04:21 PM
Connect Directly

Avoiding Accidental Data Leaks In Small Businesses

SMBs struggle to educate users, protect company data from unintentional breaches

In small and midsize businesses, the greatest data security risk might not be the educated hacker, but the uneducated end user.

About 42 percent of small and midsize companies have lost proprietary or confidential information, according to Symantec's SMB Information Protection Survey, which was published last month. Of the companies that lost data, 23 percent blamed insiders inadvertently losing data; another 14 percent of breaches were blamed on a broken business process.

In another survey released last year, Symantec researchers found that, of SMBs that suffered at least one breach, 44 percent blamed a lost device, nearly 40 percent blamed human error, and nearly 20 percent attributed the loss to outdated security procedures or inadequate employee training.

The problem, some experts say, is that small business employees are increasingly mixing personal and business technology. SMBs that are not prepared to deal with smartphones, social networks, and other emerging technologies will find their security suffers, says Alex Eckelberry, general manager of security firm GFI. Companies that employ the youngest generation of workers face this problem in spades, he says.

"In the past, companies made it clear that you are on their network and, if you do anything bad, you will be kicked off," Eckelberry says. "Today there are companies out there that say, 'Here's $2,000 -- go buy whatever you want, and the IT department will secure it."

To make matters worse, workers who employ these next-generation technologies are usually not educated in the online threats that could target an SMB, says Alex Hutton, principal on research and intelligence for the Verizon Business RISK team. A lack of training can lead to employees inadvertently giving the attacker a hand into the company's network, he says.

In its annual data breach report, Verizon Business found that insider errors were a factor in two-thirds of all breaches it investigated on behalf of clients.

"[The attacks] may be originating from the outside, but we [employees] are doing all we can to help them in,” Hutton says.

To take advantage of uneducated employees, online attacks against companies are becoming increasingly complex, says Ted DeZabala, national leader of the security and privacy services practice at Deloitte. In one case investigated by the firm, online attackers added employees a one midsize company's payroll and had the paychecks deposited into accounts it owned.

"This was going on for months and months," DeZabala says. "What we are seeing is that even companies that have very robust program -- and are diligent with patching and dealing with vulnerabilities -- are not equipped to deal with highly sophisticated malware that is spreading in the marketplace.”

Small and midsize businesses should educate employees about online threats, just as they do about physical threats, experts say.

"A huge part [of prevention] is awareness," Hutton says. "I used to do awareness programs in small banks, and the tellers are always nervous about physical threats, so [the banks] are never shy about spending money on physical security.”

Some SMBs might shy away from security tools and practices because of the cost, but technically savvy companies can prevent many leaks without spending a dime, experts say.

For example, most browsers now dynamically check links against a known list of bad sites, preventing accidental surfing to malicious destinations. A "clean" DNS service, such as OpenDNS, can also help employees avoid malicious sites. And companies can update their firewalls with block lists provided by one of the many free services that offer them, such as, Eckelberry says.

Patching is also a critical element in protecting against unintentional data leaks, but companies shouldn't focus only on operating system patches, observers say. All applications -- especially ubiquitous ones, such as Adobe Acrobat and Flash -- need to patched as soon as possible.

"A lot of this stuff is free," Eckelberry says. "That's what makes it so painful that companies are not doing it."

SMBs should also watch their employees carefully, Deloitte's DeZabala says. While some companies attempt to ban social networks, these sites are becoming an important business tool -- it's better to monitor the users, he says. In smaller companies, monitoring can be as simple as managers friending their workers on social networks.

But be sure you can handle the data you're monitoring, DeZabala advises. "Monitoring is a double-edged sword," he says. "More monitoring means more data you have to collect and analyze -- and the more data you collect, the less chance that you will use it.”

Data-loss protection (DLP) systems and services can stop users from unintentionally disclosing information they should keep confidential, experts note. Such systems can monitor email and Web postings for confidential information, while programs designed to manage devices can often prevent inadvertent or malicious copying of data to USB devices.

Training employees to think about their online actions is another big part of the solution, experts say. Unified threat management (UTM) systems and layered defenses can help -- but even with depth and redundancy, they are not always going to work.

"If it is a targeted attack, that is going to be problematic," Hutton says. "The vast majority of malware is customized every day, and so signature-based solutions are of limited use."

Even antivirus vendors warn their solutions are not enough.

"A lot of people will buy one product and expect it to do everything -- and it doesn't," says GFI's Eckelberry, which recently bought security application maker Sunbelt Software. "In the past, you could rely on your AV product to catch everything, but it can't anymore. I have some of the coolest technology in the world, but I know what it is like out there. It will not catch everything."

Companies should secure employees against their own behavior just as a parent childproofs a house, Eckelberry says. "It may be a terrible analogy," he says, "but as an IT manager, you have to expect that users are gong to bumble around and break glass objects."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/ in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.