Why SMEs are often overburdened with technical IT security tools

Over the past decade, there has been a growing understanding that IT spending is a critical item. Now, the only thing that needs to grow is the understanding that IT security unfortunately does not come free of charge, but that much can be made more secure even with a small budget.

Risk awareness in place, but contingency plan not...

As part of his CAS certificate thesis, Christian Heimann evaluated various methods and approaches for an "Affordable Digital Security Audit of SMEs" and found that SMEs are very aware of the digital transformation. However, it is worrying that many small companies are overwhelmed by the multitude of technical IT security tools available on the market. For this reason, they often neither budget for nor do anything about IT security. If something is done, they are mainly concerned with the technical aspects. They are aware of the value of their data, but they forget the human component. Employees are not trained or insufficiently trained and sensitized, which increases the risk of a successful attack. Only just under one-third of small companies have an emergency plan; in the event of a successful attack, such a plan would defuse the associated crisis situation by not wasting any time.

New devices - new points of attack

Among the two-thirds of SMEs for which IT security is highly important, only 20 percent have reviewed their IT security to date. This gives pause for thought. According to leading research and consulting firm Gartner (2017), the number of IoT devices will increase to 20,000,000,000 by 2020! IoT devices are not only attack targets, but can also become attackers themselves (e.g. misuse as part of a botnet). Therefore, protecting IoT is not only about your own security, but also about the security of the general public. Gartner projects that by 2020, 25% of all identifiable cyber attacks on enterprises will have an IoT component, but less than 10% of IT security budgets will be invested in IoT.

Vulnerability Management

Over the past decade, there has been a growing understanding that IT spending is a crucial item. Now the understanding that IT security is unfortunately not free, but that a lot can be made more secure with a small budget, has to grow. A key element is to know your inventory so that you always have an overview of your systems (network, devices, access rights, cloud services).

Christian Heimann talked to Pascal Mittner, CEO of First Security Technology AG, about their vulnerability management solution. Vulnerability Scan or Automated Testing is the detection of vulnerabilities by analyzing endpoints. A good vulnerability management solution not only provides indications of the vulnerabilities, but also direct recommendations for action to eliminate the vulnerabilities. Pascal Mittner clarified in the interview that vulnerability management should function as an early warning system and provide for the analysis of the assigned area. Measures cannot and should not be implemented by the same system. The principle of "separation of powers" is to be observed.

38 new vulnerabilities per day

In the field of cyber security, when people ask IT managers how often a security audit should take place, they often ask for an interval of between three and five years. They forget that the IT infrastructure is dynamic and even one year is far too long for a technical environment, plus there are 38 new vulnerabilities every day. Small companies also lose track of the systems that are on the network. Often devices like routers, switches, IoT or test systems are simply forgotten, missing from the inventory and therefore not integrated into the IT security concept. Pascal Mittner mentions that "In addition to the documentation of the infrastructure, vulnerability management serves as a tool to detect problems at an early stage and to counteract them. This increases the efficiency and effectiveness of the company, frees up resources, helps prevent major damage and invests in the right measures."

With FS Cyber Control - the Swiss Made vulnerability management solution for SMEs, the above mentioned steps are implemented among others. The IT infrastructure is inventoried, then the systems (IPs) are scanned and a report is generated with recommended measures to eliminate the vulnerabilities found. The reports are easy to understand, regardless of IT knowledge. "Based on a traffic light system red, yellow, green, they can quickly see how their IT is doing and the solution is also affordable for SMEs," says Pascal Mittner and adds, "FS Cyber Control is easy to integrate into the existing environment and fully automatic. In this sense, there is no longer any excuse for SMEs to neglect their cyber security due to excessive demands."

More information: First Security AG