Inevitably, the most high-profile hacks of the last couple of years have hit big companies such as Target, United Airlines, WSJ.com, JP Morgan and Sony.
Small business owners digesting the coverage of these large enterprise breaches could be forgiven for assuming that they are somehow immune to attack. They would be very wrong.
Did you know, for example, that the Target breach was traced back to a small third-party heating and air-conditioning contractor that serviced Target's buildings, whose login credentials for a Target vendor portal were stolen and used as the way in? Using a small supplier as a stepping stone into a large customer is a growing trend, and something we will be investigating in more depth this year, but for now it stands as one example of an unlikely, smaller business becoming a highly viable target.
There is still a prevailing misconception that the data held by smaller businesses is not worth a hacker's attention. What this overlooks is that small businesses gather and hold exactly the same types of data as their larger counterparts: customer records, employee records, financial data and intellectual property. That data is just as valuable to an attacker, and it is often easier to get at, because smaller firms have less in-house IT expertise and smaller budgets for data protection and IT management.
So how can small businesses plug the holes in their organisation and minimise the risk of exposing their data? And what are they actually doing about it?
IT spending, but not IT securing
SME spending on IT security varies hugely, and markedly from country to country. In the UK, for instance, recent government figures suggest that SMEs with 100 or more employees spend about £10,000 per year on it, while the smallest firms spend as little as £200.
Such low figures are not hard to understand. A business of this size has to focus its investment on core activities, such as serving clients, winning new business and keeping on top of the necessary admin, and computer security is often an afterthought.
They are, however, spending on IT in general, and that mismatch between IT adoption and IT security is where much of the vulnerability lies.
As the industry pushes to become more mobile-centric, recognising the clear benefits in productivity, cost reduction and employee satisfaction, demand for mobility solutions is set to keep rising in 2015. The SMB Group's 2014 SMB Mobile Solutions Study found that, year over year, spending on mobile solutions as a share of total technology spending has risen 10 per cent among very small businesses and 7 per cent among small businesses.
But while adoption of mobile solutions is rising, a large number of small businesses still have no corresponding security technology, corporate policies or training in place to make sure employees understand, and are protected from, the risks their mobile behaviour creates.
Unfortunately for employers, there is considerable evidence that employees' mobile behaviour is rather cavalier about security. Recent research by AVG partner Centrify, for example, found that one in three users does not secure their device at all, and that many of those who do use basic, easy-to-guess passcodes that put their employer's data at risk.
It is a very real problem. In the UK, a data breach can cost a smaller firm anywhere between £65,000 and £115,000, and the worst hit suffer up to six breaches a year. On top of this, attackers are becoming more sophisticated, using social engineering to trick employees into opening realistic-looking but fraudulent emails, or luring them to fake or redirected websites.
Until now, the common step for a smaller business worried enough about data leakage to act has been to invest in Mobile Device Management (MDM). MDM enrols every employee mobile device centrally and requires the employee to accept a set of IT-defined policies before the device can reach company resources and data. In exchange, IT administrators gain the privileges needed to perform security procedures, such as issuing remote 'locate, lock and wipe' commands or checking whether specific devices, networks and VPNs are company-approved.
MDM carries risks of its own, however. Some employees, particularly those using a personally owned phone, resent that level of control over the whole device and end up seeking workarounds, and an unmanaged device holding company data is exactly the exposure MDM was meant to remove.
An alternative that provides for employee mobility and productivity via BYOD, as well as stringent security, is secure single sign-on (SSO) combined with two-factor authentication. This lets IT providers deploy secure mobile access and multi-factor authentication for their small business customers as a simple, cloud-based service that extends usability, security and compliance across all of their mobile devices, plus their traditional Windows and OS X laptops. Because SSO puts every application behind one identity, that identity, its second factor and the provider's account-recovery process become the things that must be hardened.
This approach helps a small business owner, IT manager or IT contractor keep company-confidential data secure, private and under their control, even while it is shared with employee-owned mobile devices and externally hosted cloud services.
For small business owners who are not ready to adopt a full solution such as secure single sign-on, there are still a number of best practices that will kick-start the business's data protection:
- Educate your staff through in-person training sessions and regularly updated resources on the threat landscape
- Store customer data in an encrypted database, with the encryption keys held separately from the database they protect
- Require authentication at every layer in front of any database holding customer information, with a second factor wherever possible, and rotate those credentials whenever staff leave or a compromise is suspected
- Regularly run background checks on employees handling customer data, and review their access when their role changes
- Run malware detection software on both your servers (hosted or not) and your workstations, and keep it, and your operating systems, regularly patched and updated
- Review and implement the standard network security controls: a firewall that exposes only the services you need, guest and staff Wi-Fi kept separate from systems holding customer data, and a regular health check of what is actually reachable from the internet
- Make sure your crisis management or disaster recovery plan (which you should also have) includes a data breach response plan: who to call, what evidence to preserve, and who must be notified
If you don't have a qualified person on staff to keep up with these defences, it may be time to bring in a professional IT service provider.
The time to act is now
With the volume and scope of small business security threats on the rise, SMEs simply cannot afford to wait and risk becoming the next breach we read about in the morning papers.
Aside from the direct monetary losses, the reputational damage could be incalculable, severely undermining a business's credibility and eroding the hard-won trust of its clients and customers.
Mike Foreman, General Manager of AVG Business