By: Markus Witcomb
With the amount of media coverage that recent data breaches such as those experienced by the likes of eBay, Evernote and Domino’s Pizza quite rightly attract, you may be forgiven for thinking that cyber-crime is a big-business problem.
While there’s little doubt that with the potential for a profitable payout the bigger business is a more attractive target (and the Target retail compromise in the US is another good example), it would be foolish to think that as a small business you’re not on the radar.
Most cyber-attacks are actually oblivious to business size; the bad guys, and the automated bots they employ, are simply looking for security holes through which to climb.
Although it would be correct to say that there’s a certain amount of divergent evolution in attack methodology, with larger enterprises on the receiving end of the most sophisticated and targeted threats, that doesn’t mean the small business is any less at risk.
Opportunity is the name of the game: attackers cast the widest possible net, and the smaller businesses with less understanding of the IT security threat landscape are the ones that end up caught in it. The combination of a low understanding of risk and poor application of best practice serves to put the average small business firmly on the attack radar. Understand the top security threats to your business and you could become a less attractive target to the cyber-criminal.
Social engineering remains the number one threat to the security of data for most small businesses. It may take the form of targeted trojans or spear-phishing aimed at a specific member of staff, of more general social-media profiling of your business so that the attacker can pose as a genuine customer, or of blended attacks that combine all these methods. The good news is that all of them can be addressed in much the same way, and that’s via employee education.
Relying upon a combination of hardware and software alone will never be enough; you need to ensure that your staff aren’t simply opening the door to the bad guys and letting them walk off with your valuable data. Once staff are aware of both the value that data holds and the ways in which security can be compromised to access it, then they can mitigate the risk by simply changing their behaviour.
The smaller the business, the easier this is to achieve for one simple reason: they have fewer employees to train and maintaining that awareness is less costly.
Although growth of malware on the PC has remained pretty static over the past year, the same isn’t true of mobile devices: the malware graph for Android devices is shooting off the scale. The main problem this brings to the small business is transference of the threat.
Malware active on a mobile device will quickly find its way into your business systems unless steps are taken to prevent this. Obviously, it’s best not to get infected in the first place, so ensure staff avoid “unofficial” app stores and make installation of device-based security software part of a Bring Your Own Device (BYOD) policy.
And yes, even the smallest business should have some kind of BYOD policy. To not have one blurs the boundaries between personal and work data, and is a data compromise waiting to happen. Equally important: ensure your business network is protected by up-to-date intrusion-detection and anti-malware solutions. And finally, always encrypt work data stored on mobile devices in case of loss or theft.
The cloud isn’t inherently insecure, but you do need to think carefully about what data you’re storing in it and how that data is protected.
This is especially true if you’re using the free “public” cloud services that remain very popular at the smaller end of the business spectrum, since these public clouds are also popular with the bad guys. If you choose to store data in this way, ensure you encrypt it beforehand so as to protect it in transit and thereafter.
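The “encrypt it beforehand” advice above, as an added example that is not part of the original column: a Go program that seals a file with AES-256-GCM on the business’s own machine before it is handed to a public cloud provider, so the provider (and anyone who compromises it) only ever holds ciphertext, and any tampering with the stored blob is detected when it is fetched back. The key, the file name bound as associated data and the sample document are all constructed for the example; keeping the key in the business’s password vault rather than with the data is an assumption, not something the column specifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize selects AES-256.
const keySize = 32

// NewKey generates a fresh random key. Assumption for this example: the key
// lives in the business's password vault and is never uploaded with the data.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext before upload. The returned blob is
// nonce || ciphertext || GCM tag. The file name is bound as associated data,
// so a blob renamed or swapped for another file's blob on the provider's
// side will fail to open.
func Seal(key, plaintext []byte, name string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file; reusing one with the same key breaks GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open decrypts a blob fetched back from the cloud. Any change to the blob,
// or the wrong name, makes the tag check fail and returns an error rather
// than corrupted plaintext.
func Open(key, blob []byte, name string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document standing in for a real file.
	doc := []byte("customer,email\nA Smith,a.smith@example.com\n")
	blob, err := Seal(key, doc, "customers.csv")
	if err != nil {
		panic(err)
	}
	// `blob` is what would be uploaded; the provider never sees `doc`.
	fmt.Printf("uploaded %d bytes of ciphertext for %d bytes of plaintext\n", len(blob), len(doc))

	back, err := Open(key, blob, "customers.csv")
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, doc))

	// Simulate the stored copy being altered by one byte on the provider's side.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, "customers.csv")
	fmt.Println("tampering detected:", err != nil)
}
```

GCM is chosen over a plain block mode because it is authenticated: a modified, truncated or substituted blob fails to open instead of quietly decrypting to garbage, which is the “thereafter” half of the column’s advice. The provider only needs to store opaque bytes, so this works with any free cloud drive.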
More problematic is when staff use cloud-based services to make their job simpler or more convenient, be that a webmail provider, data store or note-taker.
Anything off the business radar presents a potential risk (if that third party is compromised, for example, you wouldn’t see it as a risk to your data because you’d be unaware that staff were using it this way), so educate employees about the security implications of using such services.
I shouldn’t really need to tell you that weak passwords are a problem, nor that the use of Post-it notes to recall stronger ones is also a bad idea.
However, despite the availability of free and low-cost password vaults – which not only help create and manage passwords and passphrases but prevent easy theft as well – many small businesses still opt for the insecure option.
So, use a password vault; and better still, add another layer of protection by using two-factor authentication, which requires both a login/password and a token. These needn’t be expensive to obtain and maintain, even for the smallest of businesses. Needless to say, logins should always be revoked when a staff member leaves the business.
Big companies are well aware of the physical threat, but it’s often quite shocking how many small businesses forget about this particular aspect of data security.
Cyber-criminals will just as happily steal your laptops and PCs to access the data upon them if access to your offices and the hardware itself isn’t secure. Keeping doors and windows locked when premises are empty, hardware securely locked away and the use of combined alarms and CCTV will all help to deter crooks looking for an easy data haul.
And don’t forget your rubbish either. As a rookie hacker more than twenty years ago now, I found most of the information I needed to “explore” networks by dumpster diving. In other words, I raided dustbins and skips outside offices and uncovered network data, passwords and information helpful in circumventing access controls. Dumpster diving is alive and well today, so ensure you shred all paperwork before disposing of it.
The truth is that the simplest of changes can have a dramatic effect as far as strengthening your security posture is concerned – and without having any significant impact upon your bottom line. So what are you waiting for?