SMB, by threes count off!
24 May 2022

Small and medium-sized businesses have been hit harder by the coronavirus lockdown than the Enterprise segment, and this has also affected information security budgets. When a company's main task is to save the business, information security spending, despite all the horror stories, drops far down the list of priorities. These are, according to Igor Tyukachev, head of the business development department for information security products at Axoft, the information security realities of the Russian SMB sector. However, this is a global trend: according to a 2020 study by BullGuard, 43% of small and medium business owners do not have a cybersecurity plan, and a third of companies (up to 50 employees) use only free antivirus software. But is information security maturity in the Russian SMB segment really that bad? How can a company determine what level of “development” its information security has reached, and what needs to be “levelled up” in order to move to a new, more advanced and secure level?

Instead of a preface: a scale not nailed down

Our team created its own maturity scale in order to objectively assess the maturity of our partners' customer companies and understand which solutions from their portfolio the partners can and should offer. At the same time, this scale is not “nailed down” and can be interpreted within a fairly wide range.

Level 1: start SMB. Minimum cost and maximum savings

This level includes all start-up companies that have received or found funding and are at the stage of confirming their hypotheses. Such organizations have 10-20 employees. The motto is “Minimum costs and maximum savings”. Companies at the “start SMB” level have no IT specialist; everything is handled by the staff themselves. They use paid cloud products and free Open Source solutions. They are prone to using common passwords and going without backups. To raise their level of information security, they need, at a minimum, to start using two-factor authentication and backups.

Level 2: advanced SMB. Sporadic costs

At this level, the company has already proven the viability of its business model and is investing in scaling sales. New employees appear, and the company builds its own IT infrastructure (servers, 1C, etc., possibly rented or in colocation). The number of employees is 50-250 people. One or two employees deal with all IT and information security issues. There is no IT/IS budget, and expenses are sporadic. Such companies use paid antivirus products or integrated solutions from vendors of information security products for SMB. The perimeter is protected using UTM (an all-in-one appliance that is both a firewall and a proxy; there are no special performance requirements). If the main selling tool is a website, then it must be protected using a WAF, for example, PT AF from Positive Technologies or cloud WAF solutions. Since most attacks start with emails, mail protection and an anti-spam solution are needed; these can also be included in the bundle of an information security vendor for SMB.

To increase the level of information security maturity, a company that does not have a dedicated IT specialist needs to get one. If one or two IT specialists are already on staff, assign information security tasks to them. Axoft, for its part, is ready to advise on website and email protection and on the choice of a Russian UTM, to conduct demonstrations of solutions, and to organize pilots and implementation projects together with partners.

Level 3: SMB expert. Permanent mess and how to deal with it

The company is growing, and turnover and the number of employees are increasing (500-1000 people). It becomes necessary to describe and regulate business processes and to introduce new information systems. The volume of IT infrastructure is increasing: it can be the company's own data center or server room, or rented space in a commercial data center. The number of DBMS is growing along with the number of information systems (IS) in use. Requirements appear for backup, availability and reliability of IS, and sometimes companies think about Disaster Recovery. At this stage, the company should have a dedicated employee (or several) on staff who is responsible for information security.

In general, the "SMB expert" level is characterized by a permanent mess. IT processes are usually not described, so "forgotten" servers that belong to no one may appear, as may "incomprehensible" accounts on the servers. Access to internal resources from outside is not regulated. The information security employee does not know how many assets are under protection and cannot fully assess the risks. The CEO's laptop is infected, but there is no authority or ability to isolate it. Companies at this level of maturity use backup solutions, 2FA to secure access, DLP (the tool that is easiest for everyone to understand), and vulnerability scanners, since the IT infrastructure has grown and the percentage of attacks that use critical software vulnerabilities is increasing very quickly.

How to deal with the chaos? IT and information security processes need to be regulated consistently. This will require additional information security tools. As an option, external professional resources can be brought in. A vulnerability management process needs to be implemented.

A few words about the IS-ideal. Optimal - spend less than we can lose

To the question “Is it possible to assemble an ideal protection model and what is needed for this?”, one can answer this way: information security is a field in which it is impossible to achieve an ideal, if by ideal we mean 100% security. Moreover, from a business point of view, it can be harmful when the means of protection are more expensive than the possible loss of data or stoppage of business processes. Information security is like the Cold War and the arms race. On the one hand, attackers are improving their means of attack, and on the other hand, information security specialists are improving the means of protecting against, detecting and investigating attacks. Given that the protection perimeter has become as blurred as possible (remote work, clouds), it is not only about defending yourself, but about how to detect an attack, a “saboteur” inside your infrastructure, and neutralize it, and also about being sure that all "saboteurs" have been found. With regard to SMB, it makes more sense to talk not about the ideal protection model, but about the optimal one. The optimal protection model is the one that provides the required level of protection at optimal cost. It means "spend less than you can lose." The motto of Positive Technologies, "inadmissible - impossible", echoes this statement. That is, the optimal model should ensure that unacceptable risks cannot be realized.

In the next article on the topic of information security maturity, we will talk about gradations in Enterprise companies. We will also help you determine at what stage of information security development your business is.
