Over the last years, numerous studies have demonstrated that small- and medium-sized enterprises are the main victims of economic cybercrime[1][2]. Beyond the initial suspicion regarding the origin of such studies (it could indeed be primarily a marketing attempt to enter an almost still-untapped market), the cost to fight cybercrime is undoubtedly an issue.
And although awareness-raising campaigns could have enabled such small structures to understand the importance of cyber risk, a safety expert remains a rare and costly person, and the implementation of efficient software solutions requires a certain level of expertise. The problem is further heightened in start-up companies, since they combine innovation and inability to invest in cyber protection, whilst their informational assets are precisely very attractive for a cyber attacker.
In such an unfavourable macroeconomic context, how can SMEs reconcile their growing needs for cybersecurity and their budget? Would it not be interesting to design decision support systems that would befit their size, and thus their cyber expertise?
Decision Support & Expert Systems
Decision support, also called operational research, refers to those rational techniques and methods that enable to make the best possible decision. It uses a conceptual and mathematical modelling to analyse complex situations and enable decision-makers to arbitrate without mastering all the concepts underlying the issue at stake.
An expert system is the software side of decision support, which reproduces the cognitive mechanisms of experts in their fields. It is able to answer questions by connecting facts and rules in an inference engine mainly based on syllogism.
In the field of cybersecurity, SIEMs (Security Information and Event Management) and IDSs (Intrusion Detection System) are examples of expert systems. SIEMs, for instance, use a correlation engine to connect several events to a single cause, thus simplifying the work of experts, who use them to perform a task that was formerly theirs. Even though such software applications can be seen as mere tools, they actually integrate and implement a first level of expertise and reasoning.
Access to Cybersecurity: Minimum Security Threshold required
If human experts are too expensive, and security tools are designed solely for them, there is a need for a software solution that could enable small entities to protect themselves with provisions similar to those proposed by experts.
A thorough assessment of security software applications shows several things:
– Freeware offers all the solutions required to make a detailed map of a network and its software environment, identify security flaws and even detect intrusions.
– Such applications do not display information in a way that novices can understand and do not offer a clear solution to a problem that they do however identify.
Holding all the cards, we could design an application able to determine and analyse a company’s network topology and to suggest changes that could considerably raise the security level. The idea would be to combine the analysis capabilities of the existing software applications with a crystal-clear and integrated manual, which would guide the novice step by step through the corrective actions to be implemented.
The facts and rules of such an expert system would integrate the known vulnerabilities and the basic technical rules of IT security (closing unused ports; keeping the software environment up to date; etc.). This would complement the awareness-raising campaigns aiming to reduce human negligence in the field of IT habits and security – in particular as regards vigilance with attachments.
Decision Support in Reacting to a Cyber Attack
The protection of novices requires to treat the aspect of response to attacks, since every single company will face a cyber attack one day or another. As with first aid for humans, the rapidity and efficacy of response will determine the impacts of the attack.
The first response within the reach of an informed user is to isolate the compromised element. However, such isolation can also regard a sensitive element, whose integrity and confidentiality must be preserved, even if it means temporarily sacrificing its availability (while awaiting the intervention of a CERT).
It is an ideal opportunity to remind users the best practices[3] in the event of an attack: preserving all evidence; not turning off infected stations to avoid losing information about the malware; etc.
Such software could be created by a cybersecurity company, which could thus promote its own solutions, for instance by highlighting them within an array of free solutions. We can also imagine a modular software, based on a proven business model: a free basic version, and paid versions with advanced features (which would include an IDS and decision support for response). Such scheme would enable the provider to accompany its client companies in their development, building their loyalty right from their infancy.
However, although such software could be profitable, it is first and foremost a national issue and would thus certainly be supported by the State. Indeed, raising the security level of SMEs means protecting them better against non-targeted attacks and making them less attractive targets than the companies located in other countries.
Beyond cyber attacks targeting an immediate gain (theft of customer data; ransomware; etc.), rival-sponsored cyber pirates, be it a state or a foreign company, are attracted by the innovations developed by small entities. On the other hand, subcontractors are often the weakest link for serious attackers wanting to breach the security of a large corporation. It thus becomes strategic for a State to make sure that small companies are able to protect themselves until they reach the critical size that will finally enable them to afford a security expert.
It may seem naive to think that such a software could have a real impact, but actually, we know that the DARPA is working on the design of an automated offensive system[4]. If such a system can be made effective, the feasibility of a defensive equivalent is merely a question of means, and thus becomes, in the end, an entirely political issue.
[3] http://www.cert.ssi.gouv.fr/site/CERTA-2002-INF-002/index.html