"security breaches are inevitable …."


… as demonstrated by TalkTalk [TalkTalk customer details at risk, after yet another internet attack]. Granted, while protecting data is an important aspect of business life, too much time is spent on defending information infrastructures and very little on managing a security breach, otherwise known as incident response. Little or no resource is set aside for identifying the operational issues that need to be addressed in order to implement an efficient incident handling capability.

Interestingly, this very point was noted in a report commissioned by HM Government: ‘it is notable that there has been a lack of progress amongst small organizations in developing information security policies. Since 2012, there has been little change in the percentage of small organizations who have formally documented an information security policy but the trend in those organizations suffering a breach has increased over this same time.’

In the hectic and complex business world, with small businesses believing themselves to be secure, it is understandable that they have little regard for the identification of appropriate incident response services, policies, and procedures. They are a business, and other aspects of running a business have greater urgency, so no consideration is given to the nature and scope of an effective incident response – this can be very costly, especially if the business is then unable to persuade current customers [and more importantly, potential customers] that their personal and financial details will be kept safe and private.

Given that small businesses regard a cyber security breach as a one-off event, it is natural that very little consideration is given to the business functions that make up the incident response service; how those functions interrelate; how they interact with other internal business functions; and the tools, procedures, and roles necessary to implement an effective response.

This was also noted in the same report commissioned by HM Government: two-thirds of those organizations that did suffer a data breach did not take ‘the time to assess what happened, understand the causes and implement measures which would prevent breaches from recurring. Failure to perform a review and learn the lessons will most likely increase the chance of a recurrence.’ Again, as demonstrated by TalkTalk [TalkTalk customer details at risk, after yet another internet attack].

I suspect the normal reaction of the majority of UK businesses caught up in a data breach would look very similar to a rabbit caught in a car’s headlights: paralyzed by the media spotlight, with no plan.

But businesses need a plan, and in a series of future blogs I will outline a simple and cost-effective way of building an incident response plan.

Hi Chris, interesting that you have different experiences of the SME market. I do see many technical challenges - for example, I have yet to consult with an SME who had an effective centralized log management solution. And as sometimes the initial contact is after a breach, this is a pretty big deal - even without factoring in the lack of protective monitoring that could enable. I also see essential security products purchased on the basis of price alone, due to the lack of experienced staff to differentiate on any other basis. So that creates exposures within areas such as endpoint protection. Cyber Essentials isn't great. For your £300 you get a badge that says you self-certified that you "mostly" have some basic controls in place at a point in time. In terms of reducing the chance of a breach, that's almost worthless. I'd agree there is a people issue at play. But this again comes back to a lack of expertise in the sector - which is a cost issue. Few SMEs have dedicated security staff advising management and the board, and those that do have to compete with larger companies for the best staff. I work with a lot of SMEs as my day rates are much cheaper than the average for the services I offer. But good advice at an SME-friendly budget is thin on the ground.


SMEs often baulk at the cost of security. It can be very expensive to get the right expertise and infrastructure in place. The lack of a sufficient talent pool is also an issue, as the better staff will follow the higher wages paid by large companies. The prices for technology and consultancy that larger firms will pay also skew the costs for smaller firms. So for many reasons, it's easy to beat up on SMEs for not taking security seriously, but there are other factors at play than wilful ignorance. The problem in the UK is that there is very little stratification in the market (consultancy fees are pretty much fixed) and so few consultants who understand what a proportionate response looks like.
