Small and medium-sized businesses across New Zealand remain exposed to the rising tide of security attacks impacting the market, with many unprepared to handle an all-out cyber breach.
Despite the big name hacks dominating the news - think Sony Pictures, Staples, Home Depot and Target to name a few - attacks on smaller organisations are increasing both at home and overseas, and stand to potentially impact 97 percent of all New Zealand enterprises.
To be precise that’s 459,300 businesses from the top of the North Island to the bottom of the South, incorporating zero (no employees), micro (1-5 employees) and small (6-19 employees) enterprises.
“Many SMBs are keeping their head in the sand, but any computer is a target, if for nothing else, the computer power or to hold for ransom,” says John-Paul Sikking, Head of Security, Cisco New Zealand.
“Also in recent years we’ve seen attacks on small business as a stepping-stone to a much larger target.”
Weak Link?
Sikking’s comments are in line with the recently released Cisco 2016 Annual Security Report, which cites SMBs as a potential “weak link” in the security chain.
As more enterprises look closely at their supply chain and small business partnerships, they are finding that these organisations use fewer threat defence tools and processes.
But perhaps crucially, SMBs’ view of their businesses as targets of cybercriminals may demonstrate a gap in their perception of the threat landscape.
As illustrated in the report, 22 percent of businesses with fewer than 500 employees do not have an executive with direct responsibility and accountability for security because they do not view themselves as high-value targets.
While the report officially classes SMBs are 250-499 people - which is large for New Zealand - Sikking believes the overriding point applies to smaller Kiwi businesses.
“Across the board, these SMB organisations have less confidence in securing their organisations and they report using less tools and processes to defend their networks,” Sikking adds.
“It’s impossible to say what is the right percentage or amount of money to spend, however security spending should be commensurate with the value of the asset that is being protected.
“In New Zealand I think that organisations, especially SMBs, are a little light on managing the risks to their organisations.
“There remains a mind-set that “we are not a target” and we are too small and too far away for an attacker to bother, which of course couldn’t be further from the truth - anyone connected to the Internet is a target.”
The report claims that 48 percent of SMBs in 2015 used web security, while 59 percent did the same 2014, while 29 percent used patching and con-figuration tools in 2015, compared with 39 percent in 2014.
In addition, of the SMB respondents that do not have an executive responsible for security, nearly one-quarter do not believe their businesses are high-value targets for online criminals.
Alluding back to Sikking’s earlier comments, such a belief hints at overconfidence in their business’s ability to thwart today’s sophisticated online attacks - or, more likely, that attacks will never happen to their business.
“Organisations continue to put their faith in the ‘god-box’ solution / snake-oil vendor, where if you just buy this appliance and all of your problems will go away,” Sikking adds.
“Cisco has the highest blocking of Malware efficacy in the market, yet we still promote a before, during and after approach to managing security because nothing is 100 percent secure.”