SMBs must understand and counter new digital risks

Organizations can protect sensitive data by following proper security policies, procedures


Owners of small and midsize businesses routinely take into account the risk of a fire burning down the building, or a customer or employee getting hurt on company property.

But what about exposure to botnets, data thieves, cyber scammers, hacktivists and disgruntled insiders?

Data is the new currency, and because SMBs now routinely collect, store and access sensitive and valuable data across company networks, and, increasingly, via the Internet of Things, a new tier of business risks has taken shape.

Rich Blumberg, IDT911 director of data breach response

ThirdCertainty asked Rich Blumberg, director of data breach response at IDT911, to supply context for the notion that SMBs need to examine and fully understand these new digital risks. Full disclosure: IDT911 sponsors ThirdCertainty.

3C: What do you tell SMB owners who believe they are too small for hackers to bother with?

Blumberg: No one is too small to be hacked. Hackers know SMB data security standards are often a bit lower and, in general, are not as sophisticated as larger institutions. So while it’s true that SMBs generally do not have terabytes of personally identifiable information, there are some that do have large quantities of data because of the work they perform or the amount of time data is stored on their systems.

3C: What is the baseline set of security systems all SMBs should have?

Blumberg: Several simple security steps can help SMBs guard against many of the basic data breaches that occur today. Encryption used to be a big, expensive-sounding word reserved only for those companies with deep pockets. Nowadays, almost all companies can take advantage of encryption methods, which range from basic hard drive encryption to fully encrypted networks with advanced PII scanning. Antivirus software has been on the market for many years, and several versions are free, so there is no reason not to use this basic security function.

Another security tool is the use of a virtual private network. VPNs extend a private network (your company’s systems) across a public network (internet) to your personal or business device. This is great for employees who work remotely or travel often. But be careful—do your research to ensure the VPN software you use is up to snuff. Some free VPN software is not very secure.

3C: How important is cyber incident response planning?

Blumberg: This is the most critical step a company can take to ensure they are prepared for the worst. I’ve seen many companies completely unprepared for a data breach incident. Because of this, they spent many valuable hours (or days) scrambling around negotiating contracts with service providers like forensics, outside counsel and breach response providers like IDT911 during the most crucial time of the incident. Instead, if they had an incident response plan in place, they could focus on the actual response steps and ultimately get to the bottom of what occurred.

3C: How vital is employee training?


Blumberg: Many of today’s data breaches are the result of a lack of employee training. You may have heard the term “phishing.” This is where a thief attempts to acquire usernames, passwords, credit card numbers, HR records and other sensitive information by sending an email to office personnel. The email looks like it is coming from a trustworthy source, say, your manager or a C-level executive. After clicking on a link, opening an attachment or even responding to the email, the crook installs malware on your computer and infects your system. Employee training is a simple tool to aid in combating this threat. There are many learning management systems that companies can deploy easily to employees to train, test and track progress for compliance purposes.

3C: What should SMBs understand about third-party risks?

Blumberg: SMBs need to understand who they are doing business with, what security controls the third party has in place with regard to personal or business data, and the contractual requirements often forced on small businesses as it relates to security controls, breach notification requirements and indemnification.

3C: Anything else?

Blumberg: Networking with other SMBs can be very helpful. This can provide valuable information as to what market threats others are seeing, exchange contacts with service providers and really just provide a resource for business owners to lean on for advice. Remember, you are likely not the first person to face whatever business obstacle you are struggling with.
