back to article Check Point chap: Small firms don't invest in infosec then hope they won't get hacked. Spoiler alert: They get hacked

"I don't want to have a job any more," said Check Point's Dan Wiley, sitting in a fashionably nondescript London coffee shop. "I don't want to have to do my job. It means that we failed." Far from being depressed, Wiley was expressing the forlorn hope that infosec as a field would be less dominated by malicious persons trying …

  1. Anonymous Coward
    Anonymous Coward

    Small businesses often don't have the budget for decent infosec.

    At the lower end of the market there is so much upsell it's crazy. So even if they do invest they feel as though they haven't got as much security in place as they could have because they're not paying the £25 per end point per month for the "premium" features.

    Not only that, a lot of smaller businesses won't hire an infosec professional to look over their setup. Usually in the advice of their "IT guy". Probably because the IT guy doesn't want all of his dirty secrets exposed.

    Well fun fact IT guys. Us infosec folk understand your situation, we know the corners you're forced to cut and we generally don't expose you to the client. That's not our job.

    Our job is to work with the technical staff...at least that's the way I see it...which is a damned sight easier than what you do...we don't have to deal with Betty from Accounts for the 89th time about that fucking label printer, we deal with Dave in IT...we look at your firewall rules, patching strategy, security policies and we help you tighten them up in accordance with your budget and the way the business operates...then have a beer afterwards...in fact we might be the only suppliers that will buy you beer!

    So relax, we're not here to steal your job, make you look bad or undermine you...we're here to take some weight off.

    1. Anonymous Coward
      Anonymous Coward

      "Small businesses often don't have the budget for decent infosec."

      To be fair, a lot of larger companies *do* but prefer to save it and spend it on shite (like PHB bonus payments etc etc).

      Its never about doing the right thing. Its never about providing a great service. Its never about providing a secure service. Its all about risk management. How much can a PHB avoid spending based against what it will cost them if it all goes wrong. Note that I said 'them' and not the company. If the company goes under, those slippery barstewards always seem to come up smiling.

      Personally I have no issues with someone looking over what is going on. 9 times out of 10 I will be using *YOU* to back up my recommendations, and its great to have someone impartial do a sanity check. I have been a party to several security audits, and I have sat there with the auditors and told them where to look (even auditors sometimes miss things).... The kicker is, out of all of those audits, the company involved STILL did fuck all about it.

      1. Mike 137 Silver badge

        Not even risk management really

        "Its all about risk management. How much can a PHB avoid spending based against what it will cost them if it all goes wrong."

        Fair comment - unfortunately this is what most businesses think of as risk management: "what's the least we can get away with to [keep the regulator quiet/avoid getting fined/ &c."

        Real risk management is about proportional allocation of resources to provide adequate protection. But even when (rarely) businesses try for this, the big problem is that everyone thinks all you need to do is guess about both likelihoods and consequences. I haven't found a single commercial risk management training course that covers the basic principles of probability, and almost nobody actually investigates threats or vulnerabilities. They just sit round a table "brainstorming". Consequently the results of risk assessment tend to be total nonsense.

      2. Anonymous Coward
        Anonymous Coward

        "The kicker is, out of all of those audits, the company involved STILL did fuck all about it."

        Usually because the auditor will flag things as "actions to review at the next audit" which could be as much as two years away. By which time the system has changed sufficiently that it appears action has been taken but the problem is effectively the same, at which point the problem is flagged as an "action" again. Wash, rinse, repeat...as infinitum.

    2. Doctor Syntax Silver badge

      "Small businesses often don't have the budget for decent infosec."

      They always have budget to fix the consequences. Well, maybe they don't always but if they don't it also means they don't have the budget to survive.

      1. P. Lee Silver badge

        If Checkpoint are seeing these problems, does it mean their product doesn't help?

    3. Anonymous Coward
      Anonymous Coward

      > a lot of smaller businesses won't hire an infosec professional

      > to look over their setup. Usually in the advice of their "IT guy".

      > Probably because the IT guy doesn't want all of his dirty

      > secrets exposed.

      Yes, I can identify with that....

      Would anyone like to hazard a guess what it would cost to have “an infosec professional to look over their setup”? Say a 1-employee tech company with a modest collection of AWS thingies? Asking fir a friend.

      1. Anonymous Coward
        Anonymous Coward

        Probably £300-£500 a day.

        £750+ if the infosec guy likes the smell of his own farts and has a CompSci degree from somewhere like Oxbridge and little to no experience working up through the industry.

        Ironically, the latter chap will do a shit job and leave you exposed.*

        *See: Every massive business that has been hacked. Ever.

        If it comes down to picking between two candidates. A fresh looking dude in a suit with a leather satchel, Mac and ear pods and a scruffy dude with a massive rucksack, two laptops, 3 of every cable, hard drives for days plus 6 packs of super noodles.

        Pick the dude with the noodles. That's experience right there. He's there til the job is done. He's going to bail your ass out.

        Bonus points if the scruffy dude turns up with his own switch and a pre-prepped 2U server in his car.

        Pick the fresh dude if you're a startup and you need a face for the team page on the website.

    4. BillG
      Mushroom

      Email

      "Email's been around for 50 years," he said, cheerfully cursing as he continued: "But it's been around 50 years and we're talking about the same attack vectors: phishing; malware; manipulations; and all other delivery mechanisms. Email makes it so easy to deliver. And we still haven't dealt with it."

      Working on my own I can afford the time to look at each incoming email. But when I was a Product Manager at a large company I received over 200 emails a day & I was expected to clear each of them before EOD.

      The most common attack today is probably the phishing email, sent to an overworked middle-manager, at the end of the month, with body text containing enough insider language to seem legit at a glance.

  2. Cuddles Silver badge

    Small firms?

    Shouldn't that just read "firms"? As we see on a weekly basis, large firms are just as incompetent.

    1. HildyJ Silver badge
      Facepalm

      Re: Small firms?

      Amen.

      Firms, small and large, private and government, view IT security as a cost, not a requirement. Shareholders are only concerned with the bottom line and most consumers don't seem particularly concerned about it at all.

      1. Alan Brown Silver badge

        Re: Small firms?

        "Firms, small and large, private and government, view IT security as a cost, not a requirement. "

        Insurance companies know that.

        The ones who DO offer "cyberprotection" policies have T&C in the acceptance offer which would make the ransom moot as everything can be restored from backups - and if not, they can decline to payout on the basis of non-compliance OR set the insurance excess high enough that the company will blink.

        And of course, having been reamed once, the premiums will go up by a factor of AT LEAST 20 until the company has demonstrated compliance with T&C

        (Yes, I 've seen insurers offer 'cyber' policies - and then had to point out to the proud business owner holding one that the T&C in them mean that it's worse than useless including penalty clauses should the owner not meet conditions - PCI DSS compliance rules are generally minor by comparison)

        It's _not_ in an insurer's interest to pay ransoms for the same reason you don't pay Danegeld and many insurers don't feel restrained by national boundaries when it comes to loss recovery in the same way that police forces are

        (ie: if they actually PAY a ransom, then the people making the demands are going to need to be looking nervously over their shoulders for the rest of their lives as you can pretty much assume that the insurer passed it to an underwriter who's determined to discover where the money trail goes and isn't picky about the legality/ethics of getting that information as long as it's accurate.)

        Even if not driven home by insurers - the sizes of the fines now being proposed under GDPR, etc etc are making businesses realise that IT is far from a "cost" to be minimised. RIght now we're at the stage where they regard enforcement as unfair - as they did with HSE laws back in the day, but if the ICO doesn't back down on the BA fines (as one example) then this kind of risk will change the way things ar appraised - and beancounters being congratulated/given bonuses for shaving costs are just as likely to find those bonuses being clawed back (and then some) if the "savings" turn out to be responsible for the mess and the fines.

  3. ClownBeer

    A lot of small firms get hacked because of the ignorance of senior members of staff. On the flip side, there's a lot of companies out there basically selling snake oil whilst others are simply price gouging for the hell of it with the "promise" of "Making your systems bulletproof".

    Majority of attacks succeed because of poorly configured systems coupled with extreme "I know better" attitudes so prevalent in the security sector right now.

    1. Alan Brown Silver badge

      > Majority of attacks succeed because of poorly configured systems coupled with extreme "I know better" attitudes so prevalent in the security sector right now.

      Nope.

      The VAST majority of attacks are Mitnick-style social engineering jobs. You can configure a system as tight as a gnat's ass, but if the CEO overrides that, your security is toast and not for technical reasons.

      It will take a few C-level staff up against the wall before that changes - and this is where regulators (personal responsibility) and insurers (industry blacklists of irresponsible management - don't think they don't exist) come in.

  4. James Ashton

    Paying for Infosec is a Competitive Disadvantage

    For a small business you can get away without infosec for, on average, a long time before it bites you. If you pay for it when your competitors aren't then you won't be as competitive as they are. Maybe the rise and rise of ransomware will have at least one up-side: disastrous compromises will become so common that, finally, most people will take infosec seriously.

  5. Pascal Monett Silver badge
    WTF?

    What the ever-loving frack ?

    You need 3 different security firms to ensure you can use Office 365 in peace ? Here's an idea : don't use Office 365. Go back to 2016.

    Also, companies that don't have backups today should not be covered by insurance. There is no reason to insure a company that doesn't give a rat's ass about its data. You got ransomed, your data encrypted and you don't have a backup ? Tough. Start over and learn to make backups.

    There is no excuse for supporting the lazy incompetents that can't take care of their data.

    1. Danny 14 Silver badge

      Re: What the ever-loving frack ?

      I know for a fact that our insurance had sections for ransomware, backups and AV.

      1. Alan Brown Silver badge

        Re: What the ever-loving frack ?

        "I know for a fact that our insurance had sections for ransomware, backups and AV."

        Have you ever tried to USE those sections, or looked into the T&C plus exclusions on those sections?

        Those sections are there for a reason - many insurers will void the entire policy on a breach in one part and by having them THEY have done their due diligence.

    2. veti Silver badge

      Re: What the ever-loving frack ?

      Oh yes, that'll fix everything. Office 2016 was soooo secure.

  6. Anonymous Coward
    Anonymous Coward

    "A senior exec at a security company that is stoking security fears to sell more security, who's have thunk it. But he has a point."

    Just have just added the 'Sponsored' tag .... interviews like this are always vendor-centric and completely compromised.

    1. Anonymous Coward
      Anonymous Coward

      Really...?

      You are going with the "conflict of interest" angle...?

      How about proving any of the points in the article wrong...?

      Bet you can't...

  7. John Savard Silver badge

    Obviously people don't want to spend more money than they absolutely have to.

    The solution is clear.

    Make operating systems completely secure, so that you don't need to buy anything extra.

    Severely punish attempts to compromise computer systems, so that no one will dare to try for nefarious purposes. This solution is great, because its costs are borne entirely by the people whose fault it is that we have a problem. (Maybe tax software companies that make imperfect operating systems to pay for the hackers' bread and water while they're in jail.)

    Cut off internet and telephone connections to countries that don't fully cooperate in prosecuting hackers, like Russia, China, and North Korea.

    1. Doctor Syntax Silver badge

      "Make operating systems completely secure, so that you don't need to buy anything extra."

      Great idea. Where are you going to start?

    2. doublelayer Silver badge

      Why didn't I think of that? You're truly a genius. Let's implement those immediately!

      "Make operating systems completely secure, so that you don't need to buy anything extra."

      Completely secure means it is entirely impossible for a malicious party to do anything unwanted, no matter what access they have. So, if I can use physical access to read a file that I shouldn't be able to, then it's not completely secure. So we'll have to eliminate all operating systems in existence.

      "Severely punish attempts to compromise computer systems, so that no one will dare to try for nefarious purposes."

      Your wish is my command, and fortunately for you, I happen to set the laws for the entire planet. Computer intrusion is now punishable by death. Problem solved, no? Well, you're missing one major thing, which is that we can't find a lot of criminals because they operate behind proxies and often across national borders. But I believe you had a solution to that, so don't let me get ahead of you.

      "This solution is great, because its costs are borne entirely by the people whose fault it is that we have a problem. (Maybe tax software companies that make imperfect operating systems to pay for the hackers' bread and water while they're in jail.)"

      Oh, good. The costs for finding the criminals will be paid by those criminals. Wait ... how? What if we fail to find them? How do they pay. Can we make up a fake bill for finding them and catch them when they come to pay it?

      "Cut off internet and telephone connections to countries that don't fully cooperate in prosecuting hackers, like Russia, China, and North Korea."

      Sounds great. Who wouldn't want to close the China market to all companies and customers in other nations? Certainly not me. Down with your connections. I'm cutting all your lines immediately. Now, listen here, China. You better not set up any more lines, or satellites, or let any hackers out of your country to use someone else's connections. Also, you shouldn't get angry that we've cut you off and respond aggressively. We wouldn't be happy. And you'd better not form an alliance with other countries we've done this to to replace the internet and effectively turn the connection-cutting policy back on us.

  8. unbender

    How about SMBs implement the basics

    In no particular order:

    1 Enable Windows Defender (it's a freebie), or whatever end point protection you prefer

    2. Disable local admin rights

    3. Remove write access to archived (old) files

    4. Setup and maintain proper backups - even (especially) if you are in the cloud

    5. Restrict full admin rights.

    1. EnviableOne Silver badge

      Re: How about SMBs implement the basics

      enable the basics, thats exactly what cyber essentials was created for:

      www.cyberessentials.ncsc.gov.uk

      and for SMEs its actually achievable, mostly with stuff either included or freely available.

  9. RM Myers
    FAIL

    Insurance Risk Management?

    I would assume most insurance companies would require risk management assessments before they would cover business interruption and recovery expenses for ransomware and other infosec issues. At the very least, they should be requiring decent backup procedures and other basic security. Otherwise, your business probably should be looking for a new insurance company.

    1. doublelayer Silver badge

      Re: Insurance Risk Management?

      Why should we look for a different insurance company? This one is willing to pay out even if we've made mistakes while those other ones keep making these demands about good system configuration. If we went with those companies, we'd have to hire someone to implement all the things they're so intense about. Sure the premiums are lower over there but the salary for that new employee is greater than the difference in premiums, and we all know that second option is just going to nitpick about everything before paying a claim. And what are the chances really that we'll need coverage for ransomware? It's unknown if we'll ever get hit. As for other intrusions, they're clearly unimportant because when have I read about those becoming a major issue as much as I've heard about ransomware. But even if we do get hit with those, this insurance policy is there as our fallback. We don't need anything else.

      *The preceding program was brought to you by the finance department or, in the case of a small organization, the financials person.

      1. Twanky Bronze badge
        Coat

        Re: Insurance Risk Management?

        Why should we look for a different insurance company? This one is willing to pay out even if we've made mistakes...

        I recognise this attitude. Thing is: what's the betting that the apparently more lax and expensive insurer will baulk at paying out if the company has neglected basic security? Has your financials person read and understood the small print?

        icon: staff might as well go home now...

      2. Alan Brown Silver badge

        Re: Insurance Risk Management?

        "*The preceding program was brought to you by the finance department or, in the case of a small organization, the financials person."

        If I ever saw arguments like that I'd be looking through the policy with a VERY fine tooth comb because I'll guarantee that the "financials" people/person hasn't, or the terms in it went whizzing over his/her head.

        1. doublelayer Silver badge

          Re: Insurance Risk Management?

          Of course you would. All of us would. And all of our companies would probably call us or someone like us to go over anything that technical. The problem is when there isn't someone that technical in the place. Many small places have little or no technical assistance. Sometimes they outsource on a pay-per-request basis. Sometimes they outsource on a less expensive basis but their outsourcer won't just do any technical thing when they're asked, limiting themselves only to the specific things in the agreement. Sometimes they don't have anyone at all. For example, I'm currently the primary admin for a small charity. By primary admin, I mean to say that I volunteer some time, in small chunks, when they ask questions or I remember that I was planning to do something. They don't have a secondary admin. With that scale, unless they also have a volunteer doing it, they have nobody to ask to read their cyber insurance documents. In many cases, the person they'll forward the responsibility to will be their financials person who, without trying to do any disservice, won't know enough about what they're doing to do it properly.

    2. Jason 24

      Re: Insurance Risk Management?

      Having recently implemented synchronously replicated storage across a manufacturing plant who were looking to be insured as a 24x7 business, the insurance company absolutely insisted on having completed tests (pulling power from the entire rack) and documentation for this. That's a level of risk management being completed by the insurance company.

      Also, which insurance company is not demanding a cyber security essentials certificate before issuing any sort of cyber security insurance? Maybe that's just UK specific, does the US have a similar program?

  10. Daedalus Silver badge

    Human error

    Anecdotal evidence - OK, reddit - suggests that ego is a major issue. "I championed this, so it must be enough". Questioning existing infosec procedures tends to get a hostile response, especially when the questioner is a just-the-facts nerd and the questioned one is an over-promoted sales droid. Talk about being divided by a common language. Likewise sysadmins who've gotten used to the cushy life tend to be hostile to any suggestion that they're not doing enough - or anything at all, in some cases.

  11. A random security guy

    Secure by default?

    I think people designing and implementing software are not making software (and HW) secure by default.

    1. Alan Brown Silver badge

      Re: Secure by default?

      "I think people designing and implementing software are not making software (and HW) secure by default."

      You can'r slap on security later as an afterthought, It has to be baked through the entire pie, not sprinkled on top.

      And your first step in making that pie is complicated by the default underlaying OS having decades of legacy of not having ANY security in it whatsoever.

      It's better than it was but most people will run it wide open by default or carve out holes everywhere because programmers and vendors insist that I compromise MY company's security for THEIR convenience - and C-level manglement (or worse still - SALES) demand that it be made so (in which case get the request in writing and an acknowledgement that the requestor takes responsibility for the consequences of any resulting breach in security - your personal liability insurer will love this when it's needed)

      One example: Papercut - on linux demands that all security features be disabled to allow it to run - despite only actually needing about 3 SElinux tweaks.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020