Computerworld

​EXCLUSIVE: Cisco tells Kiwi SMBs… You’re not too small to be attacked

“Many SMBs are keeping their head in the sand, but any computer is a target..."
John-Paul Sikking - Head of Security, Cisco New Zealand

John-Paul Sikking - Head of Security, Cisco New Zealand

Small and medium-sized businesses across New Zealand remain exposed to the rising tide of security attacks impacting the market, with many unprepared to handle an all-out cyber breach.

Despite the big name hacks dominating the news - think Sony Pictures, Staples, Home Depot and Target to name a few - attacks on smaller organisations are increasing both at home and overseas, and stand to potentially impact 97 percent of all New Zealand enterprises.

To be precise that’s 459,300 businesses from the top of the North Island to the bottom of the South, incorporating zero (no employees), micro (1-5 employees) and small (6-19 employees) enterprises.

“Many SMBs are keeping their head in the sand, but any computer is a target, if for nothing else, the computer power or to hold for ransom,” says John-Paul Sikking, Head of Security, Cisco New Zealand.

“Also in recent years we’ve seen attacks on small business as a stepping-stone to a much larger target.”

Weak Link?

Sikking’s comments are in line with the recently released Cisco 2016 Annual Security Report, which cites SMBs as a potential “weak link” in the security chain.

As more enterprises look closely at their supply chain and small business partnerships, they are finding that these organisations use fewer threat defence tools and processes.

But perhaps crucially, SMBs’ view of their businesses as targets of cybercriminals may demonstrate a gap in their perception of the threat landscape.

As illustrated in the report, 22 percent of businesses with fewer than 500 employees do not have an executive with direct responsibility and accountability for security because they do not view themselves as high-value targets.

While the report officially classes SMBs are 250-499 people - which is large for New Zealand - Sikking believes the overriding point applies to smaller Kiwi businesses.

“Across the board, these SMB organisations have less confidence in securing their organisations and they report using less tools and processes to defend their networks,” Sikking adds.

“It’s impossible to say what is the right percentage or amount of money to spend, however security spending should be commensurate with the value of the asset that is being protected.

“In New Zealand I think that organisations, especially SMBs, are a little light on managing the risks to their organisations.

“There remains a mind-set that “we are not a target” and we are too small and too far away for an attacker to bother, which of course couldn’t be further from the truth - anyone connected to the Internet is a target.”

The report claims that 48 percent of SMBs in 2015 used web security, while 59 percent did the same 2014, while 29 percent used patching and con-figuration tools in 2015, compared with 39 percent in 2014.

In addition, of the SMB respondents that do not have an executive responsible for security, nearly one-quarter do not believe their businesses are high-value targets for online criminals.

Alluding back to Sikking’s earlier comments, such a belief hints at overconfidence in their business’s ability to thwart today’s sophisticated online attacks - or, more likely, that attacks will never happen to their business.

“Organisations continue to put their faith in the ‘god-box’ solution / snake-oil vendor, where if you just buy this appliance and all of your problems will go away,” Sikking adds.

“Cisco has the highest blocking of Malware efficacy in the market, yet we still promote a before, during and after approach to managing security because nothing is 100 percent secure.”

Page Break

For SMBs in particular, the report claims that the biggest obstacles to better security practices include budget constraints (40 percent), compatibility issues with legacy systems (34 percent) and competition priorities (25 percent).

“SMBs continue to have less money to spend on security and this will only get worse,” Sikking adds.

“In New Zealand they usually don’t have an executive with direct responsibility for security and are unlikely to use external help for advice, monitoring and auditing.

“The flip side is that SMBs are moving to managed and cloud services, primarily for cost savings, but getting an added security benefit.”

Managed Services

As part of a trend to address the talent shortage, enterprises of all sizes - SMBs included - are realising the value of outsourcing services to balance their security portfolios.

According to the report, this includes consulting, security auditing and incident response.

SMBs, which often lack resources for an effective security posture, are improving their security approach, in part, by outsourcing, which is up to 23 percent in 2015 over 14 percent the previous year.

“New Zealand continues to box above our weight when it comes to embracing cloud and managed services,” Sikking adds.

John-Paul Sikking - Head of Security, Cisco New Zealand
John-Paul Sikking - Head of Security, Cisco New Zealand

“Often cost savings are the biggest driver, but there are many services where companies just don’t have the skills in-house and it makes sense to pay a third-party provider to manage the technology and provide a Service Level Agreement (SLA) along the way.

“Firewall, IPS and content security are three popular security tools that are trusted to third parties, of course, SMBs can outsource the management of technology, but not the accountability of securing your organisation.”

Ageing Infrastructure

At present, businesses continue to be up against security challenges that inhibit their ability to detect, mitigate and recover from common and professional cyberattacks.

In short, the report claims that ageing infrastructure and outdated organisational structure and practices are putting them at risk.

Between 2014 and 2015, the number of organisations using up-to-date security infrastructure dropped by 10 percent, with 92 percent of Internet devices currently running known vulnerabilities.

Delving deeper, the report shows that thirty-one percent of all devices analysed are no longer supported or maintained by the vendor.

“Ageing infrastructure is a symptom of a wider problem,” Sikking explains. “It shows up the immaturity in the processes organisations are using to maintain their systems.

“The fact that 92 percent of devices were running known vulnerabilities or not patched should be seen as a bellwether for all other systems, including the policies and rules used to secure the network (Firewall rules and IPS signatures), as well as the software, operating systems and hardware.”

In New Zealand, and reflective of global market trends, malware continues to be the biggest concern impacting enterprise, followed by phishing and Advanced Persistent Threats.

“This holds true for New Zealand,” Sikking adds.

“The biggest vulnerability, however, is not patching and maintaining our systems (firewall rules, IPS, applications, software, OS and even hardware) - relatively simple actions that could significantly reduce risk.”