Smaller organisations face particular challenges with IT security, not least knowledge and cost, but they are far from immune to malware.
John Bergin was interviewed by Jason Walsh of the Sunday Business Post for publication on 29/9/2019.
Every business is facing attack: it sounds like hyperbole, but it is not. In fact, any network connection of any kind is vulnerable to hackers in our increasingly connected society. It has become commonplace to call the internet the Wild West, but the scale of the threat today would make Wyatt Earp blush.
Small businesses in particular can be oblivious to this – and sometimes just unsure as to what to do about it – said John Bergin, Managing Director of IT Force.
“There are additional quirks for small business,” he said. “Small business owners and managers seem to think they won’t be targets, that they’re too small to bother with. The risk isn’t there, they think – it’s just something that they read about in the newspapers.”
Bergin cites a recent survey that said 43 per cent of all cyber attacks are aimed at small businesses. Despite this, many still don’t take the question seriously. This is unfortunate, he said, but not entirely surprising.
“If you haven’t the stripe on your back it’s hard to imagine it. It’s hard to feel it,” he said.
But what to do? One PwC report recently stated that four in ten businesses have failed to even assess the risks they face.
“PwC also stated that, in Ireland, cyber crime is double the global level. That would be mainly, I think, because of the attitude we have to it,” said Bergin.
That attitude can be that IT security is not so much insurance as a shakedown.
“Some think it’s a sort of a scam. A lot of it is that they can’t see it or feel it; a lot of guys in small businesses are owner-managers and they think, at best, ‘I’ll deal with it some time’,” he said.
There is one upside to this: going into small businesses with the hard sell simply won’t work, he said. Instead, security providers such as IT Force have a discursive relationship with clients.
“Here in IT Force, what we’ve done is have a minimum threshold of security points. We call it ‘Security Essentials’; it’s the minimum you should have, and for some companies we’ll do a free audit for them, going through the list with them saying: ‘You’re okay’ or identifying where they aren’t,” said Bergin.
The precise level of security required will vary, depending on the nature of the business. Some, such as PR companies and those in financial services, are seen as juicier targets and so they need to secure themselves to a higher level.
In every case, however, the buck stops with management: “The directors themselves can be held responsible if something goes wrong.”
Bergin said that the best thing to do was to make sure the basics are done, and done right. “Even some of the high-profile attacks we’ve seen recently were eminently avoidable. Simple things like up-to-date software patches make a difference,” he said.
Beyond that, user behaviour is key.
“Employees and how they behave: it can be as simple a thing as education; educating users on how cyber crime works. We can send sandboxed phishing e-mails [to test responses] and so on.”
In the end, Bergin said, businesses should get serious before the criminals get serious with them. Unfortunately, he said, a degree of complacency remains pervasive.
“GDPR was meant to be this kind of a thing, but I don’t see that any of the agencies are yet really acting on GDPR aggressively,” he said.