7/21/2010
04:21 PM

Avoiding Accidental Data Leaks In Small Businesses

SMBs struggle to educate users, protect company data from unintentional breaches

In small and midsize businesses, the greatest data security risk might not be the educated hacker, but the uneducated end user.

About 42 percent of small and midsize companies have lost proprietary or confidential information, according to Symantec's SMB Information Protection Survey, which was published last month. Of the companies that lost data, 23 percent blamed insiders inadvertently losing data; another 14 percent of breaches were blamed on a broken business process.

In another survey released last year, Symantec researchers found that, of SMBs that suffered at least one breach, 44 percent blamed a lost device, nearly 40 percent blamed human error, and nearly 20 percent attributed the loss to outdated security procedures or inadequate employee training.

The problem, some experts say, is that small business employees are increasingly mixing personal and business technology. SMBs that are not prepared to deal with smartphones, social networks, and other emerging technologies will find their security suffers, says Alex Eckelberry, general manager of security firm GFI. Companies that employ the youngest generation of workers face this problem in spades, he says.

"In the past, companies made it clear that you are on their network and, if you do anything bad, you will be kicked off," Eckelberry says. "Today there are companies out there that say, 'Here's $2,000 -- go buy whatever you want, and the IT department will secure it.'"

To make matters worse, workers who employ these next-generation technologies are usually not educated in the online threats that could target an SMB, says Alex Hutton, principal on research and intelligence for the Verizon Business RISK team. A lack of training can lead to employees inadvertently giving the attacker a hand into the company's network, he says.

In its annual data breach report, Verizon Business found that insider errors were a factor in two-thirds of all breaches it investigated on behalf of clients.

"[The attacks] may be originating from the outside, but we [employees] are doing all we can to help them in," Hutton says.

To take advantage of uneducated employees, online attacks against companies are becoming increasingly complex, says Ted DeZabala, national leader of the security and privacy services practice at Deloitte. In one case investigated by the firm, online attackers added employees to one midsize company's payroll and had the paychecks deposited into accounts they owned.

"This was going on for months and months," DeZabala says. "What we are seeing is that even companies that have very robust programs -- and are diligent with patching and dealing with vulnerabilities -- are not equipped to deal with highly sophisticated malware that is spreading in the marketplace."

Small and midsize businesses should educate employees about online threats, just as they do about physical threats, experts say.

"A huge part [of prevention] is awareness," Hutton says. "I used to do awareness programs in small banks, and the tellers are always nervous about physical threats, so [the banks] are never shy about spending money on physical security."

Some SMBs might shy away from security tools and practices because of the cost, but technically savvy companies can prevent many leaks without spending a dime, experts say.

For example, most browsers now dynamically check links against a known list of bad sites, preventing accidental surfing to malicious destinations. A "clean" DNS service, such as OpenDNS, can also help employees avoid malicious sites. And companies can update their firewalls with block lists provided by one of the many free services that offer them, such as MalwareDomains.com, Eckelberry says.

Patching is also a critical element in protecting against unintentional data leaks, but companies shouldn't focus only on operating system patches, observers say. All applications -- especially ubiquitous ones, such as Adobe Acrobat and Flash -- need to be patched as soon as possible.

"A lot of this stuff is free," Eckelberry says. "That's what makes it so painful that companies are not doing it."

SMBs should also watch their employees carefully, Deloitte's DeZabala says. While some companies attempt to ban social networks, these sites are becoming an important business tool -- it's better to monitor the users, he says. In smaller companies, monitoring can be as simple as managers friending their workers on social networks.

But be sure you can handle the data you're monitoring, DeZabala advises. "Monitoring is a double-edged sword," he says. "More monitoring means more data you have to collect and analyze -- and the more data you collect, the less chance that you will use it."

Data-loss protection (DLP) systems and services can stop users from unintentionally disclosing information they should keep confidential, experts note. Such systems can monitor email and Web postings for confidential information, while programs designed to manage devices can often prevent inadvertent or malicious copying of data to USB devices.

Training employees to think about their online actions is another big part of the solution, experts say. Unified threat management (UTM) systems and layered defenses can help -- but even with depth and redundancy, they are not always going to work.

"If it is a targeted attack, that is going to be problematic," Hutton says. "The vast majority of malware is customized every day, and so signature-based solutions are of limited use."

Even antivirus vendors warn their solutions are not enough.

"A lot of people will buy one product and expect it to do everything -- and it doesn't," says Eckelberry of GFI, which recently bought security application maker Sunbelt Software. "In the past, you could rely on your AV product to catch everything, but it can't anymore. I have some of the coolest technology in the world, but I know what it is like out there. It will not catch everything."

Companies should secure employees against their own behavior just as a parent childproofs a house, Eckelberry says. "It may be a terrible analogy," he says, "but as an IT manager, you have to expect that users are going to bumble around and break glass objects."
