What Cyber Security Processes and Mechanisms SMEs Need

Irek Bagautdinov

Irek Bagautdinov

Head of Cybersecurity at Andersen

IT Security
Jul 21, 2022
7 minutes to read
views

Regardless of whether a company uses cloud technologies or only owns a website, cyber security should be an important part of its business plan. What is paradoxical is that more than 60% of SME owners are not worried about this issue, as they believe that hackers are targeting large enterprises. But the figures say the opposite: according to Verizon's Data Breach Investigations Report (DBIR) for 2020, every third data breach is associated with a small business. We will tell you about reliable data protection mechanisms that a company of any level should have in order to avoid unpleasant situations.

Briefly about cyber security

Cyber security protects computer systems, servers, applications, and end-user data from attackers seeking to steal information or money. In cyber security, there is such a concept as vulnerability. This is the Achilles' heel - the way a hacker can commit illegal activities on a computer system or network. For example, such a sensitive spot may be a bug in the program code, which gives a criminal direct access to corporate information.

As society goes digital, companies are increasingly using computers and the IoT. More than half of humankind is already online, and thousands of new users join them every day. At the same time, hackers are inventing new ways to steal data. In light of this tendency, in 2021, cyber attacks were included in the top five global threats.

Attackers have more incentives to search for vulnerabilities in computer systems than ever: to steal data, get money, or pursue political motives. More than 2,000 data breaches worldwide are confirmed annually, each of which costs an average of $3.9 million.

Unfortunately, business owners often turn to cyber security services and media security services after an incident has already occurred. But experts treat the protection of a company as a daily priority, as even casual transactions on websites may have vulnerabilities. Due to this attitude of business owners towards cyber security, the actions turn out to be less effective than they could have been.

CEO of BullGuard Paul Lipman describes the problem well, pointing to the fact that small companies are often targeted by cyber attacks because they neglect security issues. But even one attack is enough to "bring a business to its knees." This risk can be avoided by sensibly using the following seven data protection mechanisms.

1. Vulnerability management

Vulnerability management is a strategy, using which companies monitor, eliminate, or minimize “holes” in the system. Cyber security specialists find and identify the type of vulnerabilities and then decide how to remedy the situation and protect the company. But there are some nuances here - if the process is built incorrectly, the consequences will be terrible.

For example, most organizations use a vulnerability scanner (Nessus, Acunetix, Qualys, Openvas, and others) that is launched once a month. The program checks the infrastructure, finds vulnerabilities, covers some of them, and leaves some unsolved.

At the same time, problems with managing defects arise. One of the most common problems is that a newly-created virtual machine is not included in the vulnerability scanner. Hence this computer won’t be scanned by the program. At the same time, nobody can guarantee that it is flaw-free, has patches, and so on. As a company grows, the security issue complexifies, and detecting system sensitive spots becomes more difficult.

Even if an organization has the most expensive scanner that is recommended by experts, its vulnerability base will not cover even 85% of all defects. Alexander Leonov, Information Security Analyst at Tinkoff, prepared a report on this topic - "The Vulnerability Scanner Illusion," where he compared three scanners of the open CVE database. As it turned out, they see different types of vulnerabilities differently - one program can find a hole that others don’t detect, or all programs can’t see a certain type of problem. Therefore, not all vulnerabilities can be detected and closed in time.

2. Secure development

Although the concept of security in development has existed for about 15 years since Microsoft introduced it, not all companies are aware of its value.

In an Agile software development model, the Security Development Lifecycle (SDL) involves checks for vulnerabilities between regular sprints and a final security review before deploying the software. Recently, there has been more talk about a new way to pre