Recent revelations about the scope of Chinese hacking attacks on Korean small and medium enterprises (SMEs), as mentioned in a recent article in this magazine, may have been surprising to many, but to information security experts it is not particularly surprising news. Just like attacks in the physical world, attackers in cyberspace go after victims perceived to be easy targets. And, generally speaking, SMEs are easy targets. It is not necessarily the fault of the SME organizations that they have weaknesses; most of their weaknesses are unknown to them. Furthermore, it is certainly not the fault of the SMEs that they are attacked. After all, every organization with any interface to the wider world is attacked, large and small, tech savvy and technologically inept.
Why SMEs Are Easier Targets
SMEs are often easier targets because, relative to larger organizations, they have particular organizational weaknesses that translate into weaker information security. While these weaknesses may not apply to every SME, they represent the average case.
SMEs lack security expertise. They usually don't have many in-house information security experts. The staff they do have are often multitasking, handling information security as a side job to whatever else they do in the organization. Such a person may not be a security specialist, and there is often no single person in charge of all the information systems in the company, no single person even thinking about all the data in the company, and no one setting company-wide policy on information security.
SMEs don’t have money for security. SMEs often don't have funds earmarked to acquire the latest and greatest security solutions, as they are often on tighter budgets. Keeping up with changes in information system requirements is already expensive enough as it is. Less money means security budgets always represent an unwelcome trade-off. If there is a choice between spending on business operations enhancement and spending on security, security usually loses out.
SMEs have a hard time managing information systems complexity. Hardware and software systems multiply in number over time. SMEs may not be exactly sure what systems and software they are running inside the company, making it impossible to keep those systems completely patched and up to date. As time goes by, internal company systems grow more complex and unwieldy. Internal customers refuse to part with cherished solutions, and soon various generations of undocumented software and hardware are running next to each other inside the organization. Just like pharmaceutical drug interactions, different systems don’t always play well together, creating a security hole.
SMEs have a hard time managing their retained data. Companies of all sizes are often unsure about what data different parts of the organization are storing, how they are managing/protecting that data, and even how they are using that data. Data grows over time, like files stored on a personal computer, so that companies don’t know who owns what data, who is supposed to be using it, who is actually using it, and whether or not it has been leaked outside the company. Is the inability to manage data a bigger problem than the inability to manage the other weaknesses that an SME may have? Not necessarily, but we must keep in mind that it is the data that attackers are after. All that unmanaged data is like blood in the water - it is the bait that attracts attackers.
Plugging the Holes Is Not Straightforward
Shoring up these weaknesses is no easy task, and there is no one path that SMEs can take to do so. Information security is a horrifically complicated undertaking, with so many potential points of failure that the real surprise would be few attacks and no lost data. In truth, there are more successful attacks than anyone is aware of. Successful thefts occur all the time, many of which leave no trace of a breach. Neither the general public whose data may have been lost, nor the organizations suffering the attacks ever become aware of some of the breaches or the accompanying losses of data.
No government can simply mandate protection of all this information. The threats are too diverse and the potential responses too varied. Strict regulations that prescribe specific technological solutions lead to inflexible, bureaucratic, hamstrung organizations which become, counter-intuitively, less secure. When organizations, particularly SMEs, get too concerned about compliance with regulations, they end up focusing on the compliance situation, not the security situation. This becomes what is known as “security theater,” where organizations do things because they look good, rather than because they are effective.
In reality, the only prescriptions that work for SMEs start with education on good practices. Small and medium-sized organizations need to educate themselves on what options they have, what they are doing right and wrong, what threats to their information exist, and the tactics that attackers use to go after their data. If outside help is needed to acquire the knowledge they need, then so be it. Considering all the liability involved, it may be the most cost-effective route in the long run.
A company must educate all personnel on good information security practices, not just technical personnel. Education should emphasize that information security is not just about computers, passwords, and malware avoidance. Information security is about people - their habits and their work processes.
A company must also take charge of its own security. SMEs need to nominate leadership to take control of and champion information security in the organization.
Lastly, and perhaps most importantly, companies need to make tough decisions about what data they keep. A careful review of what data the company has, who is using it, and how much of it actually needs to be maintained is crucial. No organization can lose data that it doesn’t have in the first place.
The decisions about managing data are the most important decisions that any organization can make, not just SMEs. Making the decision to cut down on retained data is getting more difficult, because access to good, informative data is rapidly becoming a competitive advantage that many companies are loath to give up. SMEs rue the competitive disadvantage they are placed in because they don’t have the data that their larger competitors do. This leads organizations to want to keep all the data they can, analyze it, and derive insights from it.
While those goals are understandable, they also raise organizational risks. Companies with a big appetite for data, but without good data governance programs, start to ask their customers for too much information, retain too much of it, fail to restrict distribution and usage as the law may dictate, and set themselves up as targets.
Rodney J. Johnson is president of Erudite Risk, a risk management consultancy based in Seoul, and the co-founder of the Korea Business Leaders Alliance, a business group serving senior leaders in Korea.