Mid-sized businesses operate differently than their larger counterparts and have unique security concerns. Addressing these concerns involves detailed conversations with business leaders about what technology needs to be in place to protect core digital assets. This is especially important as organizations migrate to the cloud in search of greater efficiencies.
Mid-market companies tend to run lean and may have a small or non-existent IT team, which makes the public cloud a great option. But in the rush to take advantage of cloud, they tend to focus on overcoming networking issues and scaling capabilities first, with security as an afterthought. And when they do think about security, it is usually in terms of who on the team has access. It is often assumed that security is the cloud provider’s responsibility, when in reality, it is a shared responsibility.
This leaves the door open for attackers. It’s not enough to know who your admins are once a breach occurs. Securing your data is critical, but, as you will see, it does not have to be complicated.
Mid-sized businesses tend to put most of their security eggs in the network-based solutions basket. These solutions are focused on preventative measures, when zero-day attacks—by definition—take advantage of unknown vulnerabilities.
Passwords—or any other form of shared-secret scheme used to authenticate people—remain a serious vulnerability, as well. Lists of hacked passwords are for sale on the dark web, phishing remains a successful method of obtaining users’ passwords and password-cracking tools are getting better and better.
The greatest vulnerability, though, is the idea that no bad actor would bother to breach you because your company is too small, unimportant or not valuable enough. Bigger is not always better to cybercriminals. Yes, bigger businesses tend to yield a bigger pay-off, but they also have stronger security programs than mid-sized companies. Attackers like low-hanging fruit just as much as the next guy.
Could you survive a breach?
According to the Ponemon Institute’s 2017 State of Cybersecurity in Small & Medium-Sized Businesses report, the average cost for middle market companies to clean up after being hacked is more than $1 million. In addition to clean-up and containment costs, there may be fines, depending on the industry and jurisdiction the company falls within. A mid-sized business may not have the funds to survive a breach.
The Ponemon report found that the most prevalent attacks against smaller businesses are ransomware, malware, phishing/social engineering and web-based threats. While firewalls and malware detection software are available inexpensively, they cannot protect data once the network has been breached.
Why you need encryption
When it comes to security, mid-market companies tend to think that encryption is something that only enterprises need. However, medium-sized companies are being increasingly targeted by cybercriminals for data. One study found that 53 per cent—just over half—of mid-market businesses suffered one or more breaches last year.
Security can have compliance implications, as well. Local law firms or small companies holding medical records, for instance, have private data that needs protection strong enough to meet industry compliance regulations.
Because encryption seems difficult and confusing, there is a tendency to ignore it or discount it as a viable security method for mid-sized companies. However, encryption is not as hard as it sounds.
At its most basic, encryption is a cryptographic system that encodes data and files so that only authorised users and devices can read them and unauthorised ones cannot. However, data encrypted at the network, web server, application server, database, app system or hard disk drive layer is still vulnerable. Only encryption at the application layer is secure.
Why is this the case? If data is encrypted or decrypted in any part of the system—the hard disk drive, operating system, database, etc.—other than the business application using that data, significant residual risks remain despite the encryption. An attacker need only compromise a software layer above the encrypting layer to see unencrypted (plaintext) data. Since the application layer is the highest layer in the technology stack, this makes it the most logical place to protect sensitive data because it offers the attacker the smallest target. This also ensures that, once data leaves the application layer, it is protected no matter where it goes – and, conversely, it must come back to the application layer to be decrypted.
When data is encrypted, it becomes unreadable unless the person who accesses it has the appropriate key. How can you control access to those encryption keys? Authentication.
Why you need authentication
There are various kinds of authentication, such as two-factor authentication delivered via SMS, email, or biometric verification. The idea behind authentication is to make sure that a person or technology trying to gain access to data is actually that person or technology. In the case of gaining access to encryption keys, authentication that requires tokens or biometrics is the strongest option.
The FIDO Alliance has developed a protocol for strong authentication. Strong authentication that conforms to the latest FIDO Alliance standard leverages years of Public Key Infrastructure (PKI) cryptography expertise to verify the identity of users and devices, enabling strict authorisation and access to encrypted data and files.
The FIDO protocols and authenticators on which they are based:
- Require a hardware-based authenticator, which, unlike file-based credentials, is not susceptible to attacks from the internet
- Require the customer to prove, through possession of the FIDO authenticator, that they are present at the computer originating the purchase
- Are un-phishable—attackers cannot compromise the protocol’s cryptographic messages and use them to masquerade as the legitimate customer
- Are privacy-protecting—even with a stolen or lost authenticator, attackers cannot learn a customer’s identity and use it to compromise the customer’s account
A more secure future
Mid-market companies may think they are too small to warrant encryption, yet they are being attacked just as often, at least in part because their security strategy is less robust than that of large companies. Because the cost of breaches continues to rise, medium-sized businesses have a great deal to lose when a breach occurs. Implementing both encryption and authentication is a one-two security punch that provides peace of mind in a world of ongoing cybercrime. With encryption and authentication measures in place, mid-sized businesses can keep their data safe even if a breach occurs.
David Irwin, VP of engineering, StrongKey