Security and managed services vendor Octree has warned SMEs that they need to take cyber security more seriously. The warning is contained in details of a speech from Tony Richardson, Managing Director, Octree. It is to be given on Friday 18th November to members of the UK200Group, which is made up of chartered accountancy and law firms. The speech is focused on the recent UK Government announcement of £1.9 billion for cyber security.
Earlier this week Xero released its State of Accounts report. It showed that accountants are still the most trusted advisor to SMEs. It also showed that accountancy firms need to bring in skills to offer a wider range of services. Richardson will not focus on the need for new skills in accountancy or legal. Presumably this is because he would like them to consider directing their clients to Octree.
Cloud computing a must for SMEs
Gary Turner, UK Managing Director, Xero, also believes that the only solution in the future for SMEs is cloud computing. When asked about connectivity issues at a brunch, he brushed them aside. With the UK the world’s largest per capita online shopping nation, he doesn’t believe connectivity is an issue. Turner also sees no place for on-premises computing and dismisses the idea of hybrid computing.
Richardson has a similar view of cloud computing but more from a security than cost perspective. He says: “I’m a great believer in cloud computing improving security for SMEs, because cybersecurity becomes the responsibility of the software provider, which is in a better position to address those.”
Businesses must invest in security training
Unsurprisingly, Richardson sees security training as a requirement for all companies. Unlike many others calling for training, Richardson is focusing on soft skills such as social engineering. He says: “For businesses, security training has to be moved up the agenda. It is social engineering that leads to problems as far as ransomware is concerned, because the delivery mechanism will always be an email being delivered or a website being visited. Therefore, people need to be educated not to click on links or open attachments, and to be prepared to question suspect emails and, if necessary, escalate them.”
This kind of soft-skills training is something that companies and training companies are ill equipped to deliver. Many are still focused on a hard-skills approach, such as checking that endpoint protection is updated. They tell users to check logs and that, if there is nothing there, they are safe. The majority of these tools only work by knowing what the threat is. Educating users on how to avoid social engineering means that they should be able to avoid new attacks.
Directors must face up to their responsibilities
Among SMEs there is an acceptance that they are poor in cyber security. The SME channel partners have generally failed their clients. Where they were once trusted advisors they have not delivered the support to protect companies. Instead, they have focused on selling product and shifting boxes. As a result there is a fast growing market that seeks to outsource that knowledge. This is a market that Richardson knows well as the MD of Octree.
Richardson makes the point: “Ultimately, business directors are going to be liable, so I’m sure they’ll be keen to get that message across.” This is all too often not the case. SMEs outsource their cyber security and seem to think that this means they are no longer responsible. You cannot, under the law, outsource responsibility. If you choose the wrong cyber security partner and they lose your data you are still liable. There is a gap between Richardson and many SMEs that still needs addressing.
Richardson’s advice for SMEs
In his closing remarks Richardson has some sound advice on getting it right when choosing a cyber security partner. “Review any service-level agreements and security certifications. Bear in mind that a small business will have very little influence on negotiation on a large Software as a Service (SaaS) provider, but if you imagine how damaging a successful cyber-attack would be to a large SaaS provider, that offers some reassurance that they will be ensuring their systems are up-to-date.”
Richardson is right to raise the issue of cyber security with accountancy and legal firms. We’ve already seen campaigns targeting legal firms with both malware and trojans looking to steal data. So far the smaller accountancy market has been relatively unscathed. This will not continue for long.
The UK HMRC has a Making Tax Digital agenda. While consultation only closed this week, it is intended to move all tax affairs online. As government IT beefs up its security, accountancy firms will become a more important target for criminals. The increase in automation in the supply chain also means that SMEs are a more valuable target. They are seen as the soft underbelly of large enterprises, and automation means that a successful attack can reap big rewards quickly.
It will be interesting to see how attendees at the UK200Group meeting respond to Richardson’s speech.