At the start of 2019, it was clear that the hackers and scammers were turning their attention to smaller organisations. They didn’t anticipate their own success or quite how rich the pickings would turn out to be.
The pioneering attackers who decided to go after small businesses have found a working business model with guaranteed massive returns. And now the pile-on, or goldrush, is underway: everyone wants a slice of the action.
So, stand by: in 2020 small organisations are under unrelenting attack. And be aware, the attackers are after your money.
How did we get here?
Believe it or not, we’re 13 years into the iPhone era.
Apple and the iPhone are not that huge a part of the modern business IT ecosystem, but it was the appearance of the iPhone back in 2007 that marked the start of a massive transformation in IT – the move to the cloud.
Suddenly email on a mobile device was a must-have for everyone, not just a few clever geeks and Blackberry-toting corporate executives.
And, where email led, the rest of the traditional business IT family has followed. Now everything is in the cloud and we are probably looking at the last generation of on-premises servers.
The transformation in business IT has produced a revolution in the whole world of business. Setting up anything approaching a serious business IT system, only a decade or so ago, needed an outlay of several thousand pounds and, if your requirements were more than basic, you were looking at several tens of thousands.
Now, if you can lay your hands on a few hundred pounds a month, you can be up and running tomorrow with the most sophisticated and complicated email, file storage and sharing, CRM and any other system you can imagine.
National borders and other restrictions of the past are barely relevant anymore. As a result, financial and logistical barriers to entry for many business sectors have all but collapsed and, where they still stand, they have been lowered and are getting lower by the day.
Anyone can be a businessperson now.
And, the revolution isn’t over yet; if anything, it is accelerating – just take a look at the rate at which new products and services are being rolled into Microsoft, Google and Amazon platforms and the array of new online services from smaller players that are just tumbling out of the cloud.
There are plenty of traditional businesses who are sad to see the end of stiff entry barriers to their sectors but, for the rest of us, this is all unequivocal good news. Right?
Well, we can hardly complain about the price we’ve had to pay. Our homes and offices have been made over and the cost has been pretty much imperceptible.
Now, Microsoft hasn’t become the richest company in the world through its unrelenting focus on free lunches and we’ve all got in the habit now, both as businesses and individuals, of paying for our technology through monthly subscriptions. Given what we get, these subscriptions are hardly expensive though. We wouldn’t have had the explosive growth of such services if their pricing was out of reach.
We do pay then, but not much, and certainly not so much that it hurts. We could even argue that the fees we pay Microsoft, Amazon or Google (indirectly) have been more than made up for by the lower prices we pay for much else as a result of the competition they have allowed.
And even if £1,000 or so does seem a bit steep for a phone, when you stop to think about it, don’t forget the convenience.
A new world
You know I’m now going to suggest there is a downside to all this.
There is a well-known general sense of unease about the non-monetary price the big providers are charging us, i.e. massive scale harvesting of personal information.
But there is a much bigger problem with this whole cloud revolution, and this is the impact it has had on small business security. In general terms, cloud providers are far more secure than on-premises IT systems ever were. So I am not for a moment arguing that we should somehow go back to on-premises IT. The genie is fully out of the bottle.
So, if cloud providers are generally pretty secure, where is the issue with business security? I’m talking here about security in its most basic sense, i.e. the ability to keep on existing.
Let’s consider an attack that our clients experience every day – a phishing email crafted to trick the recipient into revealing their Office 365 password. Phishing emails have been around for a long time but, by definition, this one would be pointless without the ubiquity of Office 365.
For most recipients these emails are a minor irritation; for an unlucky few they result in a significant financial loss and, for some, this is enough to put them out of business. For example, a healthy business turning over, say, half a million a year may not be able to survive a successful phishing attack that relieves them of £50,000 (not an unusual figure).
Now, earlier in this article we looked at the way barriers for entry to business have been lowered or eliminated by the cloud revolution. The same is true of the barriers to entry to the criminal world.
Think back to those far off days before the 2008 financial crash. Say you wanted to defraud a business of £50,000, you really would have had to know what you were doing and have advanced conning skills.
Today, if that’s my intention, I don’t need any special skills to launch an attack against thousands of companies and see if I get lucky.
A good way to get a sense of the point of extreme vulnerability at which we have now arrived is to revisit an old information security concept: the attack surface.
Back in the day, when we worked on security we would look at those parts of an IT system that were exposed to the Internet. Sometimes all we had to consider was the network router/firewall; sometimes a few servers, PCs and laptops were also of interest. But the point was that we could define the attack surface, i.e. the points of vulnerability, and concentrate our defensive efforts in this area.
By and large, this approach worked. If you reinforced your attack surface, there were plenty of much more inviting targets out there.
The problem we have now is that the Internet has become the IT system for most businesses. The attack surface has become infinitely vast and undefinable in any meaningful sense.
All businesses now share a single, immeasurable attack surface. The service providers take security very seriously and are engaged in a frantic arms race with attackers who are themselves highly organised, technically skilled businesses.
Defensive systems are constantly probed for weaknesses and attacks are launched by the million every day. Some attacks will always get through. We are at a point where criminal activity now has the potential to bring the whole IT revolution to a crashing halt.
At one end, a massively successful cascading (company to company) attack could easily exhaust the capacity of the global insurance industry to underwrite the financial risks involved in the revolution.
At the other end, small businesses may gradually be forced to withdraw from electronic business altogether as the risks begin to outweigh the rewards.
My IT people have it covered?
If this is true, what are you, as a small business, supposed to do?
Here is the first wake-up call: stop believing that your IT people or support company have this all under control. They don’t.
This is way beyond their capabilities.
We need to face up to the uncomfortable fact that it is the IT people, in their eagerness to please their customers, that have caused this problem and they don’t have the solution.
OK, this is curious stuff for the MD of an IT company to be putting out there.
Well, it is precisely my background that qualifies me to identify this problem. Above all, I know how IT people work, and getting them to prioritise security is a hopeless cause.
Even though it doesn’t always look that way, IT people see themselves as born to serve; their role is to satisfy customer needs. Back in the 80s, even in-house IT teams learned to call the rest of the business their customer. Good IT has always been about satisfying business needs defined by other people. Security has always been an obstacle to satisfying those needs.
Now, there are IT companies around who have always prioritised security, but they are few and far between. There are more that are starting to give security the attention it needs, as a bolt-on to their core service. And there are many who pay lip service to security while considering it a purely technical issue and carrying on much as before.
You may notice more and more IT companies adopting a new abbreviation, no longer MSPs (Managed Service Providers) but MSSPs – guess what the second ‘S’ stands for. Well, don’t believe the hype.
The right way
Now for the bold claim: Macnamara is different.
I started the business almost 20 years ago, coming out of a corporate background in which I was proud of my nickname, ‘the handbrake’, earned as a result of my (then unfashionable) insistence on security as a priority. And we have never strayed from this focus – even losing clients along the way by refusing to compromise on their security.
Our people do not come from traditional IT backgrounds and are all trained in-house.
We were amongst the first to embrace the cloud, recognising that standing against an incoming tide wasn’t going to help anyone. But we also saw the risks and have relentlessly trained, studied and certified to keep ourselves and our customers secure.
Businesses are now more vulnerable to attack than ever before. Security needs to move right to the top of the management agenda, and you need a partner to keep you as safe as possible against this rapidly changing and ever more dangerous background.
Security goes way beyond technology, and way beyond what can be covered in this article. If you are going to rely on your IT company, then at a minimum ask for some evidence that they are qualified to advise or help you on security.
I’m not going to pretend that Macnamara has the solution to the problem we are facing today in business security – but the Macnamara team is trained to tackle security way beyond technology, has been a pioneer in small business security, and understands the problem.