Enterprises call for government to improve security practices of SMBs

Summary: While large enterprises are capable of handling their own security, they are finding that small and niche businesses in Australia are unable to cope with the security of storing data on behalf of the large companies, CERT Australia has found.


Issues with smaller players being unable to meet the computer security provisions inserted into contracts with larger corporations have led to calls for the government to step in and form a partnership with industry to bring local small businesses and niche players up to scratch, said Mike Rothery, first assistant secretary, National Security Resilience Policy, Attorney-General's Department.

Speaking at the Gartner Security and Risk Management Summit in Sydney, Rothery said that 35 interviews conducted with industry during the process of CERT Australia becoming part of the Australian Cyber Security Centre had revealed quite a paternalistic relationship existing within the IT supply chain.

Rothery said the interviews examined the role of government in IT security, and found that businesses with a high level of maturity do not look to government for help securing their own systems: those companies are well aware of the risks of doing business online and manage those risks themselves.

"What they do look for government to do, interestingly, is to actually help them manage their own supply chain," Rothery said.

"Because what a number of large organisations said to us was: 'We're good. We're on a path, we're not there yet, it's a constant struggle, we've got to keep reinvesting in it. But our problem is that although we put cybersecurity conditions in a whole lot of our contracts with our suppliers, they're not worth a cracker — because a lot of those people that we want to contract to, actually, are not competent to manage the security of our information inside their network.'"

According to Rothery, that does not mean that large corporations want to cut SMBs adrift; rather, they want to lift the standards of those companies.

"Some of the large corporations that wanted to do business with niche providers, particularly in terms of niche software development, had in the previous decade put highfalutin requirements in the contracts that people signed, but actually have now come to the view that very few of those organisations are actually capable of fulfilling those obligations," he said. "So rather than trying to manage the risk through the risk of litigation, effectively suing people if they get it wrong, that's not the relationship that they want to have.

"What we heard in terms of what the role of government is ... 'We need to bring up those other elements of corporate Australia that have not reached that level of sophistication, but we need to do it in partnership because we know this is not something that government is necessarily the beneficiary of, we know that actually the whole of the economy is the beneficiary, and we need to do some of that heavy lifting ourselves'," he said.

The motives for the larger corporations are economic, with businesses not wanting to deal with a small number of companies that could begin to gouge prices.

As a result of smaller businesses being seen as unable to handle corporate data securely, Rothery said CERT Australia has noticed many major corporations change their relationship with vendors: rather than signing an open-ended contract and handing data over, they are choosing to handle security themselves on the smaller vendor's systems, effectively reaching into the vendor to create a "secure enclave" fit to handle their information.

One example offered by Rothery of such a situation is a separate IT environment under the control of the customer, provided for the development of a product.

"[It is] basically saying: 'We like your product, we think you have a niche capability, we can see this as being a competitive advantage in the marketplace — but you are not capable of doing the security yourself. It's a big stretch to ask you to be experts of that in addition to the innovation that we are seeing in your other products. We will partner with you'," Rothery said.

Cloud maturing, but not yet ready for government

Speaking about the uptake of cloud computing services within the Australian government, Rothery said that the main pain point for agencies is not about the benefits of cloud usage, nor the environment used within those services, but rather what the environment will be in five years.

"If you are wondering why the Australian government has been probably a little bit reluctant to dive into cloud ... it's just that issue about how do we get that information to be able to assess the risk, and how do we know that when we make a judgement about the risk, it will be for the life of the relationship, and that we won't find that information has migrated, contracts have changed, data warehousing has moved into third or fourth countries without actually knowing about that in advance.

"The service delivery agencies in the Commonwealth are probably the first movers — the national security agencies, often because they work in air-gapped non-internet connected systems, are probably in a luxurious position — it's still fairly early days."



Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.



1 comment
  • A much bigger problem than anyone's talking about

    This is indicative of a very large problem - small businesses account for something like 48% of employment and 32% of GDP growth in Australia. That's not 'SMBs', that's just small businesses. A business with 19 or fewer employees.

    These businesses not only lack the budgets to have any hope of adequately securing their infrastructure in the face of the extensive threats arrayed against them on this battleground called the Internet, they usually don't even have access to decent advice or technical expertise on the subject. Very, very few small business owners have even the slightest comprehension of and appreciation for the level of risk posed by the loss or compromise of their IT assets, nor do they approach it as anything but a cost centre to be minimised as much as possible.

    To date this sector has had an insignificant impact on the economy generally resulting from security breaches - sure, they hurt the individual businesses and owners badly, but each event on its own poses very little overall risk to economic sectors.

    However, despite the extremely fractured and dissimilar nature of the systems in use from this disparate collection of millions of people, they do have several common factors - they mostly run Windows environments without hardened security, edge firewall or IDS and they have no monitoring of their networks (they're lucky if they have manageable network equipment). We know that malware, viruses and hacking have gone professional, conglomerated into organised crime syndicates, while foreign governments and militaries have their own secret hacking programs, facilities and special ops units.

    Small businesses are the weakest link in the security chain - they need IT systems, but they can't afford to secure them (other than in the most cursory sense). It will only take someone dedicated to exploiting this fact who devises a compromise to a key part of this matrix (say Windows or a tax department man-in-the-middle attack during July) that could lead to a concerningly large proportion of the small business sector (and probably the general public) being compromised.

    So how big an impact on the national economy will it take before people start looking at this seriously? Everything we've seen up to this point other than Stuxnet has been child's play, mere idle tinkering. There is a lot of bad software out there, much of it running on your computer. Serious dollars are bringing serious effort from some prodigiously intelligent people to bear on this situation, and poor software development practices for decades have left a legacy of potential exploits that will allow our systems to be ripped wide open.

    Unless governments and large enterprise start to seriously assess the risk of small businesses suffering mass compromise, and proactively develop some plans, strategies and budgets to tackle this colossal problem, we are all in for a rude awakening within the next few years.