Shooting Phish in a Barrel: SMEs and Cyber Security
From our position at Octopus Ventures, we get a broad view across the portfolio of the cyber security situation within many startups in a range of sectors. We also have the good fortune of investing in some of the most sophisticated cyber security businesses such as Digital Shadows and BehavioSec. Given how precarious many early-stage businesses are, and how hard they’ve fought to win their customers, the issue feels quite emotive. What we see are pockets of best practice rather than general awareness and prioritisation. The hard truth is that every month that passes more incidents of attempted (and happily, thwarted) data breaches are reported.
So what are the best companies doing in the face of the growing cyber security threat?
There’s already a lot of information out there, freely available. The Government, quite rightly, see the collective benefit of equipping our business community with as much up-to-date guidance as possible, so resources like the National Cyber Security Centre and Cyber Essentials aim to make available as much help and information as possible. There are also a large number of specialist consultancies and testing agencies, geared to helping SMEs if you want to dig deeper than this.
What and When?
But what about your company? The extent to which you invest and prioritise cybersecurity should probably be proportionate to the stage of your business and your particular activity. So for example, a seed stage hardware business’s cyber security measures would look very different to a series B payments company. Likewise, a significant product release without a degree of cyber security consideration around it, would these days, be inadvisable (a polite word for ‘bonkers’).
The biggest issue is inertia. The first time many companies think about this is in the aftermath of a data breach. The good news meeting this inertia, is how easy many of the fixes are.
Not If, But When
The key is a change of mindset. Waking up to the threat, assuming the risk is imminent, will light a fire under an effective cyber security policy. The trick is to make this a line item in the budget. If a chunk of money is ring-fenced at the beginning of the year (for an idea of how much, see the attached summary presentation), it will cease to become a cost centre and manifest as action.
The lowest level CyberEssentials measures will cost as little as £1,500, but more thoroughly executed, there’ll be in the region of £3-5k. Full penetration testing involves a friendly hacker launching a dummy assault on your defences, revealing its vulnerabilities and the potential negative impact on your business. A full ‘Red Team exercise’ will cost £20-40k, but an entry level ‘Pen Test’, involving one web app and five IP addresses would be nearer £3-6k.
The Danger of Complacency
CyberEssentials is a good start, but there’s a danger that stopping here leaves your defences too broad and shallow. Your business may contain a ‘crown jewels’ web application or one single critical business asset. Identifying that as in special need of protection will help mitigate disaster. Appointing a single person, ideally at Board level, responsible for cyber risk will also help instil a permanent culture of vigilance. Any one-off ‘box-tick’ exercise will leave you vulnerable further down the line. This is a constantly evolving issue and needs to be as natural a subject to cover at Board-level as marketing or product development.
How Others See You
Finally, cyber security increasingly features in the due diligence view of your company. Industry bodies and end-clients are requesting that their partners and suppliers have completed specific security checks. Risk is carried up and down the chain so, as said before, this is a collaborative battle. Your cyber security robustness could also one day become part of a buying decision, possibly making or breaking it.
It’s no surprise to hear that cyber security is an issue none of us can ignore, but the good news is that, for the willing there is plenty of practical support available.