Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/24/2018
10:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Half of Small Businesses Believe They're Not Cybercrime Targets

New SMB version of the NIST Cybersecurity Framework could help these organizations properly assess and respond to their security risks.

Even with increased public awareness of cybersecurity threats, small- to midsized businesses (SMBs) mostly remain behind the curve: some 51% of SMB leaders are convinced their companies are not a target for cybercrime.

Meanwhile, 76% of them say they haven't activated multifactor authentication (MFA) for their enterprise email accounts, according to a new report released today from Switchfast Technologies. 

"Frankly, we see similar numbers for MDM [mobile device management]" MFA adoption as well, says Nik Vargas, CTO for Switchfast. He says a single breach can cost a small business up to $130,000, mostly for legal work, cyber remediation, and reputational damage.

Meanwhile, the federal government is giving SMBs an assist: President Trump signed the NIST Small Business Cybersecurity Act last week, which directs NIST to develop a streamlined version of its famed Cybersecurity Framework.

"The fact that the federal government has made this a focus is a positive step," Vargas says. "Of course, one of the real dangers is that small businesses can be a launching pad for much larger attacks on government sites and the large commercial giants."

The reality of SMB security challenges for some time has been painfully obvious: a Ponemon Institute report in 2016 that found that roughly half of the nation's 30 million small businesses had been breached. And the new Switchfast report demonstrates that there's still plenty of work to do to get SMBs up to speed in securing their systems.

Daniel Eliot, director of small business education at the National Cyber Security Alliance, looks for NIST to offer a simplified version of its framework, plus some tools he can use in the NCSA’s small business workshops.

"The idea is to make security approachable to small businesspeople, not to use scare tactics," Eliot says. "I'm glad Congress recognizes the unique need of small businesses, that they typically lack the bodies or budget to do cybersecurity well."

NIST's Cybersecurity Framework provides a way for organizations to assess their security risk, and provides guidelines for  protecting, detecting and responding to cyber threats. 

Kevin Stine, chief of the applied cybersecurity division in NIST's Information Technology Lab, says NIST's work on SMB security will come from existing agency funding.

"I don't envision grants being made available to small businesses and there won't be a list of preferred products; that's not what NIST does," Stine explains. "NIST has supported small businesses since the early 2000s, so I think we can hit the ground running. Our support may not always be with documents; it may also come in the form of video clips and info graphics that will be useful to small businesses."

Bill Conner, CEO of SonicWall, says it's good news to get the feds' support for SMBs. "The government finally understands the importance of SMBs and plans to put some resources to better understand the risk factor, that SMBs really are not prepared," Conner says.  

Switchfast's Vargas says his company's focus on small businesses started with the first ransomware cases in 2013. In the past, SMB owners could pass off viruses as minor annoyances (think pop-ups) that caused computers to slow down, he says. But once ransomware hit, it became clear that companies could lose money or data - and SMBs were targets, too.

"Small business leaders have to become security champions and communicate it to the staff," he says. "They have to explain to employees that security it not just about protecting the boss's Mercedes Benz. They have to understand that their W2s or tax refunds can be stolen, so cybercrime affects them, too."

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/27/2018 | 3:39:10 PM
As a managed services consultant
i used to support small businesses before moving south and into cyber security but in general small businesses have no idea of IT protocols and hesitate to write checks for any investments.  They are not CHEAP but some owners just are.  Some of them I hated and some paid me on the spot.  But the lack insight, concentrating immed on their own problemsas they have to and do not have insight.  It is therefore the explicit job of the consultant to educate, advise and prep for cyber security issues of all kinds.  Some wil llisten and some will not.  All will get attacked.  
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:30:13 AM
Re: As a managed services consultant
small businesses have no idea of IT protocols and hesitate to write checks for any investments. I agree. Money is one of the reasons why they may not want to pay attention to cyber security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:32:07 AM
Re: As a managed services consultant
They are not CHEAP but some owners just are One of the ways for them to be secure is to use cloud solutions instead of on-prem systems.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:32:08 AM
Re: As a managed services consultant
They are not CHEAP but some owners just are One of the ways for them to be secure is to use cloud solutions instead of on-prem systems.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:34:30 AM
Re: As a managed services consultant
But the lack insight, concentrating immed on their own problemsas they have to and do not have insight. This makes sense. Not having insight on cybercrime is main problem. If they can just read the news that may help them a lot I would say.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/29/2018 | 10:10:44 AM
Re: As a managed services consultant
All comments appreciated and the two largest impediments to Small Business being security aware is Knowledge and Cost of that Knowledge.  Having a CISSP on staff is totally unwaranted expense - there is not that much demand for full-time work and salary?  Forget it.  THIS is where the consultant can play and needs to play a key, leading role.  And most consultants understand servers, active directory, backups, etc and oh scan with malwarebytes --- but not much more than that and have to have an in-depth knowledge of multilple lan networks.  The larger managed services shops can also play a larger role than they do.  
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:37:16 AM
Re: As a managed services consultant
It is therefore the explicit job of the consultant to educate, advise and prep for cyber security I would agree. I do not know if consultants really get any opportunity to educate, they cost too. So still the same problem: Money.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/29/2018 | 9:28:12 AM
51%
This is really a high number. It is hard to understand how anybody would still think that thier organization is not target.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/29/2018 | 11:01:14 PM
Point of password pedantry
"76% of them say they haven't activated multifactor authentication"

Of those who say that they have, I'd further wonder how many of those are correct -- i.e., truly know what MFA means.

(Classic example of confusion: A password + a password hint is not MFA. It's the same factor ("something you know") duplicated.)
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11976
PUBLISHED: 2020-08-11
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5
CVE-2020-13179
PUBLISHED: 2020-08-11
Broker Protocol messages in Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows prior to 20.04.1 are not cleaned up in server memory, which may allow an attacker to read confidential information from a memory dump via forcing a crashing during the single sign-on procedure.
CVE-2020-8918
PUBLISHED: 2020-08-11
An improperly initialized 'migrationAuth' value in Google's go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both 'encUsageAuth' and 'encMigrationAuth'...
CVE-2020-9244
PUBLISHED: 2020-08-11
HUAWEI Mate 20 versions Versions earlier than 10.1.0.160(C00E160R3P8);HUAWEI Mate 20 Pro versions Versions earlier than 10.1.0.270(C431E7R1P5),Versions earlier than 10.1.0.270(C635E3R1P5),Versions earlier than 10.1.0.273(C636E7R2P4);HUAWEI Mate 20 X versions Versions earlier than 10.1.0.160(C00E160R...
CVE-2020-9403
PUBLISHED: 2020-08-11
In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in a recoverable format, and may be retrieved by any user with access to the PACTware workstation.