Dark Reading is part of the Informa Tech Division of Informa PLC


12/6/2017
10:30 AM
Todd Thibodeaux
Commentary

Cyberattack: It Can't Happen to Us (Until It Does)

Just because your small or medium-sized business isn't as well known as Equifax or Yahoo doesn't mean you're immune to becoming a cybercrime victim.

Equifax likely has more brand-name recognition today than it's had at any time in the company's history, which dates back to 1899. It's a safe bet that the consumer credit reporting agency wishes that wasn't the case.

When well-known organizations are hit by a cybersecurity breach, it becomes front-page and top-of-the-hour news, because these cases affect tens of millions of consumers.

But just because your small or medium-sized business doesn't have tens of millions of customers, or the name recognition of a Target or a Yahoo, doesn't mean you're immune to becoming a cybercrime victim. In fact, there's a good chance that your SMB has been victimized and you don't know it.

The Identity Theft Resource Center has tracked security breaches since 2005. It estimates that 1,055,228,349 unique records containing personal identifying information were compromised in nearly 8,000 data breaches that occurred between January 1, 2005, and November 22, 2017.

If those numbers don't grab your attention, consider that the average cost for each lost or stolen record containing sensitive and confidential information is $141, according to the Ponemon Institute's "2017 Cost of Data Breach Study." That cost jumps for businesses in financial services ($245) and healthcare ($380). Those dollar amounts do not include the cost of notifying affected parties. They also don't account for damage to your reputation.

Are your company's pockets deep enough to weather that financial storm? Even if they are, wouldn't you rather spend that money on marketing your products and services, new R&D, or business expansion?

The notion that a business is too small to be a target of hackers or cyber criminals is simply not true. The bad guys are more sophisticated than ever, relying on artificial intelligence, bots, and other advanced methods to gain access to networks and data. Unfortunately, too many companies still choose to roll the dice, hoping they don't get hit or persisting in the mindset that "it can't happen to me." That's an irresponsible position to take for any organization, of any size, let alone for one that holds sensitive consumer information.

What can a small business or a startup do to lessen the chance it becomes a cybercrime victim? Here are three commonsense steps that any business can take.

  1. Train Your Team: Whether you employ three people or 3,000, every one of them is a potential security risk. Human error continues to be the primary issue in most data breaches. Companies need to take extra precautions to ensure they are practicing safe cybersecurity hygiene. It starts with training everyone in the organization on the security best practices that reduce online risks. But cybersecurity training can't be a one-and-done activity, or something that's only relevant to the IT department. Just like a fire drill, it needs to be a regular regimen, a refresher course for everyone in your organization.
  2. Assess Your Risk: Customer data, employee records, financial, legal, trade secrets, and other highly confidential information are the lifeblood of your company. When was the last time you conducted an inventory of all your data? Do you treat all data the same way, whether it's confidential (financials, employee records, contracts, trade secrets) or nonsensitive (sales brochures, marketing materials)? Most importantly, what security measures do you have in place to protect this data? In the event of a breach, what contingency plans do you have in place for business continuity and disaster recovery so that your company continues to function? Finally, are there plans in place to remediate the breach as quickly as possible and to notify customers and other affected parties?
  3. Ask for Help: Even if you've made a strong commitment to security, your responsibilities as a business owner or entrepreneur may keep you from devoting enough time to the task. That's especially true if you're managing the business's technology while running the business. If you have tech professionals on staff, encourage them to stay current with training and industry certifications. Certified tech pros are better equipped to spot problems before they happen and to stop breaches and intrusions quickly if they do happen. If you don't have IT personnel on staff, consider partnering with a technology company. There are many options available for pay-as-you-go technology services, and many reasons (reduced cost, predictable pricing, peace of mind) why businesses, small and large, choose to turn over some or all of their technology functions to a partner.

The tech industry is doing everything it can to provide products and services to combat cyberthreats as they emerge. But the best security technology products and the most comprehensive policies and processes will only work if companies are willing to use these tools and enforce the best practices to reduce their cybersecurity risk.

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development ...