Hutchings 2). Such attacks are the most prominent ones and affect the organization’s operation adversely. Other minor computer security incidents reported include website defacement and theft or loss of hardware (Hutchings 2).
These surveys, studies, and other research all show that SMEs have become a more preferred target for cyber criminals. As a result, these businesses and organizations should look to invest heavily in cyber security mechanisms to protect themselves from this growing threat. It is also important to note the reason why these types of businesses are preferred targets. This is the primary focus of the next section. It highlights some characteristics of SMEs that make them more convenient targets as compared to large enterprises. Doing so is the first step in finding lasting solutions to the cyber security threats that SMEs face.
Why most SMEs are sitting ducks
This section discusses the primary factors that make SMEs the preferred targets for most cyber criminals. The first evident reason is the lack of robust cyber security protocols. This factor makes most SMEs vulnerable to attacks. As a result, most attacks on SMEs are opportunistic ones in which the attacker identifies their victim organization based on the flaws in their security protocols. Despite the lack of robust security systems, hackers can still gain tremendously from exploiting the data stored in SMEs’ IT infrastructure.
Figure 4 SMEs at risk grouped according to Industry
In most cases, the lack of robust security stems from the lack of adequate funds to cater for the cost of securing their IT infrastructure. SMEs often outsource IT facilities and their security to a third-party vendor and service provider. These outsourcing options are cheaper but do not guarantee security because most service providers are not keen to secure their clients’ systems. Research conducted by the Ponemon Institute studied the security budgets of up to 5,000 small and mid-sized enterprises. According to the results of this research, over 50% of the enterprises studied were found to lack an adequate security budget (Advisen Ltd 5). The study was conducted on the premise that an SME is an enterprise with a maximum of 100 employees. The appropriateness of the security budget allocated depends on the nature of the enterprise’s operations and the size of the enterprise. The security budget ought to match the level of cyber security risk.
Apart from the lack of adequate funds to put up robust defense mechanisms, lack of information also makes SMEs convenient targets for cyber criminals. Research suggests that most SMEs are unaware of the cyber-criminal threats they face. They are oblivious to the danger of being heavily reliant on technology. As a result, they are reluctant to spend on security protocols for their enterprises. According to a study mandated by the UK Government and carried out by the Cyber Streetwise Campaign, 66% of all SME management interviewed declared that they did not consider their organizations to be at risk. Only 16% of the respondents stated that improving their cyber security protocols was a top priority for their organization in 2015 (GOV.UK 3). These statistics show that top-level management in most SMEs are unaware of the growing threat that their organizations face. This could be due to the lack of sufficient media coverage of attacks on SMEs. The media mostly reports cyber security breaches affecting large enterprises. Consequently, most SMEs do not know that they are also a potential target.
As a result, they do not put in place cyber security protocols because they are unaware of the immediate threat. This assertion is backed by research conducted by the National Cyber Security Alliance. The research reviewed the cyber security protocols of over 800 SMEs. It was established that 87% of these SMEs lacked a formal Internet Security Policy while 69% of the 800 SMEs lacked an informal Internet Security Policy (Advisen Ltd 5). These numbers show that SME managers do not consider themselves a target due to lack of information. Documents such as this report should serve as a wake-up call for SMEs. The research conducted clearly shows that SMEs are the new target. Instead of being penny pinchers and trying to cut security budgets, SMEs should seek to improve their cyber security protocols to better protect themselves from the growing external threat.
Figure 5 Cyber Security Reports grouped by Revenue Range
After examining the threat against SMEs, it is paramount that one also delves into the facets of cyber security threats. The next section of the report examines these threats in detail and categorizes them according to their nature. Understanding the threat is part of the process of finding solutions because different types of cyber security threats require different solutions.
Facets of Cyber Security Threats
Cyber security threats come in two main categories, technical and nontechnical threats. Technical threats are ones that require a certain level of expertise to compromise the set cyber security protocols. These include hacking, phishing, and malware attacks among others. Nontechnical threats do not require any expertise. Examples include social engineering and improper use of the Internet. The solutions proposed should be in line with the threats faced.
Figure 6 Types of Cyber Security Threats
Many of the SMEs that are reliant on technology to facilitate their operations are often connected to the Internet. The Internet is a gateway to an endless world of information. To SMEs and other businesses, it is a platform through which they can interact with potential clients, market their products and services to a vast consumer base, and carry out transactions with them online. The numerous advantages of this platform cannot be overlooked. However, the major drawback is that it exposes its users to the largest and most dangerous cyber security threat, malware. Malware is a generic term used to refer to any software or piece of code written with malicious intent. This software comes in various forms. The most common ones are Trojans, keyloggers, viruses, worms, and spyware (Hutchings 2). Each strain of malware poses a different threat to an organization’s IT infrastructure. For instance, worms are self-replicating programs. They clog up system memory resulting in ultimate failure. On the other hand, spyware refers to malware programs that monitor activity on a computer and network. They are used by hackers for eavesdropping because the information they intercept is sent back to them. Such programs can compromise information security. Other forms of malware such as ransomware are used for extortion. Ransomware is an emerging type of malware that encrypts system data and files rendering machines useless until a certain amount is paid through a predetermined payment method (Hutchings 2). Creators of ransomware often prefer cryptocurrency methods such as Bitcoin because they are virtually untraceable. In most cases, the system is not restored even after payment is made.
Apart from malware, SMEs are also prone to phishing and spear phishing attacks. These are attacks in which one pretends to be a legitimate company in an attempt to obtain sensitive information from the potential victim. The attacker contacts the potential victim mostly through email. The victim is then redirected to a bogus website where they are prompted to enter their personal information. Spear phishing is a more coordinated form of phishing attack. It is aimed at a specific organization. The attacker targets the organization by targeting some of its top management or a group of employees. The goal of spear phishing attacks is to gain access to sensitive company data. For instance, the attackers may pose as a company that the organization often does business with such as a supplier. From this position, the attacker can then access the organization’s internal data. Phishing attacks are some of the most common ones in SMEs. According to the ABACUS survey, 24% of the SMEs studied reported to have been victims of phishing attacks (Hutchings 3). An organization such as an SME can fall victim to phishing in two ways. The first and most common one is when the phishing attack targets the organization and ends up compromising their cyber security protocols. The second way is when an organization is fraudulently represented in a phishing attack. Fraudulent representation could hurt an organization’s reputation and its business.
Another common technical cyber security threat is the Denial of Service (DoS) attack. These attacks are facilitated by a special type of malware called botware. These attacks are usually severe and can cripple an organization’s entire IT infrastructure within minutes of launch. Botware is a malware program that can be controlled from the attacker’s remote location. In doing so, the attacker can use the program as an entry point into an organization’s IT infrastructure to facilitate other attacks. DoS attacks result in the shutting down of an organization’s network and other parts of its IT infrastructure. An example of a method of launching a DoS attack is by sending out immense volumes of traffic on an organization’s network through the installed botware. Due to the traffic, facilities such as websites become inaccessible. The organization cannot service its users until the systems are back up. Additionally, DoS attacks can be used to target hardware and software. For instance, botware programs can be instructed to cause fluctuations in power resulting in widespread damage to hardware. Even though DoS attacks are not common in SMEs, they are also not nonexistent. The ABACUS survey revealed that 4% of the SMEs studied had experienced DoS attacks between 2006 and 2007 (Hutchings 3). The survey also established four primary reasons for DoS attacks on SMEs. These reasons include extortion, protest, competition, and revenge (Hutchings 3). Businesses may attack their competitors in an attempt to hurt their operation. A fired employee could launch a DoS attack on their former employers out of revenge. Frustrated customers have also been known to execute similar attacks in protest of certain business practices they do not agree with. Lastly, most DoS attacks on SMEs result in extortion followed by threats of a larger attack if the organization does not pay up.
Apart from technical attacks, it is necessary that SMEs protect themselves from nontechnical attacks as well. The most common type of nontechnical threats that SMEs face is social engineering. Social engineering is an art of luring people in and manipulating them so that they give up some confidential information (Goodchild 4). The attacker exploits an individual’s natural inclination to trust others. The information sought by these attackers is mostly financial information such as credit card information and passwords. Social engineering attacks have become increasingly common with the advent of social media and other online interaction platforms. Like spear phishing, these attacks can be aimed at a group of individuals from an organization. Such coordinated attacks can compromise an organization’s data by using their employees as bait. The ABACUS survey also revealed other minor threats to SMEs such as online fraud, compromised websites, and wireless internet vulnerabilities.
SMEs need to protect their organizations from all manner of cyber security threats, whether technical, nontechnical, or otherwise. There is a need for an all-round cyber security protocol that addresses all these threats. The next section of the report examines the solutions to the threats identified.
Proposed Solutions
KPMG, an auditing and advisory firm, published a paper in 2014 in which it outlines the three areas that must be covered to minimize the risks posed by cyber security threats. These three areas are prevention, detection, and response (Barlock, Buffomante and Rica 3). Prevention involves putting up measures within an organization that will help deal with cyber security threats. Apart from doing so, prevention requires that all staff members in an organization be informed about the dangers of cybersecurity. Detection is the second step towards enacting an iron clad cyber security protocol. It involves monitoring activities that will help those in charge of cyber security in an organization take note of suspicious activities. The organization can thus be proactive in its fight against cybercrime. In so doing, the organization’s cyber security team can neutralize threats before they impact its operations. In case an attack occurs unmonitored, the organization ought to have adequate measures in place to facilitate efficient response. The response plan adopted should deal with the immediate threat and incorporate damage control mechanisms. Finally, the response plan ought to ensure that such an attack does not occur in future.
The aforementioned solutions provide a general guideline for developing a comprehensive cyber security protocol. However, it is necessary that one examines the solutions in detail to provide specific solutions to specific threats. Hutchings proposes a number of solutions that SMEs can adopt as they fight the growing cybersecurity threat. The solutions correspond to a specific threat as identified by the ABACUS survey.
The first solution proposed is security patches. SMEs use a variety of software packages, most of which connect to the Internet. If these programs are not updated regularly, their application security defense mechanisms could be outdated. It is, therefore, necessary that SMEs download and install security patches, especially for programs that require Internet connectivity for full functionality. In so doing, these programs become less susceptible to malware attacks as compared to their older versions. Application security is an important aspect of cyber security. Downloading and installing security patches should be a regular practice for all SMEs. Additionally, Hutchings proposes that these patches be installed and tested on a trial machine before being rolled out to all systems in the organization. This proposition is based on the fact that many updates may contain bugs that have not yet been discovered. Once an update is declared fit for use, it can then be installed on all machines within the organization.
Apart from ensuring application security, SMEs also need to ensure network security. Connection to the Internet can be secured through the use of firewalls. This method is cost effective, making it appropriate for SMEs. It will not eat into their cyber security budget. According to the ABACUS survey, a total of 70% of the SMEs studied used firewalls to secure their network (Hutchings 4). Additionally, hardware firewalls such as routers can be used to segment a network and limit traffic. Firewalls also protect systems connected to the Internet from unauthorized access and malware infection.
SMEs should also seek to embrace layered security mechanisms as an additional line of defense. Modern day malware threats are evolving. Attackers design them to bypass traditional antimalware programs. As a result, most cyber security analysts propose that organizations adopt a layered security package. These software packages use a series of defenses with the goal of slowing down and eventually stopping an attacker. It is a concept borrowed from the military. This emerging cyber security concept is sometimes termed layered defense or defense in depth. Layered security software packages are usually formed by a combination of applications working collaboratively. Each of these applications is geared towards protecting a potential entry point an attacker could use. Antimalware applications protect the organization’s IT infrastructure from malware infection. Firewall applications protect the network from unauthorized entry. Layered security software packages might also include an anti-spam application and a privacy control application (Hutchings 4). These applications, when purchased from different vendors under different licenses, might be too expensive for most SMEs. As a result, they end up acquiring only some of the applications. However, software packages such as the McAfee Endpoint Protection Suite and the Norton Internet Security Suite make it cheaper for SMEs because they feature all the necessary applications purchased under one license from a single vendor. Doing so cuts down on cost, which is a huge determining factor for SMEs as far as cyber security is concerned.
These technical solutions ought to be complemented with nontechnical ones in a bid to fend off nontechnical attacks such as social engineering. Hutchings proposes that SMEs ought to adopt appropriate staff policies and keep their employees informed about the various cyber security threats that the organization faces (Hutchings 7). These awareness and training exercises should focus on the role of the employee in maintaining cyber security within an organization. An example of such a staff policy is the Acceptable Use Policy. This is a legally binding document that outlines how an organization’s IT infrastructure ought to be used by its employees (Hutchings 7). It outlines what falls under acceptable use and nonacceptable use. It also provides employees with appropriate channels for reporting cases of nonacceptable use. Acceptable Use Policies also contain consequences of nonacceptable use that range from dismissal to prosecution. Internet Security Policies address all the cyber security threats that employees are exposed to when connected to the Internet. Issues such as proper usage of social media and how to handle social engineering cases are covered in the Internet Security Policy. According to the ABACUS survey, only 7% of the SMEs studied were found to have an Acceptable Use Policy and an Internet Security Policy (Hutchings 7). Not having these documents in place and not educating the staff on the various cyber security threats is a major flaw in an organization’s cyber security protocol.
When combating cyber security threats, KPMG suggests that every SME ought to ask three critical questions before setting up a cyber security protocol. The first question seeks to establish the level of risk associated with the organization and the industry it operates in. The next question involves analyzing legislation and the organization’s culture in an attempt to enact a cyber security protocol that suits these two factors. The final factor that determines an SME’s cyber security protocol is its budget. Based on the risk level, legislation, and organization operations, the SME can then enact a cyber security protocol that is within its budget. SMEs are businesses that are in their formative years. Therefore, it is important that they do not spend too much on security because of their limited financial resources. Additionally, they should not limit their security budget so much that it leaves the organization’s IT infrastructure vulnerable to attacks.
Conclusion
In the modern day business world, almost all enterprise operations rely on technology. The heavy dependence on technology for business operations has also resulted in the increase of cybercrime activities. Businesses have been targeted by cyber criminals. Small and mid-sized enterprises are the most vulnerable types of organizations because of their limited cyber security budgets. Additionally, most SMEs are unaware of the cyber security threats that they face making them even more susceptible to attacks. Even though various jurisdictions have divergent definitions of SMEs, the threats identified are similar. The solutions adopted by SMEs depend on the nature of the threat, the level of risk, and the cyber security budget. Technical solutions include layered security, firewalls, and constant software updates. Nontechnical solutions include organization-wide policies and staff sensitization and training. SMEs should also approach cyber security from a holistic perspective by incorporating prevention, monitoring, and response mechanisms.
Works Cited
Advisen Ltd. Cyber Exposures of Small and Mid-Sized Business – A digital pandemic. White Paper. Hartford: The Hartford, 2014. Print.
Aghatise, Joseph E. “Cybercrime Definition.” 28 June 2006. Computer Crime Research Center. Web. 30 November 2015.
Barlock, Steve, Tony Buffomante and Fred Rica. “Cyber security: it’s not just about technology.” White Paper. 2014. Print.
Center for Strategic and International Studies. “Net Losses: Estimating the Global Cost of Cybercrime.” Financial Report. 2014. Print.
European Commission. “What is an SME?” 26 November 2015. European Commission. Web. 30 November 2015.
Gibson, T. and H. J. Van der Vaart. “A less imperfect way of defining small and medium enterprises in developing countries.” Brookings Global Economy and Development (2008): 1-29. Print.
Goodchild, Joan. “What is social engineering? What are the most common and current tactics? A guide on how to stop social engineering.” 20 December 2012. CSO Online. Web. 1 December 2015.
GOV.UK. “Cyber security ‘myths’ putting a third of SME revenue at risk.” 25 February 2015. GOV.UK. Web. 1 December 2015.
Hansen, L. and H. Nissenbaum. “Digital disaster, cyber security, and the Copenhagen School.” International Studies Quarterly 53.4 (2009): 1155-1175. Print.
Hutchings, Alice. “Computer security threats faced by Small Businesses in Australia.” Trends and Issues in Criminal Justice 433 (2012): 1-6. Print.
Kravets, David. “U.N. Report Declares Internet Access a Human Right.” 3 June 2011. WIRED. Web. 30 November 2015.
McAfee Security. “Combating Small Business Security Threats: How SMBs Can Fight Cybercrime.” White Paper. 2015. Print.
Nakashima, Ellen and Andrea Peterson. “Report: Cybercrime and espionage costs $445 billion annually.” 9 June 2014. The Washington Post. Web. 30 November 2015.