by Mark Seward, VP of security solutions at Anomali
Many of the most innovative companies are small to medium sized businesses (SMBs). These businesses are full of new ideas for services, new products – and improvements to existing ones. And this is certainly true in the cyber security sector.
Many of the most exciting and innovative solutions to current cyber security problems are being produced by small and medium sized businesses. Ironically, though, many early stage cyber security companies initially target their offerings to the Fortune 500 and look to move down market to SMBs much later in their product life-cycle – and, sometimes not at all.
Non-cyber security small-to-medium sized businesses are focused on creating value around their core competency, not cyber security. According to a study by Towergate Insurance, “…ninety-seven percent of smaller companies neglected to prioritize online security improvement for future business growth.” Typically, the first few key hires in IT are ones that will help “keep the lights on,” deal with password lock-outs and provision and configure network services and company laptops. Even with a firewall and anti-virus program, these business are the most vulnerable to cyber attackers. If their intellectual IP is stolen or if they are discovered to have been a launching pad for attacks against a larger business partner, it can mean going out of business.
In terms of setting up and enhancing cyber security, SMBs face several interesting challenges:
- Many don’t have staff dedicated to cyber security
- Most don’t have security information and event management (SIEM) systems or threat intelligence data
- Cyber insurance is often prohibitively costly
- Many are aware of the need to collect log data for later analysis by a consultant for regulatory compliance purposes
- The cyber security of small and medium sized businesses is a growing concern in the supply chain
The security staffing challenge will remain a problem for all organizations – not just SMBs – for the foreseeable future. According to Michael Brown, CEO at Symantec, “The demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million.” Wages for top-notch cyber security analysts are increasing at a rate of over seven percent each year. Supporting this kind of wage growth is difficult for SMBs, and companies that are able to afford this are able to poach the best talent. Hiring junior, or less experienced employees and keeping them once they are trained is a big challenge.
Those small businesses that may be aware of the availability of cyber insurance (67 percent are not) also know that the cap for coverage of data breach impact is only around $10,000. This might only cover the cost of system restoration – not the loss of intellectual property or the loss of customer records. SMBs understand the value of collecting logs for network and application troubleshooting and for regulatory compliance.
Security is challenging enough to stay on top of when you have to worry about just your organization and your technology. A near-impossible factor to track from a security perspective for for SMBs is the third-party “wildcard.” Supply chain security and the vulnerabilities and the connections between businesses represent risks that major companies are focused on. For instance, Lowes and Target both suffered major breaches due to security breaches in smaller business they had relationships with.
“If you list the top-10 critical suppliers and make sure they are secure, then that list might change or some random website created by a third party that wasn’t in the top 10 may be the risk,” said Sam King, executive vice-president of strategy for Veracode.
It’s clear that many SMBs that don’t have the cyber security staff, threat intelligence or infrastructure needed to be able to be able to protect their business – and by extension – their business relationships. These businesses need to focus on obtaining security products and services that automate breach detection and discovery, and allows them to get the value of security analysis and infrastructure without the huge upfront and ongoing costs. The service would also feature the ability to share a small business’s security posture as a proof point for other larger businesses in the supply chain.
These kinds of services are gaps in the market that, once filled, should allow any company to use security as a differentiator when competing to supply services or goods as part of a larger supply chain.
Mark Seward,VP of security solutions at Anomali is a Certified Information Systems Auditor (CISA) and has more than 15 years of experience as a security practitioner, He has held a number of leadership positions in product management. Prior to joining Anomali, Seward served as the senior director, security and compliance, at Splunk, where he was responsible for security use-case messaging for the company’s real-time operational intelligence product. His tenure has also included positions at Symantec, Qualys and LogLogic.