Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

7/12/2019
02:30 PM
50%
50%

Competing Priorities Mean Security Risks for Small Businesses

Small business IT professionals are trying to balance multiple priorities and finding that the balance often leaves the company with serious security risks.

IT professionals at small businesses face a number of competing priorities. They're generally individuals or small teams charged to "to it all," from great customer user experience to company security. And 98% think the employees at their companies could be doing more to help on the security front.

A new report, based on a survey sponsored by LastPass and conducted by Vanson Bourne, finds competing priorities lead to competing objectives for improving security. Among their security objectives for the coming year, more than 50% of the 700 professionals who responded to the survey cited securing data (75%), securing new technologies as they're adopted (68%), reducing risk (66%), and upgrading identify access management (65%).

All of those, and especially identity management, are made more difficult because of all the other requirements these all-purpose IT professionals need to balance. Forty-seven percent say they have to balance ease of use against security, while 37% cite employee demands for greater ease of use as a competing requirement.

The critical nature of finding the proper balance is illustrated by another finding, that 82% of respondents say their businesses have been exposed to a risk as a result of poor identity and access practices.

Read more here.

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

 

 

 

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/22/2019 | 7:56:33 AM
Re: Think of quality

One thing companies could do would be to purchase Intelligent CyberSecurity software and then have the company show them how to use it (demos, coming to the site or remote configuration). They often offer these services as part of the overall purchase especially if it is more than one, this could be an option, the company just needs one person who is technically savvy. - Todd

 
MarkSindone
50%
50%
MarkSindone,
User Rank: Apprentice
7/22/2019 | 5:32:38 AM
Think of quality
It is expected of small companies to have their employees handle almost every single processes of their businesses from A to Z. It is just part and parcel of their business plan to ensure they become cost-efficient and that business processes can be carried out. However, the quality of each process is what is actually being sacrificed. Businesses need to consider this fact should there be extreme repercussions on their own company in the long run.
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/19/2019 | 10:14:56 AM
Re: need title line, insert in column X
Small business IT professionals are trying to balance multiple priorities and finding that the balance often leaves the company with serious security risks.

Nathan, you bring up valid points about entrepreneurship but how is that tied into the discussion as it relates to security and the question posed (companies are trying to balance priorities and risks could be overlooked). I think that was the question.

For example, if someone is building boats, but they don't have in-depth knowledge of the computer system and the accounting they have, they could be affected by external actors (hackers). I think that is where they were getting at. This is a reasonable assumption that is the reason myself and the other gentlemen stated that it may be good to have a security consultant to help address some of those problem areas (just like a doctor, except data and the protection of data, is the life-line that is vital to the business operations).

T
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Apprentice
7/19/2019 | 4:30:20 AM
need title line, insert in column X
IS it really very surprising that there are people out there in the world that have a desire to manufacture something of their own? We're not just talking about replicating the components that are available out there in the industry, but about people innovating and being entrepreneural about it! Who knows what kind of devices and hardware that therse people can come up with that might just be the next big thing!
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/15/2019 | 9:12:10 AM
Re: Security Consultant could enhance your security posture
True - small business cannot afford a large CSirt department or a full time SOC engineer - so a consultant is a perfect compromise.  I know - i supported small business and offices in a managed services capacity and dealt with security and ransomware outbreaks.   And let us not forget Budget - they don't generally have a big one so a consultant has to think well outside of the box.  You won't see massive Carbon Black or Crowdstrike deployments and innovative software has to be used creatively.  And sometimes writing a check can be an issue too.  I saved an entire 501C3 from total ransomware meltdown in 3 hours- should have charged alot more than i did. 
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/12/2019 | 7:18:55 PM
Security Consultant could enhance your security posture
What's wrong with bringing in a security consultant to help put the security framework together?
It does not have to be a lot, just enough to jumpstart the security process.

This could be a strategic advantage when developing relationships with other vendors or clients.

Just a thought.

Todd
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13096
PUBLISHED: 2019-07-22
TronLink Wallet 2.2.0 stores user wallet keystore in plaintext and places them in insecure storage. An attacker can read and reuse the user keystore of a valid user via /data/data/com.tronlink.wallet/shared_prefs/<wallet-name>.xml to gain unauthorized access.
CVE-2019-13097
PUBLISHED: 2019-07-22
The application API of Cat Runner Decorate Home version 2.8.0 for Android does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. Attackers can manipulate users' score parameters exchanged between client and server.
CVE-2019-10102
PUBLISHED: 2019-07-22
OFFIS.de DCMTK 3.6.3 and below is affected by: Buffer Overflow. The impact is: Possible code execution and confirmed Denial of Service. The component is: DcmRLEDecoder::decompress() (file dcrledec.h, line 122). The attack vector is: Many scenarios of DICOM file processing (e.g. DICOM to image conver...
CVE-2019-12326
PUBLISHED: 2019-07-22
Missing file and path validation in the ringtone upload function of the Akuvox R50P VoIP phone 50.0.6.156 allows an attacker to upload a manipulated ringtone file, with an executable payload (shell commands within the file) and trigger code execution.
CVE-2019-13100
PUBLISHED: 2019-07-22
The Send Anywhere application 9.4.18 for Android stores confidential information insecurely on the system (i.e., in cleartext), which allows a non-root user to find out the username/password of a valid user via /data/data/com.estmob.android.sendanywhere/shared_prefs/sendanywhere_device.xml.