Introduction
Why do Small and Medium Enterprises (SMEs) underperform on their cybersecurity programs when compared to larger organizations? The consensus is that SMEs don’t have the resources or knowledge to tackle both their information systems needs and their cybersecurity needs. Additionally, SMEs tend to have a crisis-management culture that focuses on solving the immediate problems of today rather than on planning and managing long-term issues. I have studied these issues for many years and have found that auditing SMEs can help them improve their cybersecurity.
I began using cybersecurity audits of SMEs as a teaching tool and learning experience in cybersecurity classes in 2014, when I used a team of graduate MBA students to aid a health care research center in creating a security plan and gaining initial accreditation of its security program. The student team found the activity to be a useful and popular learning experience. I brought this audit experience to the Panhandle when I began teaching graduate cybersecurity courses at West Texas A&M University.
The audits were performed using a semi-standard audit scope. Student auditors were free to add scope to assist the SME in understanding cybersecurity recommendations and to follow up on recommendations arising from observed issues. Each audited SME was provided a report listing the top five identified issues and the top five recommendations to address these issues. I reviewed the recommendations to ensure they were achievable (i.e., that they offered the best “bang for the buck” for the SME). I’ve aggregated the findings and final reports of the audits done at WT (40 audits) to determine the nature and frequency of the issues encountered by the SMEs, which are presented in the rest of this blog.

What Was Found?
Audit findings are presented below. The findings are rank ordered, with the most common issue listed first, along with the number and percentage of audit clients having the issue.
Major Findings (finding: number of audits reporting it)
- No security plan: 25 (62.5%)
- Weak/reused/no passwords: 22 (55%)
- Missing updates: 22 (55%)
- Weak physical security: 20 (50%)
- Weak/partial/no backup/restoration process: 20 (50%)
- Open/responsive ports: 14 (35%)
- No/weak security training: 14 (35%)
- Weak access control: 13 (32.5%)
- Business assets used for non-business purposes: 12 (30%)
- No/weak security systems: 9 (22.5%)
- No malware protection: 5 (12.5%)
- Passwords written down: 4 (10%)
- Malware found: 2 (5%)
The findings present an interesting picture of SME cybersecurity. Five issues were observed in at least 50% of the audits; these issues are considered endemic in SMEs. Five more issues occurred in more than 20% but less than 50% of the audits and are considered to be common issues in SMEs. The last three issues occurred infrequently enough that they are considered to be issues unique to those organizations. This means that there are 10 issues common enough in SMEs that they should be addressed by a generic SME audit plan and remedial cybersecurity program.
Additionally, 60 interesting observations were made. While not common enough to be classified as generic issues, they do provide a glimpse of findings that show that SMEs are different from larger organizations. Over 20 observations were made relative to server and equipment locations and management. This shows that SMEs do have issues related to preserving and protecting their unique resources. These issues extend not only to managing their servers and computer equipment but also to their workspaces. In acute cases, it was observed that the SME either didn’t have an office separate from the living quarters of the owner or that the separate office was very small, such as a business suite in a larger office building. This indicates that the physical security and router standards typically applied to larger organizations will not be usable by SMEs and that such standards should be custom developed for SMEs.
Recommendations
What should be done about the generic issues given the lack of cybersecurity resources? The pace of threats and mitigations is such that SMEs have no feasible way to truly keep up. Training SME owners will help, but expertise is needed, and I suggest working with a Managed Service Provider (MSP) to the extent necessary to address basic cybersecurity issues. The costs of an MSP are lower than hiring full-time support. Additionally, free resources such as the SANS security policy project templates and NIST standards provide guidance. Some basic recommendations for addressing the key findings that can be carried out by an MSP or the SME:
- No security plan: The SME should use the SANS template to generate a plan tailored to the SME. At a minimum this plan should address disaster recovery/business continuity as well as the issues below.
- Weak/reused/no passwords: implement a password policy using the SANS template. Require strong passwords and use a password manager for password storage. Use haveibeenpwned.com to check whether passwords have been posted on the Internet as a result of a third-party breach.
- Missing updates: require automatic updates to be enabled on all devices, unless the SME has a special application that must be tested against an update before the update is applied.
- Weak physical security: use the SANS whitepaper “Physical Security and Why It Is Important” as a guide for basic physical security that includes access control, locks, alarms, cameras, fire detection and protection.
- Weak/partial/no backup/restoration process: use the SANS template to create a policy that says what to back up, when to back up, where to store backups, and when to test backups.
- Open/responsive ports: use GRC.com’s ShieldsUP to check for ports that are not in stealth; if there is no business reason for a port to be open (camera access, for example, may be one), place the port in stealth.
- No/weak security training: train everyone on phishing and fraud attacks.
- Weak access control: ensure everyone has their own account and password, have a policy on who gets access to what data and apps, when to modify someone’s access, and how to terminate access. Consider implementing multifactor authentication and biometrics.
- Business assets used for non-business purposes: use SANS template to create an acceptable use policy and limit use as much as possible to business use.
- No/weak security systems: use a malware checker/system defender such as Webroot, Symantec, and/or Windows Defender.
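The password recommendation above suggests checking passwords against haveibeenpwned.com. The following is an added example, not code from the original post or from Have I Been Pwned, showing how that check can be scripted without ever sending the password (or its full hash) off the machine: the Pwned Passwords "range" API takes only the first five hex characters of the SHA-1 hash and returns every known suffix for that prefix, so the match is done locally. The sample range response and its breach counts are constructed for the example; the endpoint URL and the `Add-Padding` header are the real, documented ones, and `is_pwned_online` is the only function that touches the network.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

# Real Pwned Passwords k-anonymity endpoint (documented by haveibeenpwned.com).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.
    Only the prefix ever leaves the machine; the suffix is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix: str, range_body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the
    breach count for our suffix, or 0 when the suffix is absent.
    Padded entries (count 0, added when Add-Padding is requested) fall through to 0."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_pwned_offline(password: str, ranges: Dict[str, str]) -> int:
    """Offline variant: `ranges` maps a 5-char prefix to a previously fetched
    range body. Returns the breach count (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return breach_count_from_range(suffix, ranges.get(prefix, ""))


def is_pwned_online(password: str, timeout: float = 10.0) -> int:
    """Online variant: fetch the range for the prefix and match locally."""
    prefix, suffix = split_sha1(password)
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={
            "User-Agent": "sme-audit-password-check-example",  # assumed name, any descriptive UA works
            "Add-Padding": "true",  # asks HIBP to pad the response so prefix lookups leak less
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return breach_count_from_range(suffix, body)


# Constructed sample range for prefix 5BAA6 (the prefix of SHA-1("password")).
# The suffixes other than the first and the counts are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1("password") minus its prefix
        "00AA0A0000000000000000000000000000A:2",
        "00BB0B0000000000000000000000000000B:0",        # padded entry, count 0
    ])
}

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = is_pwned_offline(pw, SAMPLE_RANGES)
        print(f"{pw!r}: {'seen in breaches' if n else 'not in sample data'} ({n})")
```

When wiring this into a password policy, treat any non-zero count as a reject: the number of breach occurrences is useful for reporting, but a password seen once is already unsafe to allow.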
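The open/responsive ports recommendation uses ShieldsUP to test what is reachable from outside. An inside view complements it: list what the hosts themselves are listening on and compare that against the ports the business has a reason to expose. The script below is an added example, not from the original post or from GRC, and it assumes output in the layout of Linux `ss -tulnp`; the sample output and the allowlist are constructed for the example, not taken from any real audit.

```python
import re
from typing import List, NamedTuple, Set, Tuple


class Listener(NamedTuple):
    proto: str     # "tcp" or "udp"
    addr: str      # local bind address as printed by ss
    port: int
    process: str   # process name from the users:(("name",pid=..)) column, or "?"


# Bind addresses that mean "every interface"; a socket bound here is reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'\("([^"]+)"')


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -tulnp` style output into Listener records.
    Columns: Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, sep, port = fields[4].rpartition(":")
        if not sep or not port.isdigit():   # skips the header line ("Address:Port")
            continue
        proc_field = fields[6] if len(fields) > 6 else ""
        m = PROC_RE.search(proc_field)
        listeners.append(Listener(fields[0], addr, int(port), m.group(1) if m else "?"))
    return listeners


def exposed_unexpected(listeners: List[Listener],
                       allowlist: Set[Tuple[str, int]]) -> List[Listener]:
    """Return listeners bound to all interfaces whose (proto, port) has no documented
    business reason. Loopback-only services are left alone: they are not network exposed."""
    return [l for l in listeners
            if l.addr in WILDCARD_ADDRS and (l.proto, l.port) not in allowlist]


def report(listeners: List[Listener], allowlist: Set[Tuple[str, int]]) -> List[str]:
    """Human-readable finding lines for the audit report."""
    return [f"{l.proto}/{l.port} ({l.process}) is listening on all interfaces with no business justification"
            for l in exposed_unexpected(listeners, allowlist)]


# Constructed sample of `ss -tulnp` output; process names, PIDs and ports are invented.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*     users:(("postgres",pid=901,fd=5))
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*     users:(("camera-web",pid=1337,fd=7))
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*     users:(("avahi-daemon",pid=600,fd=12))
"""

# Assumed allowlist: the SME documented remote administration over SSH as a business need.
SAMPLE_ALLOWLIST = {("tcp", 22)}

if __name__ == "__main__":
    for line in report(parse_ss(SAMPLE_SS_OUTPUT), SAMPLE_ALLOWLIST):
        print(line)
```

The allowlist is the part that matters for an SME: each entry should carry the business reason (camera access, for example), and anything not on it is either closed or added to the list with its justification recorded.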
Murray E. Jennex, Gensler Professor of Computer Information Systems