Guest blogger Adrian Bridgwater interviews AVG Chief Policy Officer Siobhan MacDermott about her new paper, “Cyberwar: How to Harden Your Small to Medium Business,” and the security challenges facing small businesses.
Q: Let’s go back to basics if we can please and ask you what the difference is between privacy and security?
Siobhan MacDermott: The simple truth is that privacy is a key reason you have security in the first place. Privacy is the function that looks after your customer data, to the extent that a secure IT base has to be a critical part of any small to medium sized business (SMB). Privacy isn’t just for those who want to keep something private because they think they have something to hide; it’s more a fundamental right for every worker in every department of every business regardless of size. As a small to medium sized business operating in a global market, there’s a real opportunity to elevate and differentiate your firm by demonstrating robust privacy and security practices.
Q: Can you give us a real-world example?
Siobhan MacDermott: OK, so let’s say an email or a Skype call is secure from an endpoint perspective. Unless you also have the right controls in place, that same communication could be intercepted, in which case it is no longer private. And if it is no longer private, it is, by definition, no longer secure. In other words, security is all about deciding what could happen with every single piece of data and taking measures to keep it safe at all times. At AVG our challenge is to get the message across to SMBs how a breach of security goes hand in hand with a breach of privacy.
Q: Why are SMBs so exposed today?
Siobhan MacDermott: In recent years, top intelligence sources such as the U.S. Navy and General Keith Alexander, NSA director and commander of the United States Cyber Security Command, have spoken publicly about the hundreds of thousands of cyber-attacks they are seeing on a daily basis. A recent report by Sky News highlighted comments made by the Home Affairs Select Committee which showed that the threat of a cyberassault on Britain is considered so serious it is marked as a higher threat than a nuclear attack. Describing it as a cyber war, these public bodies have joined some of the world’s biggest commercial corporations in taking costly steps to harden their cyber defenses. While this is a good thing, it has led the attackers to turn their attention to softer targets. And SMBs, who tend to lack the IT resources and the security budgets needed for state-of-the-art cyber defences, are firmly in their cross-hairs.
Q: Can you give us some figures to try and paint a picture of how big the threat is to SMBs?
Siobhan MacDermott: A report released in June 2013 by Javelin Strategy and Research detailed “billions of dollars” in consumer fraud and losses resulting from data breaches. The year 2012 racked up 1,611 breaches, a record number—up 48 percent from the year before. A Ponemon Institute survey revealed that, in 2012, 55 percent of small businesses suffered a data breach and 53 of those businesses incurred multiple breaches. This is a global problem and a global threat; SMBs that think their modest size means they are not a target have to look at the bigger picture. They and their fellow SMBs represent a substantial proportion of the market. Together they are a sizeable target for cyber criminals.
Q: Your report gives a detailed picture of how firms should secure their cyber infrastructure — can you briefly sum up what preventative steps they should take?
Siobhan MacDermott: Firms should start by aiming at prevention. This means taking stock of the data they routinely gather and accumulate. Develop tidy habits. Only keep the information you actually use and destroy any unwanted or out of date information. In this case destroy extends to shredding old paper files, rendering old hard drives physically unusable, wiping portable devices, and removing/clearing any memory or SIM cards in smartphones and other devices you dispose of or sell. Firms should also restrict who has access to data, assign access rights to trusted employees only and adopt a strict need-to-know policy. You should run basic background checks on all employees before hiring them. Firms should also consider consulting a law firm with a specialty in this area to ensure that internal policies and procedures are compliant.
Q: What process should firms follow to address the privacy-security challenge?
Q: What steps has AVG been taking in this area?
Siobhan MacDermott: AVG is serious about this topic and May this year saw us acquire privacy company PrivacyChoice. Aimed at addressing web users’ privacy concerns, Privacyfix is an award-winning browser plugin that allows users to manage their privacy settings across Facebook, Google, LinkedIn and thousands of other websites.
Q: So just how serious is the security problem and do companies actually “get it” in the real world?
Siobhan MacDermott: No, to be honest firms are still massively complacent when it comes to the threat of cybercrime. My message to firms would be please think about security and privacy together and take a moment to understand how they impact upon each other. Don’t wait, take some action now.
How private and secure do you think your business is? Why not take a few minutes to find out by taking our small business IT security health check - you may be surprised.