One particular threat vector on a steep incline is small businesses being subjected to increasingly frequent cyber attacks. This activity is growing exponentially in scale, but why target a small business? Are Managed Service Providers doing enough to build the necessary knowledge within their client base to reduce the risk of cyber attack?
Small businesses tend to be niche, and often successful within their chosen industry. Most small businesses keep their headcount low in order to maximise profitability, and therefore only employ the staff they require for the business to function. By definition, budgets for cyber security are either significantly smaller, or in some cases, non-existent. This creates a dramatic void in terms of the security on offer, and allows a cyber criminal to take full advantage of any weaknesses that arise as a result.
Small business IT models
Small businesses often make use of IT “boutiques” or “Managed service providers” (MSP) to provide them with the technology they need in order to perform their business functions. However (and I’ve seen this time and time again in my career), the solutions provided are either complete overkill and suffer from poor configuration, or are generally not fit for the purpose that was originally intended.
It’s not my intention to discredit anyone in this article, but small businesses tend to be low yield when it comes to constant business requirements (and by definition, revenue stream) from a technology perspective. From the sales perspective, service providers are all too aware of this, and will often provide a basic service agreement in the form of either “time and materials” or a set amount of hours per month that covers the equipment itself – but not much else outside of that – particularly any ongoing security program.
Whilst service providers are usually an ideal fit for a small business, they do not address the ongoing issue of cyber security, and the threat it presents on a daily basis. Similarly, small businesses will not normally employ a CISO as they are too small. Additionally, there will be no onsite IT presence, as from the small business perspective, this is an overhead, and not necessary – small businesses would much rather focus on running their business. Instead, small businesses often adopt the approach of a designated member of their team managing the relationship between the business and the service provider. For a variety of reasons, this is a recipe for failure from both a business and security standpoint.
Who manages the Service Provider?
The key point here is Governance, with the main problem being that the designated individual will usually wear multiple hats, and is often non-technical. This makes the implementation of any technical solution questionable in the sense of its suitability for the purpose it was deployed for, and ultimately boils down to nothing more than trust on the part of the small business. Unfortunately, it is often the case that systems and solutions are implemented with no formal training or support going forward. At this point, the service provider has satisfied the immediate criteria, but what happens going forward in terms of updates, maintenance, and support?
These key areas are often disregarded by small businesses looking to reduce costs. The misconception here is that the system can run by itself without any need for intervention. I’ve seen various incarnations of service providers over the years, and also dealt with one that only patched the servers, and not the desktops – in fact, the servers were patched remotely without any testing beforehand. When it comes to security, I prefer to work inside out. In other words, I see desktop machines with users as a much higher risk of vulnerability and / or compromise than servers themselves – mainly attributed to social engineering techniques employed by today’s (and yesterday’s) cyber criminals.
As servers are typically unmanned, the chances of someone clicking a link in an email and the machine being infected or compromised are dramatically lower than for a client machine. This, of course, does not mean that servers are less important – quite the contrary. By definition, they are unmanned, meaning that a compromise could slide under the radar in terms of detection if the right policies, equipment and monitoring are not in place. As a result, they need to be patched frequently. My advice here is monthly at a bare minimum, and not just Windows Updates. Inevitably, this triggers a requirement for testing (and by definition, additional overhead), but is something I’d consider essential.
Small business cyber security awareness
Servers should contain only the software they need to perform the requested functions, and nothing else.
As an example, why does a file server need Adobe Reader? The short answer here is “It doesn’t”.
Leaving unnecessary software installed on servers makes them vulnerable to weaknesses and flaws that could be (and often are) exploited by cyber criminals to gain unauthorised access. In the case of a small business, these vulnerabilities are all too easy to identify and leverage, making them highly visible in terms of low hanging fruit. You’re probably familiar with the phrase “easy pickings”. If the fruit hangs low, obtaining access is much simpler than it would be attacking a large organisation where the fruit is significantly higher up the tree. Some small businesses have dangerously outdated software, meaning that low hanging fruit is now actually on the ground rotting – and an easy target for compromise.
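The two checks argued for above (patch age on servers and desktops alike, and software that has no business being on a given server role) are easy to automate once the service provider has an inventory. The following is an added example, not code from the original article or any MSP's tooling: it runs a hypothetical per-role software allowlist and a 30-day patch-age threshold over a constructed inventory, and flags the file server carrying a PDF reader while leaving the same reader alone on a user's workstation. The inventory format, host names, role names and allowlists are all assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed, hypothetical inventory in the shape an MSP might export from its
# management tooling: one record per managed host. None of it is real data.
INVENTORY = [
    {"host": "FS01", "kind": "server", "role": "file_server",
     "last_patched": date(2024, 3, 2),
     "software": ["Windows Server", "File Server Role", "AV Agent",
                  "Adobe Acrobat Reader DC"]},
    {"host": "DC01", "kind": "server", "role": "domain_controller",
     "last_patched": date(2024, 4, 10),
     "software": ["Windows Server", "Active Directory Domain Services", "AV Agent"]},
    {"host": "WS07", "kind": "desktop", "role": "workstation",
     "last_patched": date(2024, 2, 20),
     "software": ["Windows 11", "Microsoft 365 Apps", "AV Agent",
                  "Adobe Acrobat Reader DC"]},
]

# Hypothetical per-role allowlists: what each role legitimately needs to do its job.
# A PDF reader belongs on a user's workstation, not on a file server.
ROLE_ALLOWLIST = {
    "file_server": {"Windows Server", "File Server Role", "AV Agent", "Backup Agent"},
    "domain_controller": {"Windows Server", "Active Directory Domain Services", "AV Agent"},
    "workstation": {"Windows 11", "Microsoft 365 Apps", "AV Agent", "Adobe Acrobat Reader DC"},
}

MAX_PATCH_AGE = timedelta(days=30)   # monthly at a bare minimum, servers and desktops alike
TODAY = date(2024, 4, 15)            # fixed date so the example is repeatable


def audit(inventory, today=TODAY, allowlist=ROLE_ALLOWLIST, max_age=MAX_PATCH_AGE):
    """Return (host, finding_type, detail) tuples for every host that is overdue
    for patching or carries software outside its role's allowlist."""
    findings = []
    for h in inventory:
        age = today - h["last_patched"]
        if age > max_age:
            findings.append((h["host"], "patch_overdue",
                             f"{age.days} days since last patch"))
        allowed = allowlist.get(h["role"])
        if allowed is None:
            # Unknown role: the software cannot be judged, so hand it to a human.
            findings.append((h["host"], "unknown_role", h["role"]))
            continue
        for pkg in sorted(set(h["software"]) - allowed):
            findings.append((h["host"], "unnecessary_software", pkg))
    return findings


def by_host(findings):
    """Group findings per host, ready for a review sheet."""
    out = {}
    for host, kind, detail in findings:
        out.setdefault(host, []).append(f"{kind}: {detail}")
    return out


if __name__ == "__main__":
    for host, items in by_host(audit(INVENTORY)).items():
        print(host)
        for item in items:
            print("  -", item)
```

With the constructed data, FS01 is reported both as 44 days overdue and as carrying an unneeded PDF reader, WS07 (a desktop) is reported as 55 days overdue, and DC01 is clean; the desktop is held to the same patch window as the servers, which is the article's point about working inside out.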
Another area where service providers typically fail their clients is the lack of cyber security awareness, knowledge and training. Admittedly, from a business perspective, this involves time and effort aside from the cash investment, and unless this is factored into any contract, should a service provider provide it for free? Opinions vary on this issue – admittedly, it is a new sales channel and opportunity for the managed service provider, but one that should be seriously considered by any small business in order to remain vigilant around new (and old) threats.
What should a service provider deliver to their clients?
The focus point here is “Managed” – small businesses will assume that all aspects of their IT infrastructure and associated environment are being taken care of as part of their Managed Service Agreement. They are unlikely to perform any type of gap analysis in order to determine what is missing after the new contract is in place, or ask any questions around the service provided if they are non-technical. So what should a service provider be providing as part of their managed service?
- Work with the small business to build processes, and gain an understanding of their business needs
The service provider should clearly define the services that they will actually provide, and ensure that their client is fully aware of what these are, and where the service provider releases responsibility. From an audit perspective, the processes in place need to be repeatable – if the service provider is requested to provide a reason for taking a specific approach, they should be able to communicate this clearly and effectively, and explain how and why this is part of the process.
- Standardise on one manufacturer of networking equipment
The service provider should standardise on one networking equipment manufacturer. Doing so allows a best of breed solution to common issues, and with only one product to be concerned about, there is little distraction. Centralising on one vendor allows the service provider to become a specialist, and by definition, is then able to perform complex infrastructure design and implementation that is common across all of their managed sites. The service provider would then be in a position to partner with a major vendor for further leverage around pricing and expertise.
- Perform regular log data analysis and review
Most organisations do not realise that they have been the victim of cyber crime until it is too late. On the flip side, some organisations generate thousands of email alerts in one day, and the one that you really should have reacted to is buried so deep in other useless information that it is missed (think Target here – today’s standard alert sources are typically IDS, IPS, firewalls and switches). If it is on your network and provides access to something or someone, then it should be carefully examined to ensure that it is not being abused.
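The "one alert buried among thousands" problem above is largely a grouping and ranking problem. The block below is an added example (not code from the article or from any vendor's product): it parses a constructed day of alert lines in a hypothetical `timestamp source SEVERITY: message` format, collapses repeats by normalising numbers such as ports, addresses and job ids, then ranks groups by severity first and rarity second, so a single critical IDS event surfaces above 1,500 routine firewall denials. The log format, sources and messages are assumptions for illustration, and malformed lines are counted rather than silently dropped.

```python
import re

# Hypothetical alert line format assumed for this example:
#   <ISO timestamp> <source> <SEVERITY>: <message>
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\w+) (?P<sev>INFO|WARNING|CRITICAL): (?P<msg>.+)$"
)
SEVERITY_WEIGHT = {"CRITICAL": 100, "WARNING": 10, "INFO": 1}


def parse_alert(line):
    """Return a dict for a well-formed alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def normalise(msg):
    """Collapse digits (ports, addresses, job ids) so repeated alerts group together."""
    return re.sub(r"\d+", "N", msg)


def triage(lines, top=5):
    """Group alerts by (source, severity, normalised message) and rank the groups by
    severity first, then by how rarely they occur, so one critical event is not buried
    under thousands of routine warnings. Returns (ranked_groups, unparsed_count)."""
    groups = {}
    unparsed = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            unparsed += 1          # keep count: a broken feed is itself worth knowing
            continue
        key = (a["source"], a["sev"], normalise(a["msg"]))
        g = groups.setdefault(key, {
            "source": a["source"], "severity": a["sev"], "pattern": key[2],
            "count": 0, "first_seen": a["ts"], "example": a["msg"],
        })
        g["count"] += 1
    ranked = sorted(groups.values(),
                    key=lambda g: (-SEVERITY_WEIGHT[g["severity"]], g["count"], g["source"]))
    return ranked[:top], unparsed


def constructed_alert_day():
    """Constructed sample data, not captured from any real network: a noisy day with
    one critical event hidden inside it plus one malformed line."""
    lines = []
    for i in range(1500):
        lines.append(f"2024-04-15T08:{i % 60:02d}:{i % 59:02d} firewall WARNING: "
                     f"denied tcp 203.0.113.{i % 250}:{40000 + i} -> 192.0.2.10:445")
    for i in range(1200):
        lines.append(f"2024-04-15T09:{i % 60:02d}:00 switch INFO: port gi1/0/{i % 48} link up")
    for i in range(300):
        lines.append(f"2024-04-15T10:{i % 60:02d}:00 backup INFO: job {i} completed")
    lines.insert(700, "2024-04-15T08:11:37 ids CRITICAL: new local administrator "
                      "account created on FS01 outside change window")
    lines.append("garbage line without structure")
    return lines


if __name__ == "__main__":
    ranked, bad = triage(constructed_alert_day())
    print(f"unparsed lines: {bad}")
    for g in ranked:
        print(f"{g['severity']:8} {g['source']:8} x{g['count']:<5} {g['example']}")
```

On the constructed data the ranking comes out as the single CRITICAL IDS event, then the 1,500 firewall denials as one group, then the two INFO groups with the rarer one first. The severity weights and the "rarer is more interesting" tie-break are deliberately simple; the point is that review happens over a handful of groups rather than thousands of individual emails.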
- Become a centre of expertise in relation to new / emerging technology, and be open to its support and usage
The onset of IoT (Internet of Things – the inter-connectivity of web enabled devices) and IPv6 means that networks are forever changing shape and size. Service providers need to be aware of these changes, and remain up to date with knowledge and the impact to security. IoT has gained in popularity over the years, and with no signs of diminishing, service providers should possess the prerequisite knowledge in terms of what works and what doesn’t from a business and security perspective.
- Write an effective policy
Service providers should work with their clients and provide assistance in composing robust IT / information security and acceptable usage policies. Provide the client with assistance in terms of how these will be enforced, and determine who is responsible for their enforcement going forward. Any service provider offering their knowledge in this area to a client will strengthen the business relationship. It is also a clear demonstration of their commitment to offering service, and providing the client with an excellent return on investment.
The common factor present in all of these points (and they are by no means exhaustive) is education. This is essential for any service provider and client relationship to succeed, and paramount in terms of securing assets, intellectual property, and client confidence. The technology landscape changes rapidly, and as a result, there is always something new to learn.
I expect that this article may spark debate amongst service providers and their associated clients, but if you needed any further proof of how widespread this issue actually is, have a look at this