Bigger may not always mean better, particularly when it comes to keeping a close eye on security. It seems rather paradoxical that large businesses may have worse security than small businesses. Especially considering that they often have greater budgets, capabilities and more to lose. However, the 2016 Cyber Security Breaches Survey commissioned by the UK Government (which surveyed 1,008 UK businesses) found that 65% of large companies detected a cyber security breach or attack in the past year, which, on average, costs firms £36,500, with the most costly breach at £3m.
Who is more secure?
But would large companies be less secure? They have more of everything (more 3rd party suppliers, more data, bigger workforce) which, in turn, means that their data and potentially high-risk information is more dispersed. The widespread usage of mobile devices further multiplies this risk, as a large workforce becomes harder to control. To put it simply, imagine the security difference in trying to monitor and/or control a handful of local employees versus hundreds of global employees…you get the picture.
On the other hand, some may argue that it is because these large companies have more of everything. Including more resources to dedicate to security. For example, organisations such as betting companies, financial companies and banks (that have a lot to lose) are likely to have in-house security teams. Yet even these dedicated in-house security teams can’t guarantee that they will have a high level of security. The example of the 2015 TalkTalk security breaches evidences this point quite clearly.
In addition to their challenges of having more of everything, large organisations could also often have legacy or old systems. This increases risk through the shear fact that these systems are outdated. A lack of technological advance in large companies systems may leave them more vulnerable. Moreover, large organisations may have a large variety of systems in place throughout their various departments. This means that there is a lack of commonality. For example, if the marketing department decides to use a system or service of their choice, which is not sanctioned, then this inevitably (and potentially negatively) impacts on the security of the company as a whole. Why? Because if each department is using their own respective platforms without coordinating with the other departments within the company, then the overall security of the company is inevitably reduced.
When we look at SMEs, some may argue that they may be more secure for a few reasons. Firstly, a smaller workforce means that they can better control who has access to what. Secondly, small businesses are not likely to suffer from the downfalls of legacy systems as they are more likely to use 3rd party cloud services (e.g. Google or Xero). Small businesses typically have limited resources. This includes a limited budget, which means that they haven’t the cash to purchase the hardware, connectivity, software and support. Instead they choose cloud services that are cheap and quicker to get up and running.
However SMEs may not know whether the cloud service is secure. Maxim Weinstein, a security advisor at security firm Sophos. He argues that this security neglect may occur because small and medium-sized businesses place less emphasis on security and more emphasis on the functions that allow their businesses to run (such as customer relations and basic administrative duties). To further illustrate this point, the 2016 survey referenced above revealed that when compared to large businesses (where 62% of staff have had cyber security training), only 22% of staff in small businesses have had the relevant training. Again, this is most likely because of a limited budget, reduced capabilities and less time to devote to security.
Without going into too much detail about the security challenges of cloud services. It goes without saying that the use of cloud services is a common problem for both large businesses and SMEs. As an example, employees could use cloud services that are not authorised by the business. They could then share sensitive information using Dropbox without having the correct security controls in place.
Company size doesn’t matter as much as people may think- there are security challenges for all companies. Regardless of whether you are a small, medium or large business, you need to know your critical data and the relevant controls needed to understand how important it is for the survival of your business. Keeping this in mind when you choose your approach to security is of utmost importance, irrespective of your size.