The Cyber Security Maze for startups & SMEs – Part I

Cyber security doesn’t have to be a minefield. Although, let’s be honest, it does often appear to be that way. More so for startups and SMEs, who usually know security is important, but struggle to make sense of all the jargon and map out a clear direction. In this post, we’ll take a look at some of the challenges and assumptions involved, which invariably impact an organisation’s security posture.

I mentioned jargon above. The cyber security industry (marketing teams in particular) loves throwing terms around – Next Generation, Deception, Sandboxing, Zero Trust… it’s a long list. And while we’re not going to question the intent behind this – there is actually substance behind these terms (most of the time anyway) – it does rather add to the confusion instead of making things clearer.

Every vendor seems to have the latest and greatest product, which (the sales team earnestly tell you) reduces the risk you face and boosts your security. It also doesn’t help that sometimes (again, let’s steer clear of courting controversy) some of the terminology refers to pretty much the same mechanisms and techniques.

Take sandboxing for instance. Is there really a big difference between a true sandbox (no doubt ‘next gen’ versions are on the way), advanced heuristics and behavioural analysis? On the surface at least, they seem to use pretty much the same techniques. Delve a little deeper, and yes, distinctions can be found.

But, is the labelling more about creating noise (cue nod to our friends in Marketing) or because these distinctions merit it? And, if you’re an SME (or indeed any sized organisation for that matter) what really counts isn’t the wonderful explanation of what’s happening under the hood. It’s the actual value that’s added. Genuinely better protection? Or not?

Which, inevitably, can lead to cynicism. After all, there does seem to be an awful lot of FUD (Fear, Uncertainty and Doubt).

Is the security industry peddling this for its own ends? Still wet behind the ears, I recall that one of the first questions I had when joining a security vendor many moons ago was how we could prove to customers that it wasn’t in fact the industry creating malware in the first place. It turns out of course that, even if there are elements of exaggeration, the threat is real enough. Just as Big Pharma faces its share of scepticism, the fact is that bugs and germs have been around for centuries. We might have reservations, with good reason, about the inner workings and machinations of the pharmaceutical industry, but we can’t lay the blame for the existence of all diseases at their doorstep.

Of course, confusion isn’t limited to the security products and services available on the market. For example, making sense of data privacy laws and regulations can prove to be a challenging task in itself.

But, aside from issues of trust and the potential for confusion, what are some of the specific challenges SMEs face?

Let’s briefly cover a few of these.

Difficult to access proactive security services, normally seen as the preserve of those with big budgets.

This is a big one. Setting up and running something like a Security Operations Centre typically requires deep pockets. That’s less of an issue for enterprises, though even they have to contend with employee churn (it is certainly not easy to source good SOC analysts in a competitive market with a distinct shortage of skills) and deal with SOC-related challenges such as alert fatigue and other inefficiencies.

For startups and SMEs, there are evident advantages associated with having recourse to a dedicated security team and continuous monitoring of data and systems.

However, the costs of deploying a SOC or similar services in-house are prohibitive, which means smaller players miss out on significant benefits – something which is brought into even sharper focus if they operate in heavily regulated markets where securing data is imperative.

No dedicated in-house IT or security team.

Following on from the point above, IT needs are usually fulfilled through outsourcing, or via a small internal team. In some cases, somebody in IT may wear a mix of hats, including security. But there isn’t a dedicated security function that advises on security matters and works to implement a coherent security strategy.

The assumption is that hosting or IT providers will provide the security.

Startups and SMEs make heavy use of the cloud. The big three providers offer a range of competitive services, and the path to setting up the basics is usually easier, meaning people can focus on their core business and not worry about provisioning servers, installing email systems and purchasing expensive hardware. However, even where hosting providers offer security options to go alongside their services, these can come at an additional cost and still require proper configuration and implementation. Security is usually a shared responsibility between the provider and the customer: the provider secures the underlying platform, while the customer remains accountable for how their own data, identities and workloads are configured and protected. Using a third party therefore doesn’t absolve the customer of their responsibilities.

Too many other priorities to focus on.

Where to start? Competing priorities all vying for a slice of the budget can often mean security finds itself lower down on the scale of what’s important. Organisations need to focus on a whole myriad of tasks, so cue heated discussions about what should come first, what the road map should look like, cost benefit analyses, compromises and trade-offs, and so on.

Need to develop products/services at speed.

Time is money (apparently), but even for startups and other companies who can afford the luxury of playing a longer game, there is huge pressure to push out an MVP and get it to market. Budget is a common theme, and development efforts can rapidly start to burn through the available cash, so the emphasis shifts to building the product or service at speed.

In a competitive and shifting market, and given the amount of innovation that exists today, there can be a fear of being left behind – and nobody wants to miss the bus.

Testing of products focuses more on how they function and not how secure they are.

An inevitable conclusion of the above point. With speed being the primary concern, testing of products and services tends to focus on use cases, features and functionality. Invariably, security is an afterthought.

Performing an adequate risk assessment.

Though it can be time consuming, it does very much make sense to conduct a risk assessment to understand the level of risk being faced: what kind of data is being dealt with, what sensitive information is being stored and processed, whether there is intellectual property that has to be safeguarded, and so on.

Clearly the level of risk varies from company to company and is impacted by a host of factors, such as the type of data it deals with, and the industry and jurisdiction or territories the organisation operates in. The security posture of an organisation should typically reflect the level of risk it faces.

Not necessarily aware of industry regulations surrounding information security and the responsibilities these entail.

I mentioned earlier that it can be confusing for SMEs to understand regulations around data security and then map them to their own operations. The prerequisite to this, of course, is actually knowing what laws and directives (if any) apply and the potential consequences of not being compliant.

And with that, our cursory look at the hurdles startups and SMEs encounter is done. By no means an exhaustive list, and by no means applicable to all, but I suspect the above will resonate with many.

I stated at the beginning of the post that cyber security doesn’t have to be a minefield. Despite the challenges, it is possible to put in place meaningful and effective security. In our next blog post, we’ll take a look at some relatively simple steps that startups and SMEs can take to help them move in the right direction.