“We, as a society must understand that our digital future is inextricably linked to cyber security.” And right now, the weakest link are small and medium-sized businesses (SMBs). The emerging trend in the industry - servicification - is their chance.
The cyber security situation in Germany is tense, writes the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) in its report on cyber attacks, which was presented on 17 October. The head of the authorities, Arne Schönbohm, speaks of a multitude of highly specialized and high-quality attacks. Behind some of these attacks are foreign secret services, but mostly they are committed by organized crime.
The report shows that the quality of cyber attacks has continued to increase and that the threat level remains high. But it also gives a little hope, because the report makes it clear that cyber attacks can be successfully fended off if cybersecurity measures are consistently implemented. The BSI continues to foresee a very high-risk situation for smaller companies. This is mainly due to the fact that the operation of effective protection measures is usually very complex, requires expert knowledge, and entails high costs.
This is in line with the results of a study published last year by the German Wissenschaftliches Institut für Infrastruktur und Kommunikationsdienste (Scientific Institute for Infrastructure and Communication Services). This study examined the cyber security situation in companies with 1 to 500 employees. The study showed that despite increasing digitalization, there is still a lack of awareness of cyber security. Even where companies declare their own risk to be high, protection is inadequately provided. In contrast to large companies, SMBs usually have only limited resources for cyber security.
All the same, looking back on the quickly passing year 2019, enterprises were not spared in cyber attacks either. Germany has been hit by cyberattacks in many areas, starting from the hacked accounts of multiple politicians at the beginning of the year, when letters, contact details, party memos, mobile phone numbers, contact info, and credit card details from members of Germany's major parties were published on Twitter. Just a month month later (in February), the BSI published a truly eye-opening report on attacks targeting critical infrastructure (including areas and industries such as energy, transport, water, food, communications, etc.), which in the second half of 2018 had amounted to 157 – and this number has been rising every quarter. Just this month, defense contractor Rheinmetall AG suffered from malware attack on its production plants worldwide, and in summer we read about 18 medical facilities in the German federal states of Saarland and Rhineland-Palatinate being hit by ransomware.
Now that we are on the subject of hospitals, companies need to create what we can call their own “cyber security hospital” to maintain the health of their cyber security – one with multiple solutions and specialized hardware (hospital equipment), as well as an expert team to manage, monitor, and respond to any threats (hospital staff). But just as only the richest are able to have their own clinics, only large enterprises are able to maintain such high standards of cyber security. However, only such high standards can ensure that the company and its data are secure. And even those never reach 100% security. As the popular saying in the industry goes, “the question is not if but when the company IT will be breached”.
Complete cyber security systems currently comprise of solutions from multiple vendors – after all, looking at Gartner’s Magic Quadrants, each vendor specializes in different aspects of cyber security – firewalls, endpoint protection, backups, threat response, threat visibility… Creating such a system is an enormous undertaking, from the perspective of money, people, and time. For all the technologies and hardware to be effective, they need to be properly orchestrated and maintained. Only a substantial group of trained specialists can do so effectively. Otherwise, the company is left with expensive hardware and gaps reminiscent of Swiss cheese in their security. What’s more, to counter ever-evolving threats, the staff need to constantly broaden their knowledge (meaning continuous expenditure on training) and technology must be regularly updated. Unfortunately, after long and costly integration, the chosen solutions may prove ineffective before they offer a return on investment, due to ever-evolving threats in the wild.
For now, expensive, multi-vendor solutions seem to address the situation at hand. But even those are not foolproof, and come with a host of problems themselves. To configure, maintain, and monitor such a security environment, an entire, experienced team is required. In reality, multi-vendor environments are often ineffectively maintained, leaving gaps in configuration and creating new attack vectors. As multiple data breaches and leaks from the last few months show, it’s enough to have one Elasticsearch database with a weak password to lose thousands upon thousands of valuable pieces of data.
In such a situation, what is the SMB sector to do? The times when they could feel safe and overlooked by cyber criminals has passed. Considering that data is now “the new black gold”, SMBs are treasure troves ready for ransacking. When all devices in any organization are connected to the Internet and the attack vectors are multiplying, now more than ever, small and middle-sized companies need to protect themselves from attacks and unauthorized access to data – their lifeblood. The consequences are devastating – it is no longer just an inconvenience. The short-term effects are always financial – revenue loss, remediation costs, and possible fines based on the GDPR regulations. However, the loss of customer trust, a long-term consequence of any cyber attack, can prove to be even more damaging.
Using just one solution (something which is achievable for SMBs) is not enough. It may also prove dangerous because it creates a false sense of security, making existing staff – as well as C-Level managers – believe they are safe, while in fact their company is ripe for the picking.
Thankfully, there is a ray of hope in this bleak picture painted by the BSI’s report. With the popularization and development of the cloud, solutions have arisen which address all the pain points of today’s cybersecurity – also for the small and middle-sized businesses. Cloud technology has made it possible to democratize cyber security and create a cyber security service, similar in nature to other well-known services, such as Netflix, Spotify, and Office 365. This is a new – perhaps even disruptive – method of cyber security delivery (“servicification”), which makes it possible for companies to have enterprise-level security in an affordable subscription, paid monthly or annually.
This can be seen as the next level of managed services – but easier to use and more affordable. Cloud cyber security service providers base their offer on best available technologies and, to stay competitive, adjust it to the current threat landscape, which they monitor regularly. Hence ensuring their protection is always ready for the newest threats – even “zero-day” attacks. They also coordinate all the technology inside the service to create one unified platform, continuously managed and overseen by experienced staff. Additionally, placing this solution in the cloud enables great flexibility and scalability, introducing the “pay-as-you-grow” model to cyber security. In short, all upfront investment costs (dedicated hardware, software licenses, and employing and training new staff), as well as high maintenance costs, are replaced by a monthly subscription. At the same time, in most cases, increasing the cyber security level of the company.
Furthermore, because it’s a service, deploying the protection is easy – and it’s equally easy to cancel it. This makes cybersecurity service providers offer attractive additional features, important for overall security. One example is greater visibility into the company IT environment – owners and IT departments can gain more knowledge about all the threats, applications, and user behavior inside the company. Another is a professional cybersecurity management in the form of Security Operations Center (SOC), which not only monitors and responds, but also often comes with a host of additional features (depending on the provider), such as: vulnerability management, risk monitoring, data breach recognition, misconfiguration scans, etc.
The future undoubtedly holds more and more threats from both state actors and criminal operations. However, with progressing servicification – the emergence of cloud cyber security services and subsequent democratization of high-level cybersecurity, the outlook may not be as grim as reports predict. It is now the time for small and middle-sized businesses in Germany and all over the world to heed the warning from Federal Office of Information Security and look into available solutions for their cyber security and the general security of our entire digital world.
With his 25 years of experience in IT Sales and Sales Leadership acquired in companies such as Veritas, Palo Alto Networks, RSA (a division of Dell EMC) and Deutsche Telekom, Roger is one of Veronym’s pillars of strength. He is a true agent of change, who loves sharing his burning passion and enthusiasm for each and every new challenge. He instills this mindset in the whole team, spreading his life philosophy: “Working hard for something we don’t care about is called stress. Working hard for something we love is called passion”.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.