Lax on security, many SMBs ripe for the picking by cyber criminals
Enterprises need to understand protection basics or be vulnerable to costly attacks
By Ebba Blitz, Special to ThirdCertainty
Enterprises are cyber crime targets, and, as a result, big-company IT teams are always “looking over their shoulders.” However, hacking is moving down market, and small- and medium-size businesses (SMBs) are now targets as well.
The ramifications are serious. For example, if an accountant’s unencrypted laptop were lost or stolen, tax returns, Social Security numbers and private information could be compromised, with disastrous consequences.
Because many small firms don’t understand how to tackle security, cyber criminals exploit their lack of sophistication. Cost and complexity are barriers, and risk is magnified because even one security incident can kill an organization.
So how can SMBs answer this threat? A starting point is understanding encryption, a foundational element of cybersecurity. While sophisticated in use, encryption is a simple concept. As kids, we played with cryptograms: Every letter in the alphabet was exchanged for another, requiring a key to determine what was written. Computer encryption is essentially the same, but with a more complicated key made up of binary digits, and the encrypted information is useless without the correct key.
To get a better understanding of areas of risk, an SMB should conduct a security assessment. Importantly, health care and finance companies need to understand requirements imposed by the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley (SOX) Act to meet industrywide and government requirements for data management, including storage, archiving, encryption and retrieval.
SMBs also must understand where sensitive data lies and how it is protected in the process of doing business. This means taking a holistic view of technology, creating an encryption strategy for all data—whether stored on a server or on “endpoints” like office computers, laptops, mobile devices or USB drives.
The Bring Your Own Device (BYOD) trend must be addressed by the assessment and eventual security plan. The strategy also must account for security of data in transit, including providing for the use of firewalls and virtual private networks (VPNs).
Like enterprises, SMBs must develop plans that mandate multifactor authentication for access to critical systems and data. Additionally, human factors should be addressed. Training is critical, and personnel must be taught to check and verify before providing access to data. The risk from human error is all too real.
SMBs can execute security assessments that lead to a robust and compliant security plan. Once an assessment is complete, a short list of solutions providers that meet both technological and business needs can be easily created, giving SMBs a faster path to security.