Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/6/2017
10:30 AM
Todd Thibodeaux
Todd Thibodeaux
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Cyberattack: It Can't Happen to Us (Until It Does)

Just because your small or medium-sized business isn't as well known as Equifax or Yahoo doesn't mean you're immune to becoming a cybercrime victim.

Equifax likely has more brand-name recognition today than it's had at any time in the company's history, which dates back to 1899. It's a safe bet that the consumer credit reporting agency wishes that wasn't the case.

When well-known organizations are hit by a cybersecurity breach, it becomes front-page and top-of-the-hour news, because these cases affect tens of millions of consumers.

But just because your small or medium-sized business doesn't have tens of millions of customers, or the name recognition of a Target or a Yahoo, doesn't mean you're immune to becoming a cybercrime victim. In fact, there's a good chance that your SMB has been victimized and you don't know it.

The Identity Theft Resource Center has tracked security breaches since 2005. They estimate that 1,055,228,349 unique records containing personal identifying information have been compromised in nearly 8,000 data breaches that have occurred between January 1, 2005, and November 22, 2017.

If those numbers don't grab your attention, consider that the average cost for each lost or stolen record containing sensitive and confidential information is $141, according to the Ponemon Institute's "2017 Cost of Data Breach Study." That cost jumps for businesses in financial services ($245) and healthcare ($380). Those dollar amounts do not include the cost of notifying affected parties. They also don't account for damage to your reputation.

Are your company's pockets deep enough to weather that financial storm? Even if they are, wouldn't you rather spend that money on marketing your products and services, new R&D, or business expansion?

The notion that a business is too small to be a target of hackers or cyber criminals is simply not true. The bad guys are more sophisticated than ever, relying on artificial intelligence, bots, and other advanced methods to gain access to networks and data. Unfortunately, too many companies still choose to roll the dice, hoping they don't get hit or persist in the mindset that "it can't happen to me." That's an irresponsible position to take for any organization, of any size, let alone for one that holds sensitive consumer information.

What can a small business or a startup do to lessen the chance it becomes a cybercrime victim? Here are three commonsense steps that any business can take.

  1. Train Your Team: Whether you employ three people or 3,000, every one of them is a potential security risk. Human error continues to be the primary issue in most data breaches. Companies need to take extra precautions to assure they are practicing safe cybersecurity hygiene. It starts with training everyone in the organization on the security best practices that reduce online risks. But cybersecurity training can't be a one-and-done activity, or something that's only relevant to the IT department. Just like a fire drill, it needs to be a regular regimen, a refresher course for everyone in your organization.
  2. Assess Your Risk: Customer data, employee records, financial, legal, trade secrets, and other highly confidential information are the lifeblood of your company. When was the last time you conducted an inventory of all your data? Do you treat all data the same way, whether it's confidential (financials, employee records, contracts, trade secrets) or nonsensitive (sales brochures, marketing materials)? Most importantly, what security measures do you have in place to protect this data? In the event of a breach, what contingency plans do you have in place for business continuity and disaster recovery so that your company continues to function? Finally, are there plans in place to remediate the breach as quickly as possible and to notify customers and other affected parties?
  3. Ask for Help: Even if you've made a strong commitment to security, your responsibilities as a business owner or entrepreneur may keep you from devoting enough time to the task. That's especially true if you're managing the business's technology while running the business. If you have tech professionals on staff, encourage them to stay current with training and industry certifications. Certified tech pros are better equipped to spot problems before they happen and to stop breaches and intrusions quickly if they do happen. If you don't have IT personnel on staff, consider partnering with a technology company. There are many options available for pay-as-you-go technology services, and many reasons (reduced cost, predictable pricing, peace of mind) why businesses, small and large, choose to turn over some or all of their technology functions to a partner.

The tech industry is doing everything it can to provide products and services to combat cyberthreats as they emerge. But the best security technology products and the most comprehensive policies and processes will only work if companies are willing to use these tools and enforce the best practices to reduce their cybersecurity risk.

Related Content:

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .