
Attacks/Breaches

12/4/2015
10:30 AM
Gustavo Zeidan
Commentary

The Power of Prevention: What SMBs Need to Know About Cybersecurity

There is no such thing as a company that can't afford security. But where do you start?

Many SMBs today have the mindset that they are "not big enough" to be targeted by cyber criminals. Having smaller budgets than their enterprise counterparts, SMBs are also often unwilling to invest in adequate protection. As a result, many SMBs fail both to prevent breaches and to respond effectively when they are breached.

A successful attack can cost hundreds of thousands, even millions of dollars. For an SMB with limited financial resources, the damage can be catastrophic. There’s no such thing as a company that "can’t afford" security. But where do you begin? Here are four steps to get you started.

Step 1: Understand the real threat – it’s not about compliance
Many SMBs make two very common errors. First, they believe that they are not a target. In years past, the Verizon Data Breach Investigations Report has noted that 60% of all successful attacks were aimed at SMBs -- not at the Targets and Home Depots of the world. Why? SMBs typically do not have the expertise, resources, or processes required to appropriately monitor and manage the security products in their environment. Interestingly, while Verizon did not look at the percentage of SMBs successfully attacked in its 2015 report, it did find that the cost of a breach is not necessarily lower for small businesses. Larger organizations do have higher losses per breach, but largely because they typically lose more records.

The second error is that many SMBs believe that if they are compliant, whether with HIPAA, GLBA, SOX, or another regime, they are also secure. The reality is that it is possible to be 100 percent compliant yet 100 percent insecure. Compliance does not equal security, or vice versa. Compliance, depending on the regulatory body you are dealing with, addresses only those aspects of security required to protect the data in question. Security is a much more holistic strategy, involving multiple data and access sources and threat vectors. Achieving compliance will not make you secure. Being secure may not make you compliant, and there is no such thing as 100 percent security. Focus must be brought to bear on both independently.

Step 2: Security is a business imperative
According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. Of those, some 60% go out of business within six months of an attack. You need to protect your business, yet a McAfee study showed that almost 90% of SMBs do not adequately protect their data. SMBs often believe that security boils down to technology purchases, when in reality technology products are only part of the equation. Technology tools aid in implementing the security policies that protect the business, but without the right people and the right processes behind the technology, an SMB is not fully protected.

As a business you should: know where your business vulnerabilities are (data, bank account access, and operational dependencies); be able to quantify the impact if any of those vulnerabilities is compromised; determine what risk is acceptable and what risk must be eliminated; and have implemented the technology, people, and processes necessary to eliminate that risk.

At the end of the day, security is a business decision, not a technology decision.

Step 3: Put your investment where the threat is the greatest
An SMB security budget is often an afterthought and, as a result, small. There are numerous vendors that will sell you point products for every attack vector known to man or woman. By understanding your business and its vulnerability points, you can prioritize your investment in the technologies and resources that will mitigate the threats that matter most to you.

When investing in your security strategy, it is important to consider the additional expenditures required to make your technology decisions effective. Regardless of the technology tool purchased, you must also have trained resources -- people -- who can configure and manage the tool; alerting capability during non-business hours so you know when a threat has been detected; and senior-level, expert practitioners who know how to respond to and remediate threats before damage can be done.

A tool is only as good as the expertise of the person using it.

Step 4: Choose the right partner
SMBs are focused on growing their business, not on building an IT department. Often in a small business the owner is also the IT manager, and in many cases the SMB has a partner that has, in effect, become its outsourced IT department, providing hardware, implementation services, break-fix, and even hands-on management services. Those partners advise SMB owners on what new products to buy, but when it comes to security, you can be left "holding the bag" when an event occurs.

In choosing security partners, consider their level of expertise, resources, and 24x7 infrastructure. They should be knowledgeable about security products, but they should also have the capability to deliver security services that detect and remediate threats. Putting the right security strategy in place to mitigate threats that can jeopardize your business is not just a good idea -- it is mandatory to sustain and grow your business.

Gustavo has over 17 years of experience across a range of technologies and industries with emphasis on security strategy, management, architecture, and security protocols. Gustavo graduated with an MBA from Cranfield School of Management in the United Kingdom and acquired ...

Comments

TerryB, User Rank: Ninja
12/15/2015 | 3:19:28 PM
Re: Scared yet, Bro?
I like your racing analogy, it helps point at what I'm talking about. Only the big boys can afford to play in professional racing, for both safety and performance based reasons. Everyone else is priced out. That's exactly a very real scenario for SMBs to do business with the internet involved.

Unless these insecure operating systems that allow installing a RAT into the o/s when a naive user clicks on the wrong email attachment or website link are fixed, everything you say is correct. But you predict that will continue forever because your entire business exists because of this. I work on a system every day where that is impossible.

Check out the IBM i5 (formerly AS/400) server o/s and you'll see an example of a system that can't be corrupted at that core level. The issue is that it is not a client o/s where email and web browsing take place. If client o/s had a similar design based on old mainframe security, we wouldn't have these issues. People chose these because they were cheap and you could train a monkey to use a GUI. Bill Gates got rich on a system where security was an afterthought. Connect those to a network designed to easily connect some colleges together, again where security was not a consideration, and you arrive where we are today.

At some point, someone is going to start over on client o/s and harden it. No more installed RATs and keystroke loggers and encrypting your files for ransom. Period. Yeah, we'll still have DoS attacks and account/password cracking if your server exposed to internet. But it's this covert installation of privileged programs that are doing the real damage. And that can be stopped, no question about it.

Something has to give. I'm sure your business has integrity, as do most security firms like you. But think about it, who gains the most from this insecure world: the bad guys or security firms? From a pure business point of view, you have no motivation to ever see these holes closed any more than defense contractors want world peace. The solution has to come from people creating the software and protocols that allow the exploits to work in the first place.

vijilanblog, User Rank: Author
12/15/2015 | 2:39:24 PM
Re: treating the symptoms
Security spend is actually increasing 9% CAGR as a result of the high profile breaches that have made the news. Businesses have always had to make difficult decisions between security spend and the acceptable level of risk. Many are realizing that the level of risk has increased and therefore their spend must also increase.

Vendors are constantly improving the security of their products and services. While 100% secure is the ultimate goal, it is also extremely difficult, if not impossible, to achieve. Taking on the liability of a breach would result in significant cost increases across the board. More sensible and cost effective measures can be taken to deliver an acceptable level of protection.

vijilanblog, User Rank: Author
12/15/2015 | 2:27:08 PM
Re: Scared yet, Bro?
You are accurate that very small businesses, especially startups, run on a very tight budget and typically have a "Best Buy" mentality when it comes to network and security products. While the risk is still present, they choose to accept that risk, spending minimally on security. Small (25-200 employees) and medium-sized businesses (200 to 1000 employees) are increasingly a target, both for proprietary and PII data as well as direct bank account access. Yes, there's additional cost to keep up with the changing threat. But the game has changed, and continues to change. I liken it to the racing industry. As cars get more powerful, faster, lighter, the risk to the driver goes up as well. New protection features, like the tethering of aero components to limit the debris that can hit another driver in Indy Car racing, result in increased cost, but it's necessary to protect both the driver and racing fans. Security also parallels racing in that changes are often not made until disaster happens.

There are no guarantees in racing or security - except that at some point you will be a target. There is no 100% in security as, for every new stride made in protection, there's a cyber-criminal creating new ways to get around it. When that happens, monitoring of those infrastructure devices is critical to detect the threat and remediate it in time before damage occurs. Does this really happen? In alarming numbers. Every customer we've turned up this year has had some ongoing infestation or attack - and they had no idea.

Should anyone be scared? No. That's not the message. Should they take proper precautions? Absolutely.

TerryB, User Rank: Ninja
12/7/2015 | 2:07:50 PM
Scared yet, Bro?
None of what you say is wrong, just misses the point. Before internet security, new businesses already had a 70-90% fail rate and operated on a shoestring budget, sometimes barely making payroll.

Now there is this added cost of doing business, internet security, which adds as much value to their business as putting on a new roof adds to your house appraisal. And it isn't like buying insurance, where you are guaranteed certain benefits if your place burns down. Some small businesses can barely afford that. So now you want to convince them to pay for a service which has absolutely no guarantee it can protect them from anything?

Am I wrong? If someone contracts with your company for security services, is it in the contract that you are liable for any and all costs of a breach? Yeah, I didn't think so. That's why this is such a mess.

As the previous poster suggested, until infrastructure is tightened up where these easy to exploit holes exist (think mainframes back in the day before we knew the word hacker, where only an inside job could work), there is no solving this problem. SMBs can slowly bleed to death on this extra cost of doing business or take the risk it may not happen to them. Statistically, they are still in pretty good shape. Not every company has data which can be monetized, leaving ransomware out of it. And you can't fix ransomware, only the Microsofts of the world who produce the o/s which is vulnerable can fix that.

Is there a role for people like you to educate SMBs on best practices? Absolutely. But can most afford to put people like you on retainer to monitor the expensive IDS they bought? Absolutely not.

macker490, User Rank: Ninja
12/6/2015 | 8:52:49 AM
treating the symptoms
we spend so much effort treating the symptoms: track down this trojan; close this botnet; and patch this hole. we are only treating the symptoms and all our efforts will go for naught until we summon the courage to correct the root of the problem: (1) insecure operating software, and (2) a general cavalier approach to authentication. We have to put Security First -- in a Business Environment -- or get robbed blind. systems that put ease of use and compatibility ahead of security are always going to be vulnerable. this is actually a financial issue as in a business environment a lot of costs are involved. this would strongly suggest it's time to address the question of Product Liability: software builders need to be responsible for that part of the software that is under their control.