Application Security

8/24/2018
10:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Half of Small Businesses Believe They're Not Cybercrime Targets

New SMB version of the NIST Cybersecurity Framework could help these organizations properly assess and respond to their security risks.

Even with increased public awareness of cybersecurity threats, small- to midsized businesses (SMBs) mostly remain behind the curve: some 51% of SMB leaders are convinced their companies are not a target for cybercrime.

Meanwhile, 76% of them say they haven't activated multifactor authentication (MFA) for their enterprise email accounts, according to a new report released today from Switchfast Technologies. 

"Frankly, we see similar numbers for MDM [mobile device management]" MFA adoption as well, says Nik Vargas, CTO for Switchfast. He says a single breach can cost a small business up to $130,000, mostly for legal work, cyber remediation, and reputational damage.

Meanwhile, the federal government is giving SMBs an assist: President Trump signed the NIST Small Business Cybersecurity Act last week, which directs NIST to develop a streamlined version of its famed Cybersecurity Framework.

"The fact that the federal government has made this a focus is a positive step," Vargas says. "Of course, one of the real dangers is that small businesses can be a launching pad for much larger attacks on government sites and the large commercial giants."

The reality of SMB security challenges for some time has been painfully obvious: a Ponemon Institute report in 2016 that found that roughly half of the nation's 30 million small businesses had been breached. And the new Switchfast report demonstrates that there's still plenty of work to do to get SMBs up to speed in securing their systems.

Daniel Eliot, director of small business education at the National Cyber Security Alliance, looks for NIST to offer a simplified version of its framework, plus some tools he can use in the NCSA’s small business workshops.

"The idea is to make security approachable to small businesspeople, not to use scare tactics," Eliot says. "I'm glad Congress recognizes the unique need of small businesses, that they typically lack the bodies or budget to do cybersecurity well."

NIST's Cybersecurity Framework provides a way for organizations to assess their security risk, and provides guidelines for  protecting, detecting and responding to cyber threats. 

Kevin Stine, chief of the applied cybersecurity division in NIST's Information Technology Lab, says NIST's work on SMB security will come from existing agency funding.

"I don't envision grants being made available to small businesses and there won't be a list of preferred products; that's not what NIST does," Stine explains. "NIST has supported small businesses since the early 2000s, so I think we can hit the ground running. Our support may not always be with documents; it may also come in the form of video clips and info graphics that will be useful to small businesses."

Bill Conner, CEO of SonicWall, says it's good news to get the feds' support for SMBs. "The government finally understands the importance of SMBs and plans to put some resources to better understand the risk factor, that SMBs really are not prepared," Conner says.  

Switchfast's Vargas says his company's focus on small businesses started with the first ransomware cases in 2013. In the past, SMB owners could pass off viruses as minor annoyances (think pop-ups) that caused computers to slow down, he says. But once ransomware hit, it became clear that companies could lose money or data - and SMBs were targets, too.

"Small business leaders have to become security champions and communicate it to the staff," he says. "They have to explain to employees that security it not just about protecting the boss's Mercedes Benz. They have to understand that their W2s or tax refunds can be stolen, so cybercrime affects them, too."

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/29/2018 | 11:01:14 PM
Point of password pedantry
"76% of them say they haven't activated multifactor authentication"

Of those who say that they have, I'd further wonder how many of those are correct -- i.e., truly know what MFA means.

(Classic example of confusion: A password + a password hint is not MFA. It's the same factor ("something you know") duplicated.)
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/29/2018 | 10:10:44 AM
Re: As a managed services consultant
All comments appreciated and the two largest impediments to Small Business being security aware is Knowledge and Cost of that Knowledge.  Having a CISSP on staff is totally unwaranted expense - there is not that much demand for full-time work and salary?  Forget it.  THIS is where the consultant can play and needs to play a key, leading role.  And most consultants understand servers, active directory, backups, etc and oh scan with malwarebytes --- but not much more than that and have to have an in-depth knowledge of multilple lan networks.  The larger managed services shops can also play a larger role than they do.  
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:37:16 AM
Re: As a managed services consultant
It is therefore the explicit job of the consultant to educate, advise and prep for cyber security I would agree. I do not know if consultants really get any opportunity to educate, they cost too. So still the same problem: Money.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:34:30 AM
Re: As a managed services consultant
But the lack insight, concentrating immed on their own problemsas they have to and do not have insight. This makes sense. Not having insight on cybercrime is main problem. If they can just read the news that may help them a lot I would say.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:32:08 AM
Re: As a managed services consultant
They are not CHEAP but some owners just are One of the ways for them to be secure is to use cloud solutions instead of on-prem systems.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:32:07 AM
Re: As a managed services consultant
They are not CHEAP but some owners just are One of the ways for them to be secure is to use cloud solutions instead of on-prem systems.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:30:13 AM
Re: As a managed services consultant
small businesses have no idea of IT protocols and hesitate to write checks for any investments. I agree. Money is one of the reasons why they may not want to pay attention to cyber security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:28:12 AM
51%
This is really a high number. It is hard to understand how anybody would still think that thier organization is not target.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/27/2018 | 3:39:10 PM
As a managed services consultant
i used to support small businesses before moving south and into cyber security but in general small businesses have no idea of IT protocols and hesitate to write checks for any investments.  They are not CHEAP but some owners just are.  Some of them I hated and some paid me on the spot.  But the lack insight, concentrating immed on their own problemsas they have to and do not have insight.  It is therefore the explicit job of the consultant to educate, advise and prep for cyber security issues of all kinds.  Some wil llisten and some will not.  All will get attacked.  
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19349
PUBLISHED: 2018-11-17
In SeaCMS v6.64, there is SQL injection via the admin_makehtml.php topic parameter because of mishandling in include/mkhtml.func.php.
CVE-2018-19350
PUBLISHED: 2018-11-17
In SeaCMS v6.6.4, there is stored XSS via the member.php?action=chgpwdsubmit email parameter during a password change, as demonstrated by a data: URL in an OBJECT element.
CVE-2018-19341
PUBLISHED: 2018-11-17
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Read Access Violation near NULL starting at FoxitReader...
CVE-2018-19342
PUBLISHED: 2018-11-17
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Read Access Violation starting at U3DBrowser+0x00000000...
CVE-2018-19343
PUBLISHED: 2018-11-17
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read), obtain sensitive information, or possibly have unspecified other impact via a U3D sample because of a "Data from Faul...