Avoiding Accidental Data Leaks In Small Businesses

SMBs struggle to educate users, protect company data from unintentional breaches

In small and midsize businesses, the greatest data security risk might not be the educated hacker, but the uneducated end user.

About 42 percent of small and midsize companies have lost proprietary or confidential information, according to Symantec's SMB Information Protection Survey, which was published last month. Of the companies that lost data, 23 percent blamed insiders inadvertently losing data; another 14 percent of breaches were blamed on a broken business process.

In another survey released last year, Symantec researchers found that, of SMBs that suffered at least one breach, 44 percent blamed a lost device, nearly 40 percent blamed human error, and nearly 20 percent attributed the loss to outdated security procedures or inadequate employee training.

The problem, some experts say, is that small business employees are increasingly mixing personal and business technology. SMBs that are not prepared to deal with smartphones, social networks, and other emerging technologies will find their security suffers, says Alex Eckelberry, general manager of security firm GFI. Companies that employ the youngest generation of workers face this problem in spades, he says.

"In the past, companies made it clear that you are on their network and, if you do anything bad, you will be kicked off," Eckelberry says. "Today there are companies out there that say, 'Here's $2,000 -- go buy whatever you want, and the IT department will secure it.'"

To make matters worse, workers who employ these next-generation technologies are usually not educated in the online threats that could target an SMB, says Alex Hutton, principal on research and intelligence for the Verizon Business RISK team. A lack of training can lead to employees inadvertently giving the attacker a hand into the company's network, he says.

In its annual data breach report, Verizon Business found that insider errors were a factor in two-thirds of all breaches it investigated on behalf of clients.

"[The attacks] may be originating from the outside, but we [employees] are doing all we can to help them in," Hutton says.

To take advantage of uneducated employees, online attacks against companies are becoming increasingly complex, says Ted DeZabala, national leader of the security and privacy services practice at Deloitte. In one case investigated by the firm, online attackers added employees to one midsize company's payroll and had the paychecks deposited into accounts they owned.

"This was going on for months and months," DeZabala says. "What we are seeing is that even companies that have very robust programs -- and are diligent with patching and dealing with vulnerabilities -- are not equipped to deal with highly sophisticated malware that is spreading in the marketplace."

Small and midsize businesses should educate employees about online threats, just as they do about physical threats, experts say.

"A huge part [of prevention] is awareness," Hutton says. "I used to do awareness programs in small banks, and the tellers are always nervous about physical threats, so [the banks] are never shy about spending money on physical security."

Some SMBs might shy away from security tools and practices because of the cost, but technically savvy companies can prevent many leaks without spending a dime, experts say.

For example, most browsers now dynamically check links against a known list of bad sites, preventing accidental surfing to malicious destinations. A "clean" DNS service, such as OpenDNS, can also help employees avoid malicious sites. And companies can update their firewalls with block lists provided by one of the many free services that offer them, such as, Eckelberry says.

Patching is also a critical element in protecting against unintentional data leaks, but companies shouldn't focus only on operating system patches, observers say. All applications -- especially ubiquitous ones, such as Adobe Acrobat and Flash -- need to be patched as soon as possible.

"A lot of this stuff is free," Eckelberry says. "That's what makes it so painful that companies are not doing it."

SMBs should also watch their employees carefully, Deloitte's DeZabala says. While some companies attempt to ban social networks, these sites are becoming an important business tool -- it's better to monitor the users, he says. In smaller companies, monitoring can be as simple as managers friending their workers on social networks.

But be sure you can handle the data you're monitoring, DeZabala advises. "Monitoring is a double-edged sword," he says. "More monitoring means more data you have to collect and analyze -- and the more data you collect, the less chance that you will use it."

Data-loss protection (DLP) systems and services can stop users from unintentionally disclosing information they should keep confidential, experts note. Such systems can monitor email and Web postings for confidential information, while programs designed to manage devices can often prevent inadvertent or malicious copying of data to USB devices.
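To make the email-monitoring idea concrete, here is an added example (not from the article or any vendor's product) of the content check a DLP filter applies to an outbound message. The function names, the two patterns, and the sample messages are assumptions constructed for illustration; the Luhn checksum is what keeps ordinary 16-digit invoice numbers from being flagged as payment cards.

```python
import re
from email import message_from_string

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security number in the common 3-2-4 written form.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str) -> list:
    """Return (kind, redacted_value) findings; the full value is never kept."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings

def scan_message(raw: str) -> dict:
    """Scan the subject and text/plain parts of a message; hold it on any finding."""
    msg = message_from_string(raw)
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    body = b"\n".join(parts).decode("utf-8", errors="replace")
    findings = scan_text((msg.get("Subject") or "") + "\n" + body)
    return {"to": msg.get("To"), "findings": findings,
            "action": "hold" if findings else "allow"}

# Constructed sample messages (well-known test card number, made-up SSN).
SAMPLE_LEAK = ("From: clerk@example.com\nTo: friend@example.net\nSubject: order\n\n"
               "Card 4111 1111 1111 1111, SSN 123-45-6789, invoice 1234 5678 9012 3456.\n")
SAMPLE_CLEAN = "From: clerk@example.com\nTo: boss@example.com\nSubject: lunch\n\nNoon?\n"

if __name__ == "__main__":
    print(scan_message(SAMPLE_LEAK))   # held: card and SSN found, invoice ignored
    print(scan_message(SAMPLE_CLEAN))  # allowed
```

Findings carry only the last four digits, so the filter's own log does not become a second copy of the confidential data.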

Training employees to think about their online actions is another big part of the solution, experts say. Unified threat management (UTM) systems and layered defenses can help -- but even with depth and redundancy, they are not always going to work.

"If it is a targeted attack, that is going to be problematic," Hutton says. "The vast majority of malware is customized every day, and so signature-based solutions are of limited use."

Even antivirus vendors warn their solutions are not enough.

"A lot of people will buy one product and expect it to do everything -- and it doesn't," says Eckelberry, whose company, GFI, recently bought security application maker Sunbelt Software. "In the past, you could rely on your AV product to catch everything, but it can't anymore. I have some of the coolest technology in the world, but I know what it is like out there. It will not catch everything."

Companies should secure employees against their own behavior just as a parent childproofs a house, Eckelberry says. "It may be a terrible analogy," he says, "but as an IT manager, you have to expect that users are going to bumble around and break glass objects."
