Intelligent SME.tech Issue 03 | Page 36

// EXPERT PROFILE //

would have been on a corporate network are now spread around the country or in some cases the world. In these cases, we are utilising VPN and software defined WAN to bring these devices back onto a virtualised network for assessment.
There is a little more time spent scoping the assessments with the client to ensure that we have sufficient coverage and perhaps a little more setup but otherwise the methodologies, tools and techniques remain largely the same. The threat landscape is always changing and a pen tester will consider this as business as usual.
What advice would you offer SMEs to ensure they are adequately protected?
While security assessments may seem like an expense that can be delayed until business picks up a bit, the cost of a breach can be far higher. I always say that while security hardly ever adds to the bottom line, it almost certainly protects it.
Organisations must not be complacent as with cybersecurity, past history certainly does not provide a guide to the future. Just because you have gone years without any known breach does not mean you will not have a major incident tomorrow.
SMEs should seek advice from security professionals to understand their attack surface and then take steps to discover and resolve or mitigate any vulnerabilities.
Ensuring that operating systems and applications receive timely security patches is essential and remote working must not be an excuse to delay this. Where possible, multifactor authentication should be used on all accounts and staff should be provided with training to help them avoid the more obvious phishing/social engineering attacks.
How should SMEs be planning for the year ahead?
We see all too often that SMEs do not have a dedicated budget for a security programme and this is a good time to change that for the year ahead. Whatever budget you can afford, an experienced security consultancy will help you prioritise and get the most benefit for the budget you have.
If you do not have an architecture diagram showing the relationship and data flows between your systems – whether they are owned by the organisation or a third party – then the creation of this should also be a priority.
It is very difficult to protect what you do not know and good documentation will not only help identify your attack surface but will also be invaluable in containing and recovering from an incident should the worst happen.
Plan for regular vulnerability assessments – once a year is simply not enough as new vulnerabilities are being discovered frequently. Having just one device on your network that does not get patched could be all an attacker requires.
Plan to replace any tactical solutions that were rushed in during the COVID-19 pandemic with strategic solutions that have been assessed from a security perspective.