So I agree that prescriptive is a great way to go and it helps particularly under-skilled or under-staffed businesses get a recommendation as to how to deal with the problem, but fundamentally the problem hasn’t changed in fifteen years.
Craig Possibly one of the issues on that is that consistently this topic isn’t hitting the boardroom table. It remains an IT compliance risk. It’s not really getting the mindshare in the boardroom that it needs.
Sean Compliance is often seen as a technological problem, something to be dealt with, not across the whole business, and so it doesn’t get the attention it needs. When you’re comparing the cost of doing nothing to the cost of doing something, the cost of doing nothing is not easily visible on the balance sheet, and it impairs the abilities. I think the partners, more than the vendors, have to be the trusted agents there, because they are the people who, especially in the small to medium range, know the law. Around about 2000 the awareness of the Privacy Act was much higher, because it was new, and now it’s often seen as ‘well, we’ve got somebody looking after that, we think’, so there isn’t the attention to it.
CRN Sean, you recently gave a very damning assessment of the SMB space in terms of their security awareness, but it seems as though we’re saying the awareness of security issues in the enterprise is still lacking, so what chance do the SMBs have?
Sean If you’re running a small business, you have to be looking at what the business is doing, and that has to be your focus if you want to survive, if you want to make money. If you don’t have the ability to employ specialist security staff, and let’s be honest, no small business has that as their priority unless they are specifically dealing in military or law enforcement, then it has to be an ‘also-ran’ to the overall business model. The ability to provide managed services goes a long way towards that, and I think that’s going to become something that people rely on much more in that small space.
CRN That’s presumably the big opportunity for systems integrators and resellers right? The SMBs don’t have the money to hire the specialists internally and in comes the channel.
Aaron I think that a lot of the hype around Privacy Awareness Week was really focused on the repercussions and the fines aimed at individuals in the organisation. What we try to achieve is a pragmatic way to educate our clients. We have four key principles in the way that we go to market. It’s principally around visibility, awareness, protection and agility. There are multiple ways, controls, tools and indeed consulting services that are available as a cost effective way to gain more visibility into the actual threats.
The personal information, or data in general, needs to be valued and classified. There’s a lot more value in health records, for example, or tax file numbers, compared to a marketing database that just has names and email addresses. By educating customers to get some visibility into the real threats and business context, they actually have awareness of what the real risk is to those assets, and they can make an educated decision on how to protect them.
CRN We’re obviously talking about a significant auditing task.
Aaron Yes, and we have 160 security staff nationally, about 25 of those are focused on consulting. We do government risk compliance and consulting against standards. The OECD actually released a decent practical guide that had a number of questions for clients to self-assess. I understand that a lot probably won’t read it, but they should certainly go through the questions. I think it’s an opportunity for the channel to actually take those and package those into a consultative approach and help them on that journey.
CRN How good a job would you say your partners are doing with that?
Aaron A reasonably good job. Certainly during the Privacy Awareness Week we invented a Privacy Impact Assessment – I know of at least one of our partners sitting at this table who was partnering with a legal firm as well to provide a similar privacy impact assessment type, and that was all effectively built and launched through Privacy Awareness Week, and so I think there is a fairly good job being done.
Keith My research has focused on the concept of situational awareness, and that’s what we don’t see with a lot of SMBs: the real situational awareness that they have about why they would be a threat. Managing compliance is really just a risk, and certainly it’s an operational risk, and back to Sanjay’s point, that’s absolutely on the operational risk side that we would manage IT risk and information security risks.
There is a lack of general situational awareness in a classic security sense. Just like when you walk down the street at night, that situational awareness that we have to be aware of the threat, where you’re vulnerable, who would want to attack you, how they’re going to attack you, what they’re after. Those are the things that I think a lot of people that we’re talking about just don’t do. They just don’t do these basic fundamental things.
CRN So what’s the answer? Do you use fear to make them more scared?
Craig This is not core business for SMBs, so there is a massive opportunity for the channel and managed service providers to provide that situational awareness to their customers.
Sean That understanding of what makes you a target is very, very low. Attackers are not specifically targeting every business, but there’s a huge amount of opportunistic attacks. A compromised PC is a saleable commodity with about 30 or 40 different uses, depending on what you’re doing, so you can commoditise the infected machines, but also if you’re part of a larger supply chain, you can be a target. No-one’s too small to be a target, but not everyone is a target. If you’re a contractor working with somebody developing a new building in Canberra, for instance, and you’re a small construction firm, you may be a target even without being aware of the fact that that makes you a target.