Application Security

8/24/2018
10:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Half of Small Businesses Believe They're Not Cybercrime Targets

New SMB version of the NIST Cybersecurity Framework could help these organizations properly assess and respond to their security risks.

Even with increased public awareness of cybersecurity threats, small- to midsized businesses (SMBs) mostly remain behind the curve: some 51% of SMB leaders are convinced their companies are not a target for cybercrime.

Meanwhile, 76% of them say they haven't activated multifactor authentication (MFA) for their enterprise email accounts, according to a new report released today from Switchfast Technologies. 

"Frankly, we see similar numbers for MDM [mobile device management]" MFA adoption as well, says Nik Vargas, CTO for Switchfast. He says a single breach can cost a small business up to $130,000, mostly for legal work, cyber remediation, and reputational damage.

Meanwhile, the federal government is giving SMBs an assist: President Trump signed the NIST Small Business Cybersecurity Act last week, which directs NIST to develop a streamlined version of its famed Cybersecurity Framework.

"The fact that the federal government has made this a focus is a positive step," Vargas says. "Of course, one of the real dangers is that small businesses can be a launching pad for much larger attacks on government sites and the large commercial giants."

The reality of SMB security challenges for some time has been painfully obvious: a Ponemon Institute report in 2016 that found that roughly half of the nation's 30 million small businesses had been breached. And the new Switchfast report demonstrates that there's still plenty of work to do to get SMBs up to speed in securing their systems.

Daniel Eliot, director of small business education at the National Cyber Security Alliance, looks for NIST to offer a simplified version of its framework, plus some tools he can use in the NCSA’s small business workshops.

"The idea is to make security approachable to small businesspeople, not to use scare tactics," Eliot says. "I'm glad Congress recognizes the unique need of small businesses, that they typically lack the bodies or budget to do cybersecurity well."

NIST's Cybersecurity Framework provides a way for organizations to assess their security risk, and provides guidelines for  protecting, detecting and responding to cyber threats. 

Kevin Stine, chief of the applied cybersecurity division in NIST's Information Technology Lab, says NIST's work on SMB security will come from existing agency funding.

"I don't envision grants being made available to small businesses and there won't be a list of preferred products; that's not what NIST does," Stine explains. "NIST has supported small businesses since the early 2000s, so I think we can hit the ground running. Our support may not always be with documents; it may also come in the form of video clips and info graphics that will be useful to small businesses."

Bill Conner, CEO of SonicWall, says it's good news to get the feds' support for SMBs. "The government finally understands the importance of SMBs and plans to put some resources to better understand the risk factor, that SMBs really are not prepared," Conner says.  

Switchfast's Vargas says his company's focus on small businesses started with the first ransomware cases in 2013. In the past, SMB owners could pass off viruses as minor annoyances (think pop-ups) that caused computers to slow down, he says. But once ransomware hit, it became clear that companies could lose money or data - and SMBs were targets, too.

"Small business leaders have to become security champions and communicate it to the staff," he says. "They have to explain to employees that security it not just about protecting the boss's Mercedes Benz. They have to understand that their W2s or tax refunds can be stolen, so cybercrime affects them, too."

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/29/2018 | 11:01:14 PM
Point of password pedantry
"76% of them say they haven't activated multifactor authentication"

Of those who say that they have, I'd further wonder how many of those are correct -- i.e., truly know what MFA means.

(Classic example of confusion: A password + a password hint is not MFA. It's the same factor ("something you know") duplicated.)
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/29/2018 | 10:10:44 AM
Re: As a managed services consultant
All comments appreciated and the two largest impediments to Small Business being security aware is Knowledge and Cost of that Knowledge.  Having a CISSP on staff is totally unwaranted expense - there is not that much demand for full-time work and salary?  Forget it.  THIS is where the consultant can play and needs to play a key, leading role.  And most consultants understand servers, active directory, backups, etc and oh scan with malwarebytes --- but not much more than that and have to have an in-depth knowledge of multilple lan networks.  The larger managed services shops can also play a larger role than they do.  
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:37:16 AM
Re: As a managed services consultant
It is therefore the explicit job of the consultant to educate, advise and prep for cyber security I would agree. I do not know if consultants really get any opportunity to educate, they cost too. So still the same problem: Money.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:34:30 AM
Re: As a managed services consultant
But the lack insight, concentrating immed on their own problemsas they have to and do not have insight. This makes sense. Not having insight on cybercrime is main problem. If they can just read the news that may help them a lot I would say.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:32:08 AM
Re: As a managed services consultant
They are not CHEAP but some owners just are One of the ways for them to be secure is to use cloud solutions instead of on-prem systems.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:32:07 AM
Re: As a managed services consultant
They are not CHEAP but some owners just are One of the ways for them to be secure is to use cloud solutions instead of on-prem systems.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:30:13 AM
Re: As a managed services consultant
small businesses have no idea of IT protocols and hesitate to write checks for any investments. I agree. Money is one of the reasons why they may not want to pay attention to cyber security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:28:12 AM
51%
This is really a high number. It is hard to understand how anybody would still think that thier organization is not target.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/27/2018 | 3:39:10 PM
As a managed services consultant
i used to support small businesses before moving south and into cyber security but in general small businesses have no idea of IT protocols and hesitate to write checks for any investments.  They are not CHEAP but some owners just are.  Some of them I hated and some paid me on the spot.  But the lack insight, concentrating immed on their own problemsas they have to and do not have insight.  It is therefore the explicit job of the consultant to educate, advise and prep for cyber security issues of all kinds.  Some wil llisten and some will not.  All will get attacked.  
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: When they asked me to do a pen test, I wasn't thinking of this!
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17182
PUBLISHED: 2018-09-19
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations...
CVE-2018-17144
PUBLISHED: 2018-09-19
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...