What can the public sector learn from entrepreneurs and SMEs about cyber security?


Nick Denning, Managing Director of Policy Monitor (and subsidiary Diegesis), considers the lessons that public sector operations can learn from entrepreneurs and small and medium-sized enterprises (SMEs) about implementing cyber security and responding effectively when attacks occur

High-profile reports of cyberattacks inevitably focus on large organisations such as Marks & Spencer and Jaguar Land Rover, as these are the most newsworthy due to the size of the potential impact. However, cyberattacks occur daily at all levels in the UK, particularly within SMEs. To what extent are there lessons to be learned by large or public sector organisations from the experience of SMEs and entrepreneurs?

Large organisations have the funds to build robust defences, including a dedicated security team. They have economies of scale for effective technology, continuous training, and a security architecture based on defence in depth.

That is not to say all is perfect. Keeping legacy systems up to date with the latest software versions is a challenge. Single sign-on and strong network security (segmentation and tight access controls) can provide a defensive perimeter around such systems, but that is a mitigation, not a substitute for patching: a legacy system that cannot be patched should be treated as a known risk and monitored accordingly.

Within any organisation, the challenge remains to implement effective risk management and have the ability to monitor, detect, and respond to penetration attempts before they become successful attacks.

Larger organisations typically have a supply chain with which they must interact electronically. Such supply chains can be made up of companies of different sizes, sophistication and maturity in their cyber security hygiene.

What, if anything, do organisations in a supply chain have to offer each other?

A matter of survival for SMEs

A cyberattack can be fatal to an SME, where cash is king. Any interruption to business, or being disconnected from a customer's supply chain after an intrusion, could be a killer.

Large customers know this too. Many enterprises issue their own laptops, with VPNs pre-configured, to the SMEs in their supply chain so that the risk of a compromise spreading from a supplier into the enterprise is minimised.

Value for money

A key driver for SMEs is value for money and return on investment from technology spend.

At the same time, SMEs are particularly aware that 'excellence can be the enemy of good', so balancing risk against cost and protection is second nature.

We also know how easy it is, with a mobile workforce, for processes to be suboptimal. For example, leaver processes may not be completed, so access rights and privileges can remain for departed users, particularly on third-party systems such as Sales Navigator or partner websites, which are often not covered by single sign-on and so are not revoked when the central account is disabled.

Many SMEs have a greater appetite for risk. As a consequence, they put as much effort into assurance as into implementing the security requirements themselves: regular checks that a process actually ran and had the intended effect, rather than trying to make the process perfect, and done in a way that is not so onerous as to stifle the business while it is being undertaken.
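The leaver problem in the previous paragraph is a good candidate for exactly this kind of assurance check. The following is an added example, not code from the article or from Policy Monitor: it reconciles a constructed HR roster (who has left, and when) against constructed user exports from two third-party systems, and flags accounts that belong to leavers but are still enabled, accounts with no matching HR record at all, and current users' accounts that have not been used for a long time. The system names, people, dates and the 90-day staleness threshold are all assumptions.

```python
"""Offboarding assurance check: reconcile HR leavers against third-party access.

Added example (not from the article): compares a constructed HR roster with
constructed user exports from third-party systems and flags access that the
leaver process should have removed. Names, systems and dates are invented.
"""
from dataclasses import dataclass
from datetime import date

STALE_DAYS = 90            # assumption: no login for this long means "probably unused"
AS_OF = date(2024, 6, 30)  # constructed date on which the check is run


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    kind: str      # "orphan", "leaver_enabled" or "stale"
    detail: str


# Constructed HR roster: email -> leaving date (None = current employee)
HR_ROSTER = {
    "alice@example.com": None,
    "bob@example.com": date(2024, 3, 29),
    "carol@example.com": None,
    "dave@example.com": date(2024, 5, 10),
}

# Constructed exports from third-party systems: system -> [(account, enabled, last_login)]
THIRD_PARTY_EXPORTS = {
    "crm": [
        ("alice@example.com", True, date(2024, 6, 1)),
        ("bob@example.com", True, date(2024, 4, 2)),    # left, still enabled, used after leaving
        ("dave@example.com", False, date(2024, 5, 1)),  # left, correctly disabled
    ],
    "partner-portal": [
        ("carol@example.com", True, date(2024, 1, 15)),  # current, but unused for months
        ("erin@example.com", True, date(2024, 6, 20)),   # nobody in HR by this name
        ("bob@example.com", True, date(2024, 3, 1)),     # left, still enabled
    ],
}


def reconcile(roster, exports, as_of, stale_days=STALE_DAYS):
    """Return the list of findings for every third-party account that needs attention."""
    findings = []
    for system, accounts in exports.items():
        for account, enabled, last_login in accounts:
            email = account.strip().lower()
            if email not in roster:
                findings.append(Finding(system, account, "orphan",
                                        "no matching HR record; verify owner or disable"))
                continue
            left = roster[email]
            if left is not None and left <= as_of:
                if enabled:
                    detail = f"still enabled {(as_of - left).days} days after leaving on {left}"
                    if last_login and last_login > left:
                        detail += f"; last login {last_login} is after the leaving date"
                    findings.append(Finding(system, account, "leaver_enabled", detail))
                continue  # a disabled leaver account is the expected outcome
            if enabled and last_login and (as_of - last_login).days > stale_days:
                findings.append(Finding(system, account, "stale",
                                        f"no login for {(as_of - last_login).days} days"))
    return findings


def by_kind(findings):
    """Group findings as {kind: [(system, account), ...]} for a short management summary."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.kind, []).append((f.system, f.account))
    return grouped


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, THIRD_PARTY_EXPORTS, AS_OF):
        print(f"{f.kind:15} {f.system:15} {f.account:22} {f.detail}")
```

Run monthly against fresh exports, the check catches the failure mode the article describes (the leaver process that was never completed) without requiring the process itself to be perfect; the "logged in after the leaving date" detail is the line that should trigger an incident review rather than just a clean-up ticket.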

Create a ‘human firewall’

We regularly identify that people are an organisation’s greatest strength and greatest weakness.

Common attacks remain malware, phishing that gets people to click on links or open attachments, phishing combined with follow-up phone calls, and now persuading people to read out their two-factor authentication (2FA) codes over the phone.

Training is critical to keep people aware of the risks and constantly questioning what is going on around them. Getting people back into the office also helps: colleagues can overhear a suspicious call or query a strange request, which reinforces that habit of continuous questioning.

Relatively few public servants have direct access to money, but they have access to information that is valuable, and potentially highly sensitive. They are often participants in a process that can result in payments being made, and there have been many reported frauds in government payment systems, such as the UK’s Department for Work and Pensions and HM Revenue & Customs, where insider criminals are involved.

Foster a strong security culture

Many aspects of security are second nature to people. Measures linked to health and safety highlight the need for physical safety and security measures, such as closing doors, not allowing strangers into the building, and activating alarms. Fire safety officers are appointed, and regular drills are conducted. Such measures seem baked into employee thinking. How can a similar ethos for virtual security be achieved?

  • The principles are the same for any organisation, but the practices vary.
  • An SME is more likely to name and shame, even if that may not be consistent with all HR principles.
  • Finding strategies to keep security in people's mind's eye goes a long way. We see that an effective strategy is to change the screen saver on an unattended device.
  • Embed security responsibility. SMEs may not have the 'luxury' of large IT departments, so there can be a heightened "do nothing" risk. On the other hand, having an active system or security administrator who politely calls out errors can be more effective than a central IT team that only follows up by email.
  • Gamifying training as part of the culture makes it personal, rather than just box-ticking.
  • Involving everyone in cyber resilience exercises also makes it personal.

SMEs can quickly embed culture around the obvious: strong identity management and passwords, password management and use of vaults, verifying financial requests through a secondary channel, and encouraging staff to spot phishing emails.

Prioritise resilience

For SMEs, effective cyber security is a strategic necessity to protect operations and reputation. It is often a survival issue and increasingly a competitive advantage, not merely a compliance burden. What SME resilience behaviours can the public sector learn from?

  • Prioritise actions based on impact. What keeps me awake at night? How do I ensure that we are safe?
  • Plan for business continuity, not just prevention.

Many large organisations predominantly focus on prevention but have little in place for responding to successful attacks and breaches.

For example, is it even possible to recover a system?

  • Unless there is an immutable, incremental backup mechanism, it may not be possible to recover data up to the point just before ransomware detonated. The backups must be immutable (or held offline) precisely because ransomware routinely encrypts or deletes any backup it can reach.
  • Can it be recovered to a point that is consistent with all other integrated systems?
  • If not, and all systems must be rolled back to a global consistency point, is there a transaction log that will allow each system to be rolled forward by replaying business transactions: resubmitting orders received and deliveries sent out?
  • Can the transactions with other integrated customers and suppliers be reconciled afterwards?

This is likely to take a significant effort. However, if we can restore sufficiently to do business, we can at least complete financial reconciliation offline, hopefully!
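The questions above are easier to reason about with a concrete recovery run in front of you. The following is an added example, not code from the article or from Policy Monitor: two constructed systems, orders and deliveries, write to a shared append-only, hash-chained transaction log. A simulated ransomware event corrupts the tail of the log; the code finds the last entry whose hash chain still verifies (the global consistency point), restores each system from its own earlier snapshot, rolls it forward by replaying only verified entries up to that point, and then reconciles the two states. Running the reconciliation against the bare snapshot, without the roll-forward, shows the inconsistency that the article warns about. The schema, operations and data are all assumptions made for illustration.

```python
"""Restore-then-roll-forward with an append-only, hash-chained transaction log.

Added example (not from the article). Two constructed systems (orders and
deliveries) share one transaction log. Each log entry commits to the previous
entry's hash, so any entry the ransomware altered or truncated breaks the chain
and everything after it is discarded. All data here is constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64


def entry_hash(prev_hash, seq, system, op, payload):
    body = json.dumps([prev_hash, seq, system, op, payload], sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append(log, system, op, payload):
    """Append one transaction, chained to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log) + 1
    log.append({"seq": seq, "system": system, "op": op, "payload": payload,
                "prev": prev, "hash": entry_hash(prev, seq, system, op, payload)})


def last_verified_seq(log):
    """Walk the chain from the start; return the last seq whose hash still verifies.

    This only means something if the log copy being checked was itself immutable
    or offline, i.e. out of the attacker's reach."""
    prev, good = GENESIS, 0
    for e in log:
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["seq"], e["system"], e["op"], e["payload"]):
            break
        good, prev = e["seq"], e["hash"]
    return good


def apply_entry(state, e):
    """Business transactions, reduced to a status per order for the example."""
    order = e["payload"]["order"]
    status = {"order_received": "received", "order_shipped": "shipped",
              "delivery_dispatched": "dispatched", "delivery_confirmed": "delivered"}
    if e["op"] not in status:
        raise ValueError(f"unknown op {e['op']}")
    state[order] = status[e["op"]]


def snapshot(state, seq):
    return {"seq": seq, "state": copy.deepcopy(state)}


def restore_and_roll_forward(snap, log, system, upto_seq):
    """Start from the snapshot, then replay this system's entries up to the consistency point."""
    if upto_seq < snap["seq"]:
        raise ValueError("snapshot is newer than the consistency point; an older snapshot is needed")
    state = copy.deepcopy(snap["state"])
    for e in log:
        if snap["seq"] < e["seq"] <= upto_seq and e["system"] == system:
            apply_entry(state, e)
    return state


def reconcile(orders, deliveries):
    """Cross-check the two systems: every shipped order needs a delivery, and vice versa."""
    issues = []
    for order, status in orders.items():
        if status == "shipped" and order not in deliveries:
            issues.append((order, "shipped but no delivery record"))
    for order, status in deliveries.items():
        if orders.get(order) != "shipped":
            issues.append((order, f"delivery '{status}' but order status is {orders.get(order)!r}"))
    return issues


def build_scenario():
    """Constructed history: ten transactions, snapshots at seq 3 and 6, then corruption of seq 9 on."""
    log, orders, deliveries, snaps = [], {}, {}, {}
    script = [("orders", "order_received", "A1"), ("orders", "order_received", "A2"),
              ("orders", "order_shipped", "A1"), ("deliveries", "delivery_dispatched", "A1"),
              ("orders", "order_shipped", "A2"), ("deliveries", "delivery_confirmed", "A1"),
              ("deliveries", "delivery_dispatched", "A2"), ("orders", "order_received", "A3"),
              ("deliveries", "delivery_confirmed", "A2"), ("orders", "order_shipped", "A3")]
    for i, (system, op, order) in enumerate(script, start=1):
        append(log, system, op, {"order": order})
        apply_entry(orders if system == "orders" else deliveries, log[-1])
        if i == 3:
            snaps["orders"] = snapshot(orders, 3)
        if i == 6:
            snaps["deliveries"] = snapshot(deliveries, 6)
    log[8]["payload"] = {"order": "ENCRYPTED"}  # simulated ransomware damage to entry seq 9
    return log, snaps


def recover(log, snaps):
    """Full recovery: find the consistency point, restore both systems to it, reconcile."""
    point = last_verified_seq(log)
    orders = restore_and_roll_forward(snaps["orders"], log, "orders", point)
    deliveries = restore_and_roll_forward(snaps["deliveries"], log, "deliveries", point)
    return point, orders, deliveries, reconcile(orders, deliveries)


if __name__ == "__main__":
    log, snaps = build_scenario()
    point, orders, deliveries, issues = recover(log, snaps)
    print(f"consistency point: seq {point}")
    print("orders:", orders, "\ndeliveries:", deliveries, "\nissues:", issues)
    print("snapshot only:", reconcile(snaps["orders"]["state"], deliveries))
```

Entries 9 and 10 are lost and have to be re-entered from the outside world (the customer's copy of the delivery confirmation, the order that was shipped), which is the offline reconciliation the article refers to. The point of the exercise is that the scope of that manual work is known exactly, because the chain tells you where trust ends.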

Recent attacks on public sector organisations, such as police forces, hospitals, and councils, highlight the importance of resilience in maintaining continuity of service provision. It is time to learn from all sources: robust policies and risk management from large organisations, and innovation and agility from high-performing SMEs, while coaching other SMEs to catch up.

Please Note: This is a Commercial Profile
