Today’s small and midsize businesses face risks and challenges daily. When it comes to IT risk, many studies have shown that smaller businesses don’t believe that cybercriminals will target them. A report on 1,015 U.S. SMBs by the National Cyber Security Alliance and Symantec found that even though over 80 percent of SMBs have no formal cybersecurity plan, more than 75 percent of the respondents believe that they and their companies are safe from cyberthreats such as hackers, ransomware, malware, and viruses. This sense of security is very misplaced.
Between 2008 and 2012, Symantec reported consistent double-digit year-over-year increases in attacks against businesses with fewer than 2,500 employees. In fact, of the 26,000 targeted attacks documented in 2011, over 4,600, or roughly 18%, were directed against businesses with fewer than 250 employees. In 2012 this trend increased to over 35%. Experts forecast that it will climb to 50% in 2013.
Clearly the cybercriminals are targeting small businesses. Many executives we engage with ask why. What would a cybercriminal possibly want with the information or resources of a typical SMB?
The most common answer: money. Cybercriminals are using information gained from breaching SMBs for extortion, intellectual property theft, identity theft, personal and medical impersonation, and even outright ransom. One means that cybercriminals employ is ransomware. We have seen a documented rise in ransomware both across our client base and in the media in general.
Generally, small businesses are more prone to attack because they have fewer resources and security mechanisms in place than large enterprises. They have more valuable information and financial assets than home users and generally don’t have defenses in place for even the most common attacks. We have compiled the 5 most important tools that SMBs need to establish a baseline defense against the most common and damaging attacks. Many of these tools can be deployed for very little cost and by companies that have limited IT know-how and resources.
- Firewall: Gone are the days when any old firewall would make do. Today’s cyber threats are sophisticated and need more horsepower and know-how to be stopped. Enter the next-generation firewall. These systems combine threat management, firewall, and intrusion detection/intrusion prevention to stop bad guys in their tracks. They’re more effective than the legacy firewalls of the past and provide businesses with robust network-edge protection against a myriad of threats.
- Anti-X: In the ’90s we all learned about computer viruses, so we made antivirus (AV) software to fight them. In the ’00s we were all introduced to malware, and we made anti-malware software to fight it. Once again the threat has evolved. Now we have targeted multivector software attacks that combine virus, malware, rootkit, keylogger, and behavioral components to attack our computers and steal our information. To combat this, a layered security approach is needed. Commonly a multivendor solution is used to provide anti-virus, anti-malware, anti-rootkit, and application-aware systems monitoring to protect against today’s super-bugs. There are hundreds of resources across the Internet promising the remedy to all of your Anti-X ailments. As the old adage says, “Don’t believe everything you read on the Internet.” Doing some careful research and understanding how each product fits into your environment is an important first step. Several books exist on the subject. Several free software systems exist; however, these are often not updated frequently against the latest threats. Choosing a product that protects you against “zero-day” attacks and is updated on a daily basis is one key to success when it comes to Anti-X software.
- Policy: It seems like a self-fulfilling prophecy. If you have no policy, then when a security event happens (and it is when, not if) neither you nor your staff will know what to do. There are numerous tools available to help you write a good security policy. If you would like a free baseline template, let us know, and we’ll send you one to start. Some other great resources include a great article on BrightHub, several recommendations from Microsoft, and one of the most referenced articles on the subject by Inc. Magazine. Once you establish a policy, doing an assessment is highly recommended to establish your company’s baseline security posture. From there you can choose which shortcomings demand immediate attention and which can be fixed over time.
- Internal Controls: Over 75% of all successful security incidents are launched and perpetrated from inside of a company. This staggering figure increases to 86% when you focus on businesses with fewer than 250 employees in non-regulated industries. While it is a common perception that security and functionality are inversely proportional, some control must be exercised on those inside of a business. Completing simple (and free) steps to better protect and control your internal resources goes a long way. Ensure that your users must have a password to access their workstations. Require these passwords to be changed regularly (most networked computers can do this automatically for you). Control which users can access which data shared across the network. Ensure your firewall rules are not overly permissive. Place your server(s) in a locked room and carefully control who has access to that room. As many security consultants will tell you, “he who has physical access wins.” So make sure your sensitive technology and data storage equipment is protected. Once you feel that you have adequate controls in place, don’t stop there! Continue to regularly audit and assess what system settings and business procedures have changed internally to ensure you stay protected.
- Peer Support: Don’t go it alone. Businesses of all sizes have similar challenges with information security. There are many groups available to help you make informed decisions about security-related questions. Organizations like NAISG, the ISSA, and UNCC’s College of Computing and Informatics (CCI) all regularly host public meetings to spread the word and educate about information security. Many industry trade groups commonly host special events for their members to discuss information security with direct application to their members. In addition to these (and numerous similar high-quality) organizations, there are resources and literature available (most at no cost) from reputable sources like Microsoft, Cisco, Symantec, and VMware that are specific to their products and how to better secure them. Studies have shown a 94% improvement in information security effectiveness in organizations that engaged qualified security professionals to help guide the decision-making process.
While this isn’t the complete and comprehensive set of tools every business needs, it does provide a very creditable start. However, there are numerous areas where specific security measures are required for specific technologies. Virtualized environments, centralized-computing/VDI environments, and highly distributed mobile workforces all require specialized techniques and some special care to adequately secure the environment without crippling the user’s performance.