By Stephan Neumeier, Managing Director for Asia Pacific at Kaspersky
The attacks taking place on small and medium enterprises (SME) are becoming more sophisticated, meaning that they cannot be easily prevented by traditional endpoint protection mechanisms. In such cases, timely incident detection is essential to minimizing any potential negative impact. However, this challenging task cannot be done without enhanced endpoint visibility, exploring suspicious activities and understanding attack execution processes.
From our experience, SMEs understand that they need to improve their security capabilities and they usually contact our sales representatives to enquire about our products. However, for an organization where its IT department is responsible for cybersecurity—as is typically the case for SMEs—translating this intention into practice can be hard.
They simply don’t know where to start. It may seem that the ideal plan is to buy a solution that combines all the high-profile features at once.
But what can go wrong with this approach? Will the companies be able to sift through all the data and events that modern Endpoint Detection and Response (EDR) solutions provide, as well as distinguish between false alerts and real threats?
Serious functionality involves big investments—and it’s not only about money
First of all, it is a matter of price. A Kaspersky report, ‘IT security economics in 2019: How businesses are losing money and saving costs amid cyberattacks’, shows that, on average, the share of spending on information security equates to around a quarter of an entire IT budget. This is true for both small and large companies but in absolute numbers, there is a significant difference.
Spending on cybersecurity in organizations with 50-999 employees is estimated at $267,000, while their counterparts with more than 1,000 employees spend $18.9 million on average. So, a solution intended for enterprise customers may not suit smaller businesses’ budgets.
Moreover, required investments are not only monetary. Enterprise-grade products may be hard to install and integrate with existing security solutions. In an enterprise with a large IT security department, some staff can simply devote their time to this task. This can be an issue for a smaller company though, as fewer employees are responsible for maintaining the whole infrastructure.
Don’t use a sledgehammer to crack a nut
Of course, all these efforts are worthwhile when a new security solution benefits the company’s level of protection. But in practice, even if an SME manages to secure a budget and implement an enterprise-grade solution, without sufficient expertise in information security, it will be difficult to fully leverage the scope of functionality.
First, the advanced functions may simply be irrelevant to their particular requests. For example, if a previously unknown suspicious object is detected, some organizations that are not very mature in cybersecurity just need to know if it is malicious, or needs blocking. Meanwhile others just need a full picture of the object’s actions and background for a deep investigation. It is important to understand what an organization’s requirements are and what its existing team can work with. Depending on this, a company can decide whether they are ready to purchase, for instance, a sandbox designed for security researchers.
Secondly, products which were created for security analysts are not appropriate for a “set-and-forget” approach. For example, a feature-rich EDR solution requires a team of expert analysts capable of tuning the detection logic and creating new rules to continuously improve detection levels. Without such specialists, the solution’s ability to proactively search for indicators of intrusion will not be useful.
It is common in SMEs for a system administrator to manage an endpoint protection solution. But even EDR, which provides essential capabilities, requires an employee with basic cybersecurity knowledge. Of course, hiring a full team of threat hunters or advanced security analysts at once is hardly a feasible task—such professionals are highly-paid and quite rare to find. Therefore, it is worth starting with an employee who has knowledge in information security. Combined with an understanding of the IT landscape, this allows for validating alerts, eliminating threats while taking into account the risks of their actions, such as isolation of a certain workstation or server, or stopping a critical business process.