Can small business beat cyber skills crunch?

A good cybersecurity strategy is essential for any business, no matter its size – but in the midst of a chronic shortage of security experts, what’s a small business to do?

It’s a vexing question as cybercriminals continue to score goal after goal with simple attacks such as phishing emails and credential stuffing, in which attackers use already-compromised passwords to access users’ other work and personal accounts.

Office of the Australian Information Commissioner (OAIC) statistics confirm that Australian businesses remain extremely vulnerable to the attacks, which are enabled by leaks such as this year’s 770 million-strong ‘Collection #1’ breach and a recently discovered server containing 1.2 billion personal profiles including 622m email addresses.

“The battle lines in cyber have been redrawn,” warns Rich Turner, EMEA senior vice president with cybersecurity firm CyberArk, “and it is identity, not the vanishing perimeter, that is the new frontline.”

“Organisations must therefore rethink their security investments ensuring they are adequately managing identities and their associated privileges.”

What security investments?

Yet for the 2.2m small businesses that make up the more than 97 per cent of Australia’s businesses, even those that recognise the need to improve security can struggle to give it the priority of major enterprises like the NAB, which is spending $150m a year on cybersecurity.

By contrast, 62 per cent of small businesses are sole traders and 27 per cent have just 1 to 4 employees.

Margins are often tight, leaving little left over to spend on cybersecurity tools and even less for the six-figure salaries needed to lure cybersecurity specialists away from fast-growing businesses that are working hard to corner the skills market.

Throw in the challenges of a market with an estimated 100,000-person IT skills gap and widespread reports that it is ‘very difficult’ to recruit cybersecurity specialists, and small businesses are vulnerable to an unchecked stream of cybersecurity threats.

One Malwarebytes analysis reported 60 per cent more cybersecurity threats against healthcare organisations – the majority of which are small businesses – in the first three quarters of this year than in all of 2018.

And a recent Barracuda Networks study found that targeted spear-phishing attacks cost businesses an average of $US270,000 ($A396,000) each.

If you can’t hire, automate

Detecting, stopping and recovering from such attacks requires a broad range of security skills, while proactive defences like penetration testing and red-teaming take the job description to a whole new level.

Yet even those companies that do manage to hire an IT person with some cybersecurity experience often find their capabilities limited, notes Ty Miller, managing director of security consultancy Threat Intelligence.

“When you have a handful of people running the company’s entire security operations, they need to be generalised security people who can touch lightly on different areas of security,” he told Information Age.

“That means they don’t have the deep technical expertise to be able to do things like in-depth penetration testing and incident response; they don’t understand how to contain breaches.”

Sensing an opportunity, Threat Intelligence built Evolve Security Automation – a cloud-based platform that lets customers rent regular or occasional access to over 350 advanced cybersecurity capabilities.

The platform is built around bespoke Automation Modules, developed by the company’s 20-strong team of “highly specialised security experts” in six countries and chained together into workflows providing particular security capabilities.

To reduce the risk from credential stuffing, for example, Evolve can automatically monitor dark-web breaches and notify users – as well as forcing affected users to change their passwords – if their credentials have been compromised.

It’s one of several systems demystifying the storied dark web by helping compromised companies learn what the cybercriminals know.

Financial-services giant Experian also recently joined the fray, promising to “unlock dark web intelligence” by bringing its CyberAgent Identity Monitoring technology to Australia and New Zealand.

Yet Evolve is taking a wider view by also offering penetration testing – of external and internal infrastructure, DevOps application security, and a reconnaissance service that finds network soft spots – as well as automated incident response, security infrastructure tools, and cyber threat intelligence tools.

“Because they have minimal resources, any action they need to take needs to be streamlined and prioritised so they are reducing their risk to the business,” Miller says. “You can basically automate anything you want.”

The new security infrastructure

Because Evolve is fully automated and lives in the cloud, it’s offered at a fraction of the cost of a real person: email monitoring costs $5 per month for an individual and $500 for a business, for example, while penetration testing costs $1500 for a month of unlimited testing, and can be turned on and off at will.

The system garnered “phenomenal feedback” when first demonstrated at last year’s Black Hat cybersecurity conference, Miller says, and subsequent months have seen the firm onboarding customers globally in the run-up to its recent full commercial launch.

Increasingly sophisticated automation promises to sidestep a key problem plaguing the exploding security market, where the lack of skilled staff is biting hard.

“Digital transformation demands that security staff play a wider range of roles, from strategic consultants to threat profilers to product managers, which in turn require new skills and competencies,” said Beth Schumaecker, advisory director with research firm Gartner – which has pushed hard on the value of security orchestration, automation and response (SOAR) tools like Evolve.

“It’s already impossible to fill our existing vacancies.”