Sun Branding Solutions CIO Kevin Evans oversees a seven-person IT team that supports a company of around 550 employees but has security risks that go far beyond its own internal operations.
"As an SME we are very often an easy route into a big enterprise, whether that's the MoD, a supermarket, a boat builder or a large logistics firm," Evans explained at CIO UK's SecurIT event at the Shangri-La Hotel in The Shard in London.
"The average SME has got zero dedicated IT cyber security staff, yet we hold IP as part of the SME supply channel that belongs to much bigger companies, who probably invest very heavily in their own cybersecurity and then hand their data off to us and just trust that we're going to look after it with equal skill."
Cyber criminals target SMEs because they're normally the weak spot, and breaching their defences can gain access to data, networks, and financial information to far larger companies. This means that the security practices of small companies need to also protect their clients.
Evans' own company is the branding and marketing arm of multibillion-dollar US giant Sun Chemicals, and manufactures labels for products sold by leading global retailers such as Walmart, the largest company in the world by revenue. Around 80% of grocery shopping goes through Sun Branding Solutions before it reaches shop shelves.
It takes 48 weeks for a grocery product to go from an idea to an item available for purchase, and three years for medicines and vitamins. This gives cyber criminals a long window of time to steal valuable commodity information.
If Sun Branding Solutions received an order for Nurofen packaging, they would be told the exact name, look and feel of the product, the packaging details, the ingredients shown on the box, how it will be sold and in which markets it will be available. And they would have those three years before it's on the shelf.
"It's not just amateur hackers that are trying to get into these," says 2017 CIO 100 member Evans, who was appointed Sun Branding Solutions CIO in 2015 after two years as its development support manager.
"If you're in a counterfeiting drugs market, that's big organised crime. And I've got that data just the same as [FTSE 100 health products company] RB has got the data about their new Nurofen product launch. Which one of those is the harder one to hack? Me, the small SME, or RB with their big data security teams?"
Protecting data on a budget
Evans has implemented a comprehensive and secure backup restore strategy to protect his company and its clients. He also relies on the cloud for security and to make rapid restoring easy, and on self-managed VPNs between sites to reduce the complexity of connecting for users.
“The cloud has some risk, but actually it takes away a lot more risk than it adds because now I've got hundreds of security professionals working on maintaining that infrastructure, maintaining the engine and so on," he says.
"It's changed my IT staffing needs - I need people who can work with partners to extract value from technical partnerships - but it doesn't fundamentally change the data that we're collecting, and it doesn't change anything internal about the way we're processing it."
He also benefits from outsourcing some cyber security services to Symantec, which adds holistic security from an external network of highly skilled people. A partnership with Insight has helped change the company's IT infrastructure, and close collaboration with Microsoft's developer ecosystem ensured that code writing for applications is secure from the outset.
"Since introducing this I've managed to cut my budget in terms of what I've spending and at the same time I've got 24/7 security monitoring," says Evans.
"I defy anyone in this room to monitor a four-continent, nine-country ecosystem with just seven IT staff in-house and still provide 24/7 security coverage. We've got that."
"Some 93% of SMEs surveyed by the federation of small businesses say they invest in security, but 66% of them still say they're victims of cybercrime, which suggests that somewhere along the line that investment is either not enough or not working," says Evans.
Evans has analysed the security of his own IT systems through Symantec to ensure Sun Branding Solutions doesn't suffer the same fate.
The results showed that the company is on the receiving end of numerous scans and automated attacks but is able to resist them. They have internal illegitimate login failures per month, although none have been malicious, and some unsuccessful external illegitimate login attempts, none of which have been successful - and viruses are detected.
"We started doing this monitoring at the start of 2016," says Evans. "We know this stuff is happening and we're catching it. All of the rest of the SMEs in the supply chain are probably blissfully unaware of the fact that this is happening, and they're probably not catching it."
The company was also the victim of a ransomware attack when a malicious link in a PDF that was attached to it was opened by a staff member, but the threat was averted thanks to their data being backed up.
"Two-thirds of the UK's SME community paid up on ransomware attacks in 2016," adds Evans. "They're doing it because the backup restore strategy that they had didn't work."
SMEs such as Sun Branding Solutions need to remain nimble to experiment and innovate in a manner that their customers cannot.
“We are a company that generates tens of millions of pounds a year producing waste," says Evans. "We make the labels that encourage you to pick up a product on a supermarket shelf and put in your trolley and take it home, you take it out the thing that we produce and you'll throw the thing that we produce away. And that's the sum total of our value to the consumer.
As such Evans said the organisation was constantly looking for ways to reduce costs which they do not want to pass on to big-name customers, which means Sun Branding has to innovate.
Shadow IT can aid innovation in the company but also bring risks. Evans can stop staff from installing software, but can't manage their every action, such as writing information in personal emails or on post-it notes.
Monitoring the traffic helps him see that the right data is being sent out and that people are doing what they should be. He gives staff the latitude to experiment so he can identify any errors they make in the course of their trails and ensure that data can be backed up atomically so that individual mistakes don't have disastrous consequences.
The increased requirements for data stewardship that GDPR will enforce is more of a business than an IT issue, but knowing what he has and where it is helps Evans understand what he needs to protect.
He uses predictive models to estimate which people will need which files and the locations where data will be required, and who will need to have access to certain files.
This can save time and resources in a number of ways, such as speeding up the transfer of large data to India. An inaccurate prediction may expose a need for fine-tuning, but it could also identify that an individual is carrying out a task incorrectly.
"More of our predictive failures have been a result of someone doing something that they shouldn't have been doing that as a result of our model itself needing retraining," says Evans.
As part of his PhD, he is also currently investigating using synthetic biometrics to see if someone is typing and using a mouse in an unusual and unsuspicious pattern. Managing a small IT team at an SME clearly is no barrier to innovation and Evans has embraced safe experimentation to improve cyber security.