Lax on security, many SMBs ripe for the picking by cyber criminals

Enterprises need to understand protection basics or be vulnerable to costly attacks


Enterprises are cyber crime targets, and, as a result, big-company IT is always "looking over their shoulder." However, hacking is moving down market, and small- and medium-size businesses (SMBs) are now targets as well.

The ramifications are serious. For example, if an accountant's unencrypted laptop were lost or stolen, tax returns, Social Security numbers and private information could be compromised, with disastrous consequences.


Because many small firms don't understand how to tackle security, cyber criminals exploit their lack of sophistication. Cost and complexity are barriers, and risk is magnified because even one security incident can kill an organization.

So how can SMBs answer this threat? A starting point is understanding encryption—a foundational element of cybersecurity. While sophisticated in use, encryption is a simple concept. As kids, we played with cryptograms: Every letter in the alphabet was exchanged for another, requiring a key to determine what was written. Computer encryption is essentially the same, but with a more complicated key structure containing binary digits that make the information useless without the correct key.
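The cryptogram analogy above, carried into code as an added illustration that is not part of the original article: a letter-substitution cryptogram keyed by a permutation of the alphabet, beside a binary key of random bytes applied with XOR (a one-time pad), showing that the same ciphertext reads correctly only with the right key. The substitution key and the sample strings are constructed for the example.

```python
import os
import string

ALPHABET = string.ascii_uppercase

# A cryptogram key is a permutation of the alphabet: plaintext letter i
# is replaced by key[i]. Constructed example key (keyboard order), not a
# real secret; any of the 26! permutations would do.
CRYPTOGRAM_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"


def cryptogram_encrypt(plaintext: str, key: str = CRYPTOGRAM_KEY) -> str:
    """Swap every letter for its partner in the key; non-letters pass through."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))


def cryptogram_decrypt(ciphertext: str, key: str = CRYPTOGRAM_KEY) -> str:
    """Reverse the substitution with the same key."""
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def binary_key(length: int) -> bytes:
    """A computer key is random bits, drawn from the OS entropy source."""
    return os.urandom(length)


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """One-time-pad style: XOR each data byte with a key byte.
    Decrypting is the same operation with the same key; the key must be
    at least as long as the data and never reused."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def demo() -> dict:
    """Encrypt constructed sample data and decrypt with right and wrong keys."""
    secret = b"SSN 123-45-6789"        # constructed sample, not real data
    right, wrong = binary_key(len(secret)), binary_key(len(secret))
    ct = xor_encrypt(secret, right)
    return {
        "cryptogram": cryptogram_encrypt("Tax return"),
        "ciphertext": ct,
        "with_right_key": xor_encrypt(ct, right),   # == secret
        "with_wrong_key": xor_encrypt(ct, wrong),   # random-looking bytes
    }
```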

To get a better understanding of areas of risk, an SMB should conduct a security assessment. Importantly, health care and finance companies need to understand requirements imposed by the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley (SOX) Act to meet industrywide and government requirements for data management, including storage, archiving, encryption and retrieval.

SMBs also must understand where sensitive data lies and how it is protected in the process of doing business. This means taking a holistic view of technology, creating an encryption strategy for all data—whether stored on a server or on "endpoints" like office computers, laptops, mobile devices or USB drives.

The Bring Your Own Device (BYOD) trend must be addressed by the assessment and eventual security plan. The strategy also must account for security of data in transit, including providing for the use of firewalls and virtual private networks (VPNs).

As do enterprises, SMBs must develop plans that mandate multifactor authentication for access to critical systems and data. Additionally, human factors should be addressed. Training is critical, and personnel must be taught to check and verify before providing access to data. The risk from human error is all too real.

SMBs can execute security assessments that lead to a robust and compliant security plan. Once an assessment is complete, a short list of solutions providers that meet both technological and business needs can be easily created, giving SMBs a faster path to security.
