
Pretext

I'm not a security expert, just a web dev with an interest in "security". I've been tasked by my employer with giving an internal talk on security (specifically web application security) and why it is important for SMBs.

Reflecting on my motivation, I've realised this particular subject interests me because:

  1. I find the technical aspect fascinating
  2. It's the right thing to do
  3. I don't wanna get pwned (professional dignity)

Which is all fine and dandy, but not something the board will be terribly impressed with. Consequently, the talk should focus on the business impact of security for SMBs.

I've been thinking about incorporating some often-heard arguments:

  • "Security is only for the financial/medical/insurance sectors"
  • "We are too small to get noticed by hackers"
  • "There's nothing to get from us – our data is not interesting"
  • "We don't store credit card data or anything sensible"
  • "Even if an account gets hacked, there really isn't anything you can do with it"
  • "I don't think anybody's interested in what User X has been doing on our platform"
  • "There is no business value in security"
  • "We need to focus on implementing new features for our users instead"
  • "We are lean, and code that doesn't make money is waste"
  • "If we make this too complicated, the users will go to our competitors instead"
  • "Adobe has been hacked and people still love them"
  • "The probability of this ever happening is so low, we can't justify spending any resources on it."

Some of these may be silly, but others, raising the question of the business value of security, are perfectly valid. Unfortunately, these are the hard ones for me to answer, because frankly I do not know the answer. I feel like I can google this until the cows come home and still not get anything other than sales pitches and platitudes like "Your website is your virtual business card and you want to make a good impression."

Some notes I have made so far:

  • Small businesses are in fact targeted quite a lot, because they are "low hanging fruits"
  • An attacker might not even know your business, e.g. if malware is installed with a dependency manager
  • All data is interesting if you have a purpose
  • Attackers don't care about your platform and very likely they don't care what the user has been doing on that platform. They are interested in the user data stored (PII, plaintext or poorly hashed credentials, e-mail addresses etc.)
  • Attack vectors might include several targets and your platform might be just one small piece in a larger plan
  • Compliance with lawmakers and potential business partners
  • The business value of security can be quantified after a breach has happened (e.g. number of customers lost)
  • "Lean" comes from the automotive industry and they have a lot of regulations to follow
  • Security as a differentiator (stand out & build trust with customers)

TL;DR – Actual Questions

I'm not expecting anyone to address all these questions. Just looking for some input, and perhaps some pointers in the right direction. The talk won't happen before Q3 2019, so there's still some time to do research.

  1. The big question in need of an answer is "Why should SMBs care about (application) security?"
  2. Is security, at the end of the day, simply risk management?
schroeder
jgxvx
  • @schroeder Thank you. I understand the question is too broad to be answered. I will continue researching and come back with more concise, separate questions. – jgxvx Dec 16 '18 at 20:20
  • Thanks everyone for your inputs. I'm going to accept the answer which has helped me the most, so this question won't remain unanswered. But all your answers have been very helpful in pointing me in the right direction! – jgxvx Dec 20 '18 at 12:07

4 Answers

  1. Every business, no matter what it does or how big it is, runs on information
  2. Information has value to the business, so the business needs to protect the availability and integrity of that information
  3. Information has value to others; your customers, your employees, your business partners, and has value to others who can exploit it for their own gain, so that information needs to be protected so that people cannot use it to cause harm
  4. Every business needs to ensure that information is used in the right ways at the right time so that customers, employees, and partners get the benefit they need

These four points mean that there need to be processes and training in place to make sure that the maximum benefit is derived from information and the minimum impact is experienced when something goes wrong. We call this "information security". Information security is not about technology and it is not about "hackers". It's about the proper handling of information for the life of the information and the business.

Information security processes are not new. Businesses of every size need to handle all assets in the same way. In fact, you can replace the word "information" with "asset" in the four points above, and businesses will not be surprised. Information is as important as assets to a business because information is the most important asset.

schroeder

I think the question is too broad so I will only cover what I think is the main aspect:

Is security, at the end of the day, simply risk management?

That's what it is. There are several risks relevant to SMB which are addressed by information security, for example:

  • Ransomware might result in the inability to access data or systems which are critical for the business. Missing or incorrect backups might cause similar problems.
  • The competition might get access to secret data and could use these for their own advantage, like underbidding the company's offers or stealing ideas and getting faster to market with these. The competition does not need to be security experts to get this kind of access since hackers doing espionage or sabotage can be hired.
  • Being inadvertently part of a botnet which sends spam might cause mails originating from the company to be blocked by the mail servers of customers or partners, thus losing the ability to properly communicate.
  • If customer data are affected by a security problem it might result in losing customers, getting fined and also having problems getting a payment provider for acceptable conditions.
  • and likely more ...

Thus, not addressing the risks will likely result in loss of business and loss of money. On the other hand, addressing the risk will also need money and time, so one has to find a way to balance these and determine which risk is acceptable. But to do this one first has to evaluate what the specific risks for the company actually are.

Steffen Ullrich
  • Thank you for your input, it has already helped me! I understand the question is too broad to be answered. I will continue researching and come back with more concise, separate questions. – jgxvx Dec 16 '18 at 20:22
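The balancing act described in the answer above (expected loss from each risk versus the cost of addressing it) can be made concrete with a small expected-loss calculation. This is an added illustration, not code from the original post or from any of its authors; the risk names follow the answer's list, while the probabilities, impact figures, control names, costs and reduction factors are constructed placeholder estimates that a real SMB would have to replace with its own.

```python
"""Expected annual loss versus control cost: a worked risk-balancing example.

Assumption (constructed sample data): every number below is an invented
estimate used only to show the arithmetic of accepting or mitigating a risk.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # estimated chance the event happens in one year (0..1)
    impact: float              # estimated loss per occurrence, in currency units


@dataclass(frozen=True)
class Control:
    name: str
    risk: str                  # name of the Risk this control mitigates
    annual_cost: float         # yearly cost of running the control
    reduction: float           # fraction of the expected loss it removes (0..1)


def expected_annual_loss(risk: Risk) -> float:
    """Expected loss per year = probability of the event x loss if it occurs."""
    return risk.annual_probability * risk.impact


def net_benefit(control: Control, risks_by_name: dict) -> float:
    """Loss avoided by the control minus what the control itself costs per year."""
    avoided = expected_annual_loss(risks_by_name[control.risk]) * control.reduction
    return avoided - control.annual_cost


def decide(control: Control, risks_by_name: dict) -> str:
    """A control is worth buying only if it avoids more loss than it costs."""
    return "mitigate" if net_benefit(control, risks_by_name) > 0 else "accept or find a cheaper control"


def prioritise(risks: list, controls: list) -> list:
    """Rank candidate controls by net benefit, best first: (name, net_benefit, decision)."""
    by_name = {r.name: r for r in risks}
    scored = [(c.name, round(net_benefit(c, by_name), 2), decide(c, by_name)) for c in controls]
    return sorted(scored, key=lambda entry: entry[1], reverse=True)


# Constructed sample risks, mirroring the categories in the answer above.
RISKS = [
    Risk("ransomware", 0.10, 80_000),
    Risk("customer data breach", 0.05, 120_000),
    Risk("mail server blacklisted", 0.20, 10_000),
]

# Constructed candidate controls; the last one is deliberately oversized,
# the "Fort Knox" case: a huge spend that barely moves the expected loss.
CONTROLS = [
    Control("tested offline backups", "ransomware", 3_000, 0.80),
    Control("encrypt customer DB and patch web app", "customer data breach", 5_000, 0.70),
    Control("endpoint anti-malware and egress filtering", "mail server blacklisted", 1_500, 0.90),
    Control("24x7 armed guard for the server room", "ransomware", 90_000, 0.05),
]

if __name__ == "__main__":
    for risk in RISKS:
        print(f"{risk.name:28s} expected annual loss: {expected_annual_loss(risk):>10,.2f}")
    for name, benefit, verdict in prioritise(RISKS, CONTROLS):
        print(f"{name:44s} net benefit: {benefit:>10,.2f}  -> {verdict}")
```

The point the numbers make is the one in the answer: a control is justified when the loss it avoids exceeds its cost, so cheap controls against likely, costly events (backups against ransomware) come first, while very expensive controls with little effect are rejected even though they address a real risk. A negative net benefit for a control does not mean the risk is unimportant, only that this particular control, at these estimates, is the wrong spend.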

IT is just a tool, and it should be considered as any other tool, neither more nor less. I assume that the office door is locked at night, but you probably have no armed guard squad behind it. But you might have a safe in the office for the most important documents or for values. That means that the physical security has to be adapted to a risk level with a balance cost/value.

Nothing is different with IT security. Just ignoring it would be the same as leaving the office door open at night: anyone could come in and steal or destroy things. On the other hand, it would be no use setting too high a level because it would not be worth the cost, just like making the office a copy of Fort Knox.

The bad news with that is that you cannot avoid a minimal risk analysis: what is important in your information system, what are the risks you want to be protected from, and what is the related cost in terms of money and usage.

Serge Ballesta

A few thoughts:

  • Security is one aspect of Quality. A nice summary is here
  • Security is coupled with Privacy (think of repudiation, compliance, customer claims etc.)
  • Security is not just about technologies, it is mainly Processes and People. So you need to focus on your work/business processes (e.g. how often you check security, how often you reset passwords, who can see logs etc.) and your people (e.g. security awareness, training etc.)
Alex Probert
papajony