All companies must make efforts to minimize cybersecurity risk, but for small to medium sized businesses it is critical. The very survival of the business may well depend on it.
Small to medium-sized businesses must minimize cybersecurity risk
The same types of data are stored by SMBs as multi-national corporations; it is just the volume of data that differs. Just because a smaller volume of data is stored, it doesn’t mean that SMBs are not targeted by cybercriminals. In fact, many hackers choose to attack SMBs because the security defenses employed are not nearly so robust.
Large corporations can invest millions in cybersecurity defenses. SMBs do not have nearly so much cash to devote to protecting their networks from attack. They also do not have very much capital to cover the cost of a data breach when it occurs. A large corporation can easily absorb the cost of a data breach. Take Anthem Inc., for example. The health insurance company suffered the largest healthcare data breach ever reported. The breach had started many months previously but was discovered in February of this year.
78.8 million records were obtained by the hackers responsible for the attack. The cost of dealing with that data breach has been estimated to be somewhere in the region of $100 million to $1 billion. No small business could survive such a breach. Of course, Anthem was covered by an insurance policy which should cover the first 100 million. The company also made $17.02 billion profit in 2014. Even if the cost of resolution is $1 billion it will barely be felt.
In 2010, a study conducted by the Gartner Group indicated that major data breaches resulted in the immediate collapse of 43% of small to medium-sized businesses. Some managed to soldier on for up to 2 years before folding. Only 49% of companies lasted for more than 2 years.
Cyberattacks on SMBs are increasing
There are a number of reasons why SMBs are now being targeted. It is not only a lack of effort made to minimize cybersecurity risk.
- SMBs can’t afford to investigate attacks and find out the identities of the attackers
- They don’t have the budgets to prosecute hackers if they do find them
- Cybersecurity defenses lack the sophistication necessary to thwart many attacks
- Staff training does not tend to be so extensive
- SMBs can’t afford to employ the very best IT security professionals
- SMBs often work as suppliers to large corporations and their networks can serve as a launch pad for an attack on those corporations
The cybersecurity attack on Target is a good example of the latter. An HVAC vendor was attacked with the purpose of gaining access to Target’s network.
It is not all bad news
Most SMBs have the fundamentals right. They have good cybersecurity defenses in place. They just need a little improvement. Fortunately, it does not take much more effort or resources to raise the standard and significantly improve defenses against cyberattacks.
Adopting some simple “best practices” is all that is required to reduce the probability of a cyberattack being successful in many cases. It is possible to minimize cybersecurity risk to the point that the majority of online criminals will give up and search for easier targets.
Best practices to adopt to minimize cybersecurity risk
Listed below are some easy to implement best practices that can help minimize cybersecurity risk and keep networks and sensitive data protected from malicious insiders and outsiders.
Separation of duties
You would not give a cashier a copy of the safe key, or give a purchaser the ability to sign off orders and write checks for suppliers. If you give one individual access to everything, you are exposing your company to an unnecessary amount of risk. That individual may be 100% trustworthy, but if that person is targeted by a spear phishing campaign, and they have access to all computer systems, should that attack prove successful everything could be lost.
Administrative privileges should be limited. Spilt passwords so an IT support worker enters half of a password, with the remaining half entered by his or her manager.
The rule of least privilege
Access to systems and data should be restricted to the minimum necessary information to allow a job to be performed. Rather than give full control to one person, separate duties between staff members and you will minimize network and cybersecurity risk
Do not allow multiple staff members to have access to systems that they don’t really need access to. If you operate two shifts, restrict access to data systems to two members of staff, one for each shift. One or two supervisors can also be given access on the same basis.
Due Diligence and Due Care
A minimum level of protection should be maintained at all times, and the level of due care must meet industry regulations. A program of maintenance must exist to ensure that due care is supported. This is referred to as due diligence. You must ensure that a system exists to monitor for any abuse of privileges or data access rights, and the opportunity for individuals to commit fraud or steal data must be kept to a minimum level.
Implement physical controls to protect equipment used to store data
All equipment used to store sensitive data must be kept under lock and key. Data backups must be secured, and since they are stored offsite, they should be encrypted.
Perform background checks on all members of staff
Any organization that fails to conduct a background check on a new member of staff before access to sensitive data is provided could be classed as negligence. You can’t tell from looking and asking if a new recruit has a criminal record.
Rotate responsibilities
Cross-train staff so they are capable of performing a number of different duties. This will allow you to provide cover in the event of absence from work. If you then rotate duties, it is easier to identify employee theft and insider attacks. Employees can then audit the work of each other.
Maintain access logs
If you do not monitor data access attempts, you will not be able to tell if a member of staff is trying to steal data. Make sure a data trail is left to allow you to determine when employees are accessing data. Make sure the logs are checked frequently and always follow up on any discrepancies discovered.
If you follow these best practices, you should be able to minimize cybersecurity risk effectively. You may not be able to prevent all cyberattacks, but if one does occur, you will at least be able to identify it rapidly and minimize the damage caused.
