7/21/2010
04:21 PM

Avoiding Accidental Data Leaks In Small Businesses

SMBs struggle to educate users, protect company data from unintentional breaches

In small and midsize businesses, the greatest data security risk might not be the educated hacker, but the uneducated end user.

About 42 percent of small and midsize companies have lost proprietary or confidential information, according to Symantec's SMB Information Protection Survey, which was published last month. Of the companies that lost data, 23 percent blamed insiders inadvertently losing data; another 14 percent of breaches were blamed on a broken business process.

In another survey released last year, Symantec researchers found that, of SMBs that suffered at least one breach, 44 percent blamed a lost device, nearly 40 percent blamed human error, and nearly 20 percent attributed the loss to outdated security procedures or inadequate employee training.

The problem, some experts say, is that small business employees are increasingly mixing personal and business technology. SMBs that are not prepared to deal with smartphones, social networks, and other emerging technologies will find their security suffers, says Alex Eckelberry, general manager of security firm GFI. Companies that employ the youngest generation of workers face this problem in spades, he says.

"In the past, companies made it clear that you are on their network and, if you do anything bad, you will be kicked off," Eckelberry says. "Today there are companies out there that say, 'Here's $2,000 -- go buy whatever you want, and the IT department will secure it.'"

To make matters worse, workers who employ these next-generation technologies are usually not educated in the online threats that could target an SMB, says Alex Hutton, principal on research and intelligence for the Verizon Business RISK team. A lack of training can lead to employees inadvertently giving the attacker a hand into the company's network, he says.

In its annual data breach report, Verizon Business found that insider errors were a factor in two-thirds of all breaches it investigated on behalf of clients.

"[The attacks] may be originating from the outside, but we [employees] are doing all we can to help them in," Hutton says.

To take advantage of uneducated employees, online attacks against companies are becoming increasingly complex, says Ted DeZabala, national leader of the security and privacy services practice at Deloitte. In one case investigated by the firm, online attackers added employees to one midsize company's payroll and had the paychecks deposited into accounts they owned.

"This was going on for months and months," DeZabala says. "What we are seeing is that even companies that have very robust programs -- and are diligent with patching and dealing with vulnerabilities -- are not equipped to deal with highly sophisticated malware that is spreading in the marketplace."

Small and midsize businesses should educate employees about online threats, just as they do about physical threats, experts say.

"A huge part [of prevention] is awareness," Hutton says. "I used to do awareness programs in small banks, and the tellers are always nervous about physical threats, so [the banks] are never shy about spending money on physical security."

Some SMBs might shy away from security tools and practices because of the cost, but technically savvy companies can prevent many leaks without spending a dime, experts say.

For example, most browsers now dynamically check links against a known list of bad sites, preventing accidental surfing to malicious destinations. A "clean" DNS service, such as OpenDNS, can also help employees avoid malicious sites. And companies can update their firewalls with block lists provided by one of the many free services that offer them, such as MalwareDomains.com, Eckelberry says.
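As an added illustration of the block-list approach described above (this is not code from the article or from any of the services it names), the sketch below shows what importing a free domain list safely involves: normalizing mixed line formats, rejecting malformed entries, refusing to block the company's own domains, and matching subdomains of listed sites. The feed contents, the `corp.example` allowlist and the function names are all constructed assumptions.

```python
import re

# Constructed sample feed (not real indicators) mixing common layouts and junk.
SAMPLE_FEED = """\
# constructed blocklist sample
127.0.0.1  bad-site.example
0.0.0.0 tracker.malware.example   # inline comment
PHISH.Example.
not a domain!!
127.0.0.1 localhost
intranet.corp.example
"""

# Assumption: domains the business must never block, even if a feed lists them.
ALLOWLIST = {"corp.example"}

_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

def _parents(domain):
    """Yield the domain and each parent: a.b.c -> a.b.c, b.c, c."""
    parts = domain.split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])

def parse_feed(text, allowlist=ALLOWLIST):
    """Return the set of valid, non-allowlisted domains found in a feed."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and re.fullmatch(r"[\d.]+", fields[0]):
            fields = fields[1:]  # hosts-style line: drop the sinkhole IP
        if len(fields) != 1:
            continue  # blank, comment-only, or free text
        name = fields[0].lower().rstrip(".")
        if not _HOSTNAME.match(name) or len(name) > 253:
            continue  # single-label names such as "localhost" and junk
        if any(p in allowlist for p in _parents(name)):
            continue  # a feed must not be able to cut off business domains
        blocked.add(name)
    return blocked

def is_blocked(hostname, blocked):
    """True if hostname or any parent domain is on the blocklist."""
    return any(p in blocked for p in _parents(hostname.lower().rstrip(".")))
```

Matching on parent domains means a listed site also covers its subdomains, while the allowlist check keeps a bad feed entry from taking down internal services.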

Patching is also a critical element in protecting against unintentional data leaks, but companies shouldn't focus only on operating system patches, observers say. All applications -- especially ubiquitous ones, such as Adobe Acrobat and Flash -- need to be patched as soon as possible.

"A lot of this stuff is free," Eckelberry says. "That's what makes it so painful that companies are not doing it."

SMBs should also watch their employees carefully, Deloitte's DeZabala says. While some companies attempt to ban social networks, these sites are becoming an important business tool -- it's better to monitor the users, he says. In smaller companies, monitoring can be as simple as managers friending their workers on social networks.

But be sure you can handle the data you're monitoring, DeZabala advises. "Monitoring is a double-edged sword," he says. "More monitoring means more data you have to collect and analyze -- and the more data you collect, the less chance that you will use it."

Data-loss protection (DLP) systems and services can stop users from unintentionally disclosing information they should keep confidential, experts note. Such systems can monitor email and Web postings for confidential information, while programs designed to manage devices can often prevent inadvertent or malicious copying of data to USB devices.

Training employees to think about their online actions is another big part of the solution, experts say. Unified threat management (UTM) systems and layered defenses can help -- but even with depth and redundancy, they are not always going to work.

"If it is a targeted attack, that is going to be problematic," Hutton says. "The vast majority of malware is customized every day, and so signature-based solutions are of limited use."

Even antivirus vendors warn their solutions are not enough.

"A lot of people will buy one product and expect it to do everything -- and it doesn't," says Eckelberry of GFI, which recently bought security application maker Sunbelt Software. "In the past, you could rely on your AV product to catch everything, but it can't anymore. I have some of the coolest technology in the world, but I know what it is like out there. It will not catch everything."

Companies should secure employees against their own behavior just as a parent childproofs a house, Eckelberry says. "It may be a terrible analogy," he says, "but as an IT manager, you have to expect that users are going to bumble around and break glass objects."
