There is a common misconception that cyber criminals and hacktivists only target large enterprises, where the payoff is biggest. The reality is very different; recently published surveys reveal that:
- 84% of small and medium businesses had a security breach in the last year
- 48% of them suffered staff-related (internal employee) breaches
What is evident from these reports is that SMEs are spending less time on assessing and understanding their security risks, and less time and money on running and updating IT security awareness training for their workforce.
Cyber threats for SMEs
The concern about cyber threats is rational and understandable. The importance of information security grows year by year, as digital business opportunities keep expanding and in-house processes rely more and more on advanced information technology.
Today's challenges are exacerbated by a changing landscape: the introduction of cloud services and SaaS (software-as-a-service), the increase in wireless and unmanaged devices, and ever greater use of mobile devices. SMEs face a hostile world of scam e-mails, online malware, identity scams, misuse of company files on employees' own devices, insecure wireless networks and more. According to the latest Microsoft Security Intelligence Report, computers without anti-virus software are almost 5.5 times more likely to be infected with malware.
SMEs are exposed because they lack full-time IT security staff, cannot keep track of the threat landscape, or both.
Understanding a few basics can help SMEs improve their IT security defenses
These few basic things will help SMEs improve their level of information security and minimize the risks.
- Understand that IT security is not a destination but a process. No company ever reaches a final state of "security" where nothing more needs to be done. There needs to be the right balance between security, convenience and cost. Each company should have at least one assigned person who continually checks, plans and develops the level of information security in the company.
- User education and awareness. Security is more than just technology: it concerns not only software and hardware but also the behavior of individuals. Sometimes a company's own employees are one of its biggest security threats. Secure technologies become toothless unless people are made aware of why security matters. Hence the need for staff training and guidance on basic security issues.
- Information risk management: understanding the risks and identifying appropriate countermeasures. Start by assessing the current situation. What business information needs to be protected? What are the risks of the current procedures? Are all devices protected with up-to-date antivirus software and firewalls? Is VPN in use for remote access? Does the overall protection provided by the current solutions cover everything? If necessary, use external consultants. Based on the assessment it becomes clear where there is room for improvement.
- It is also important to find out what the business-critical information is and where it is stored. Data concerning customers, the company's finances, business partners and business processes is almost always critical. Who has access to this information? Are backups made on a regular basis? If a backup needs to be restored, who will do it, and how?
- Clear roles need to be defined for employees. How should each of them personally contribute to data security in the company? This guidance covers the right kinds of passwords, how to handle devices containing confidential information at home and in other locations outside the workplace, and so on.
- A clear-cut password policy: all services must be used with strong passwords, with strict rules on changing passwords at regular intervals and after any suspected compromise. Where possible, use even stronger forms such as passphrases. Short, reused or dictionary-based passwords have repeatedly proven easy to guess or crack.
- Security must not be compromised when employees or consultants leave the organization. Ensure that existing HR practices include removing or disabling former employees' and consultants' accounts and changing any shared credentials (phones, email, network passwords, etc.).
- Home and mobile working: have policies and technologies in place for remote working, and make sure mobile devices are secure. All devices containing sensitive company information must run security software. Only verified, trusted applications should be installed on smartphones. Organizations should also consider remote device management, which allows an administrator to quickly erase sensitive information from a stolen or misplaced device.
- Losing a company-owned device is a big problem, especially if confidential information is stored on it. Make sure that all devices holding sensitive data (laptops, phones, flash drives, etc.) are inventoried and that their use and disposal follow industry best practice.
- Incident management: understand how to react following a security breach. There should be an incident management process and an emergency response team able to respond quickly to attacks or serious breaches.
- Monitoring: a well thought out monitoring system, with regular scanning and testing of networks, servers, databases, web applications and other IT infrastructure, can minimize the risks and improve the security of the information assets.
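To make the password-policy point in the list above concrete, here is an added example (not code from the original article) of a policy check that treats multi-word passphrases differently from ordinary passwords, screens against a denylist of common passwords, and rejects secrets that embed the user name. The length and entropy thresholds and the small denylist are assumptions chosen for illustration; a real deployment would check against a full breached-password list.

```python
"""Password-policy checker (added example, not from the original article)."""
import math
import re

# Illustrative policy values; these are assumptions, not from the article.
MIN_PASSWORD_LEN = 12
MIN_PASSPHRASE_LEN = 20
MIN_PASSPHRASE_WORDS = 4
MIN_ENTROPY_BITS = 50

# Constructed denylist standing in for a real breached-password list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "admin123", "iloveyou",
}


def estimate_entropy_bits(secret: str) -> float:
    """Upper-bound entropy: length * log2(size of the character pool used)."""
    pool = 0
    if re.search(r"[a-z]", secret):
        pool += 26
    if re.search(r"[A-Z]", secret):
        pool += 26
    if re.search(r"[0-9]", secret):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", secret):
        pool += 33  # printable ASCII punctuation
    return len(secret) * math.log2(pool) if pool else 0.0


def is_passphrase(secret: str) -> bool:
    """A passphrase here means several words separated by spaces or hyphens."""
    words = [w for w in re.split(r"[\s\-]+", secret) if w]
    return len(words) >= MIN_PASSPHRASE_WORDS


def check_password(secret: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the secret passes."""
    problems = []
    lowered = secret.lower()

    if is_passphrase(secret):
        # Passphrases get their strength from length, not character classes.
        if len(secret) < MIN_PASSPHRASE_LEN:
            problems.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    else:
        if len(secret) < MIN_PASSWORD_LEN:
            problems.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
        if estimate_entropy_bits(secret) < MIN_ENTROPY_BITS:
            problems.append("too few character classes for its length")

    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    if re.search(r"(.)\1{3,}", secret):
        problems.append("contains a run of four or more repeated characters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the last one would be a real user's choice in practice.
    for candidate, user in [
        ("password", ""),
        ("correct horse battery staple", ""),
        ("X9$kLm2#pQr7vW", ""),
        ("alice2024!!!!", "alice"),
    ]:
        verdict = check_password(candidate, user)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The check deliberately avoids "one upper, one digit, one symbol" composition rules: a long passphrase passes on length alone, while a short password must make up for its length with a larger character pool. Denylist and user-name checks apply to both.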
Doing it the Right way
By following security best practices, small and medium-sized businesses will be in a good position to ward off malicious attacks and minimize business risk. It is all about identifying the potential risks and then ensuring that appropriate policies and technical solutions are in place to combat them.
Adhering to well thought out security policies will go a long way toward protecting critical business data; it is estimated that 75% or more of successful attacks could be prevented by simple security best practices. Steps as simple as ensuring staff do not open suspicious-looking emails or attachments from unknown senders, or making sure sensitive data is encrypted, are among the most effective.
The important thing to understand is that it is really all or nothing. Getting just one of these steps wrong leaves a gap for attackers, and that one gap can undo all the good work.