In Security, is “good-enough” really enough?

When you are starting up your business, there are so many things to focus on. Security of your assets and data gets left behind. Most of us do what we can: firewalls, antivirus / malware protection, access management, MFA etc., and think "Yeah, that should be good enough". But is it really enough?

Ripple Bora

5/9/2024, 5 min read

In the past few months of working with startups and small and mid-sized companies and helping them set up information security infrastructure, I have learnt quite a lot about how they view risks associated with information security and how they handle those risks. They are all aware, to varying extents, of the threats that face their industry or businesses in general. Yet very few do a risk analysis, and those that do any risk assessment do not use the results in their business decisions very effectively.

While they are all aware of the gravity of the situation, they are at different stages of preparedness to handle it, ranging from

  • “We know we have some risk, but we have not given it a serious thought yet”,

  • “We don’t have time or money to invest in it, we have other priorities”, and

  • “We will handle it if something happens”, to

  • “Antiviruses and firewalls should be good enough for us”.

Some businesses are forced by regulations and compliance requirements, and most do the bare minimum to qualify.

A survey of startups by Embroker, an insurance provider for SMBs, found that although 78% of founders said they faced some form of cyber attack in 2023, only 52% thought that they wouldn't face any attack or data breach [1][2].

According to the Identity Theft Resource Center 2023 Business Impact Report [3], 73% of SMBs faced some kind of data breach or cyber attack in 2023, up 18 percentage points from 2022.

A survey conducted by Digital Ocean on how startups and SMBs view cybersecurity [4] found that 38% of companies had no dedicated employee with security as a part of their role, and 42% had only one dedicated employee for security. The survey found that 21% of the companies had experienced a ransomware attack, 44% had phishing attacks or faced business email compromise, 30% faced DDoS attacks and 14% experienced data theft.

So, why does security not come up in the top priorities of startups? The most common reason is the belief that they are too small to be a target of cyber attacks. Another reason is the lack of awareness of the types of threats and their consequences. According to the Embroker survey, this also depends on what stage of funding the startups are at. Only 40% of Seed and Pre-seed stage startups believed that they were likely to face an attack, whereas 72% of Series-C+ founders believed that they are potential targets of data breach or ransomware.

Running a business is hard, especially when you are small or just starting up. You have too many things to juggle and not enough resources. So naturally your focus is on building your solution, acquiring customers, building the team and most importantly keeping your business financially viable. Among the important things that get left out is information security.

Securing your digital assets is essential to keeping your business viable. We secure the physical assets: office premises, vehicles, workshops, manufacturing units and warehouses, with access controls, video surveillance and intrusion detection systems. We need similar protection for the information systems that are vital to the business. Just like unprotected offices or warehouses, computer systems are easy to break into if they are not well protected, and the damage could be much more than just loss of data.

Unlike the inventory in a warehouse that you control, almost all of your data is on platforms that you don’t control, in locations you do not know, accessible over the internet by your team at any time with devices you may or may not control. Sounds scary, doesn’t it? I am not trying to be a fearmonger. This is the reality and we are all aware of it.

Some of us believe that modern operating systems come with built-in security and that the cloud services we commonly use, Office365, Google Workspace, Salesforce, Github, Confluence etc., are secure enough. Having a comprehensive security solution seems too complicated and appears to be an unnecessary expense.

The good thing is that a large number of these businesses are taking steps to prevent future breaches by implementing multi-factor authentication, strengthening password policies, and implementing virus/malware protection. However, only 6% actually increased the budget / headcount allocated for security, and 15% did not take any action to improve security [4].

Each step that we take in securing our data and infrastructure helps reduce the risk. What most small organizations are missing is a structured way of addressing the problem of cybersecurity.

The NIST Cybersecurity Framework (CSF) 2.0 [5] defines six core functions:

  • IDENTIFY: Identify the assets (data, hardware, software, systems, facilities, services, people), suppliers, and related cybersecurity risks. Prioritize the efforts based on the risk management strategy.

  • PROTECT: Take steps to protect those assets against cyber threats. This includes identity management, authentication, access control, data security, platform security and building a resilient tech infrastructure.

  • DETECT: Set up infrastructure to enable timely detection and analysis of anomalies, indicators of compromise and other indicators of an attack or a security incident.

  • RESPOND: Act on the detected incident and contain its effect. This includes incident management, analysis, mitigation, reporting and communication.

  • RECOVER: Restore the assets affected by the cybersecurity incident in a timely manner to resume normal operations.

  • GOVERN: Establish the risk management strategy and security policies, and communicate them to the entire organization. Implement those policies and monitor the outcomes. Periodically review the risks and change the strategy accordingly.

Most businesses I have worked with focused a lot on the PROTECT function and did a decent job at it. They were very happy about that and thought that was “good enough” security. Very few have infrastructure to DETECT, and only to some extent. Almost no one had worked on RESPOND and RECOVER. The GOVERN function was missing pretty much everywhere. Then there were organizations that didn’t do a good job at IDENTIFYing the assets, so the protection they had built was incomplete and had holes in it.

The threat landscape is constantly changing. So, in addition to these functions, gathering threat intelligence related to your business and using those inputs to constantly update your risk profile is also important.

The challenge is that there is no single provider that gives solutions to address all these functions. Most security companies address one or two functions, usually protect & detect or detect & respond. It is a very challenging task for startups and SMBs to do the research and find the right solutions. And these solutions are expensive. So companies with limited time and money go for the easiest things to do: firewalls, access control, two-factor authentication, vulnerability assessment and penetration testing, and call it security. I do understand that it takes a lot of effort to even do this much. I have seen even large organizations with dedicated security teams and large budgets struggle with implementing all the functions.

Take a look at the preparedness in your organization to counter cybersecurity threats. Do you think the protection you have is “good enough”?

References:

[1] Embroker “2023 Embroker Cyber Risk Index: Startup Edition” (retrieved 2024-04-23) from https://www.embroker.com/insurance-index/cyber-risk-index-report/

[2] Gia Snape (Nov 2023) “Are startups underestimating their cyber vulnerability?”, Insurance Business Mag (retrieved 2024-04-23) from https://www.insurancebusinessmag.com/us/news/cyber/are-startups-underestimating-their-cyber-vulnerability-465181.aspx

[3] Identity Theft Resource Center (Oct 2023) “2023 Business Impact Report” (retrieved 2024-04-22) from https://www.idtheftcenter.org/wp-content/uploads/2023/10/ITRC_2023-Business-Impact-Report_V2.1-3.pdf

[4] Digital Ocean (2023) “Small businesses and cybersecurity, How startups and SMBs are viewing security threats in 2023” (retrieved 2024-04-22) from https://www.digitalocean.com/reports/cybersecurity-smbs-2023

[5] National Institute of Standards and Technology (NIST) (Feb 2024) “The NIST Cybersecurity Framework (CSF) 2.0” (published 2024-02-26) from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf