SMBs must understand and counter new digital risks

Organizations can protect sensitive data by following proper security policies, procedures

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Owners of small and midsize businesses routinely take into account the risk of a fire burning down the building, or a customer or employee getting hurt on company property.

But what about exposure to botnets, data thieves, cyber scammers, hacktivists and disgruntled insiders?

Data is the new currency, and because SMBs now routinely collect, store and access sensitive and valuable data across company networks, and, increasingly, via the Internet of Things, a new tier of business risks has taken shape.

Rich Blumberg, IDT911 director of data breach response
Rich Blumberg, IDT911 director of data breach response

ThirdCertainty asked Rich Blumberg, director of data breach response at IDT911, to supply context for the notion that SMBs need to examine and fully understand these new digital risks. Full disclosure, IDT911 sponsors ThirdCertainty.

3C: What do you tell SMB owners who believe they are too small for hackers to bother with?

Blumberg: No one is too small to be hacked. Hackers know SMB data security standards are often a bit lower and, in general, are not as sophisticated as larger institutions. So while it’s true that SMBs generally do not have terabytes of personally identifiable information, there are some that do have large quantities of data because of the work they perform or the amount of time data is stored on their systems.

3C: What is the baseline set of security systems all SMBs should have?

Blumberg: Several simple security steps can help SMBs guard against many of the basic data breaches that occur today. Encryption used to be a big, expensive-sounding word reserved only for those companies with deep pockets. Nowadays, almost all companies can take advantage of encryption methods, which range from basic hard drive encryption to fully encrypted networks with advanced PII scanning. Antivirus software has been on the market for many years, and several versions are free so there is no reason not to use this basic security function.

Another security tool is the use of a virtual private network. VPNs extend a private network (your company’s systems) across a public network (internet) to your personal or business device. This is great for employees who work remotely or travel often. But be careful—do your research to ensure the VPN software you use is up to snuff. Some free VPN software is not very secure.

3C: How important is cyber incidence response planning?

Blumberg: This is the most critical step a company can take to ensure they are prepared for the worst. I’ve seen many companies completely unprepared for a data breach incident. Because of this, they spent many valuable hours (or days) scrambling around negotiating contracts with service providers like forensics, outside counsel and breach response providers like IDT911 during the most crucial time of the incident. Instead, if they had an incident response plan in place, they could focus on the actual response steps and ultimately get to the bottom of what occurred.

3C: How vital is employee training?

Related infographic: Spear phishers take aim at CEOs

Blumberg: Many of today’s data breaches are the result of a lack of employee training. You may have heard the term “phishing.” This is where a thief attempts to acquire usernames, passwords, credit card numbers, HR records and other sensitive information by sending an email to office personnel. The email looks like it is coming from a trustworthy source, say, your manager or a C-level executive. After clicking on a link, opening an attachment or even responding to the email, the crook installs malware on your computer and infects your system. Employee training is a simple tool to aid in combating this threat. There are many learning management systems that companies can deploy easily to employees to train, test and track progress for compliance purposes.

3C: What should SMBs understand about third-party risks?

Blumberg: SMBs need to understand who they are doing business with, what security controls the third party has in place with regard to personal or business data, and the contractual requirements often forced on small businesses as it relates to security controls, breach notification requirements and indemnification.

3C: Anything else?

Blumberg: Networking with other SMBs can be very helpful. This can provide valuable information as to what market threats others are seeing, exchange contacts with service providers and really just provide a resource for business owners to lean on for advice. Remember, you are likely not the first person to face whatever business obstacle you are struggling with.

More stories related to SMB security:
Look to human nature for continued success of phishing attacks
More SMBs let their guard down on cybersecurity
SMBs just as vulnerable to cyber attacks as big organizations