SME IT (UK) LTD

Calculating the real GBP cost of risk for small business owners

Monday 19 June 2017 / Published in Best Practices, Compliance, Cyber, Cyber Security, Hackers, Managed, Managed IT services, Managed Services, Risk Intelligence


In my last article (Calculating the GBP cost of risk with SME IT Security Liability Assessment), I outlined how organisations – big and small – can both identify and quantify risk by placing a GBP cost on that risk. This process, as defined by the SME IT Security Liability Assessment solution, calculates risk as a function of the amount of unprotected sensitive data, the average cost per record during a data breach and a score determining how vulnerable a given endpoint is.

For organisations with a dedicated security team, all this makes perfect sense. For the security professional, the GBP cost of risk helps outline where their focus needs to be to reduce this risk.

But, what does this mean for the SMB?

According to Cisco’s 2016 Annual Security Report, SMBs are still less secure than their Enterprise counterparts. They have no dedicated security team, they often use outdated hardware and security solutions and they lack the security protocols around intrusion and vulnerability protection – all of which leaves them prone to attack.

While the GBP cost of risk for an SMB may actually be lower than that of an enterprise, this cost needs to be put into perspective. Think about it – if there are fewer endpoints and fewer records than, say, a company with 25,000 employees, the calculated GBP cost of risk will have fewer zeros at the end. The 25,000-employee company may have a risk GBP cost in the millions where the SMB’s risk is only measured in the thousands. However, it’s important to look at the GBP cost relative to both the size and revenue of the organisation in question.

Regardless of the specific value, if there is a GBP cost of risk for any given business, it reflects vulnerability, mismanagement of sensitive data and the dangerous potential mixture of the two should an external attack take place.

So, what steps should SMBs take to reduce the risk (and the associated GBP cost)?

To answer this, let’s start by looking at how the GBP cost of risk is calculated:

# of unprotected records x cost per record x CVSS Score

And remember this is calculated on a per-endpoint basis, as each endpoint, in essence, gets its own CVSS score. So, if you want to reduce your risk (as indicated by the risk GBP cost), you can simply work to reduce each of the three areas of risk outlined in the calculation:

  • Reduce the # of unprotected records
    Start by asking: “what constitutes an unprotected record?” Generally, the calculation dictates that it’s a record found on an endpoint rather than securely stored on a server. So, there are two things right there:

    • have an inventory of all endpoints (so you’re aware of all the devices unprotected records can potentially exist on);
    • and, consider implementing company policies that encourage users to not copy sensitive data to their endpoints.
  • Reduce the cost/record
    OK, this one sounds strange. That’s industry data we’re talking about – how are you supposed to reduce that? Call up Ponemon and ask them to lower the number? While no one from Ponemon will return your calls, you can reduce the cost/record by reducing the access to costly data types. Now, the HR folks will always need to access National Insurance numbers here in the UK, but ensuring that data isn’t accessible by anyone else becomes important. Putting privileges in place to minimise access by accounts is a great first step. Remember, just because a record is sitting on an endpoint, doesn’t mean every user logging onto that endpoint can access it… provided you put some security in place to prevent it.
  • Reduce the CVSS score
    According to the Cisco report, Flash vulnerabilities continue to be a popular attack vector. Why? Because nobody updates their Flash to patch all the security vulnerabilities that exist. This is such an easy one for you all – it really just comes down to scanning and patching all your devices. I’m oversimplifying things a bit, but at the end of the day, the CVSS really just looks at a device and tells you just how vulnerable it is based on known vulnerabilities. Patched endpoint? Low CVSS score. Simple.
  • Reduce the number of unprotected endpoints
    While this one isn’t exactly part of the calculation, because the CVSS is endpoint-specific, it just makes sense that you begin to look beyond whether an endpoint is patched or not. Instead, look to protect it from an external attacker gaining entry via malware-laden emails or websites, so that this never becomes a discussion around how many records are actually on a given machine. If an attacker can’t access it, it doesn’t matter anyway. Looking at email protection and even endpoint threat protection solutions is a great start to locking down an endpoint from ever being a victim.
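
The calculation and the reduction steps above, worked through as an added example (not code from the article or from the SME IT Security Liability Assessment tool). The endpoint names, record counts, CVSS scores and per-record costs are constructed for illustration and are not industry figures.

```python
from dataclasses import dataclass, replace

# Constructed GBP cost per record by data type (illustrative only).
COST_PER_RECORD = {"ni_number": 150.0, "payment_card": 100.0, "email": 5.0}

@dataclass(frozen=True)
class Endpoint:
    name: str
    cvss: float      # per-endpoint score, 0.0 to 10.0
    records: tuple   # ((data_type, unprotected_record_count), ...)

def endpoint_risk(ep):
    """# of unprotected records x cost per record x CVSS score, for one endpoint."""
    if not 0.0 <= ep.cvss <= 10.0:
        raise ValueError(f"{ep.name}: CVSS score must be between 0 and 10")
    exposed = sum(count * COST_PER_RECORD[kind] for kind, count in ep.records)
    return exposed * ep.cvss

def total_risk(endpoints):
    """The calculation is per endpoint, so the organisation's figure is the sum."""
    return sum(endpoint_risk(ep) for ep in endpoints)

def ranked(endpoints):
    """Endpoints ordered by GBP cost of risk, highest first."""
    return sorted(endpoints, key=endpoint_risk, reverse=True)

def what_if(endpoints, name, **changes):
    """Total risk after changing one endpoint, e.g. cvss=2.0 or records=()."""
    return total_risk(
        [replace(ep, **changes) if ep.name == name else ep for ep in endpoints]
    )

def risk_to_revenue(endpoints, annual_revenue_gbp):
    """GBP cost of risk relative to the size of the business."""
    return total_risk(endpoints) / annual_revenue_gbp

# Constructed inventory of a small office.
INVENTORY = [
    Endpoint("sales-pc", 9.0, (("email", 1000),)),
    Endpoint("hr-laptop", 7.5, (("ni_number", 200),)),
    Endpoint("finance-pc", 4.0, (("payment_card", 300),)),
]

if __name__ == "__main__":
    for ep in ranked(INVENTORY):
        print(f"{ep.name:12} GBP {endpoint_risk(ep):>10,.0f}")
    print("total:", total_risk(INVENTORY))
    print("patch hr-laptop to CVSS 2.0:", what_if(INVENTORY, "hr-laptop", cvss=2.0))
    print("move hr-laptop records to server:", what_if(INVENTORY, "hr-laptop", records=()))
    print("share of GBP 1m revenue:", risk_to_revenue(INVENTORY, 1_000_000))
```

In this constructed inventory the endpoint with the highest CVSS score (sales-pc) carries the lowest GBP cost of risk, because the records on it are cheap; the ranking, not the raw score, shows where to start.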

Keeping the SMB Risk GBP Cost Down

SMBs have a lot more to worry about than larger organisations. Some of the most basic tenets of IT security are rarely adhered to, making SMB networks prime targets for external attacks. The use of the GBP cost of risk isn’t necessarily meant to be a wake-up call by using some massive number (although using a tool like SME IT Security Liability Assessment and getting a report with a whopper of a risk cost sure better get you out of your seat!). Instead, use the GBP cost to represent the outline used by enterprises to define where they need to place their energies in order to reduce risk. By following the steps outlined in this article, you can effectively reduce each facet of risk that is used to calculate your organisation’s GBP cost of risk.

Just because you’re an SMB doesn’t make you immune; it makes you a target. Do the math, and get cracking on clamping down on your GBP cost of risk.

Tagged under: Managed, Managed IT, MSP
