Risk

12/6/2017
10:30 AM
Todd Thibodeaux
Todd Thibodeaux
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Cyberattack: It Can't Happen to Us (Until It Does)

Just because your small or medium-sized business isn't as well known as Equifax or Yahoo doesn't mean you're immune to becoming a cybercrime victim.

Equifax likely has more brand-name recognition today than it's had at any time in the company's history, which dates back to 1899. It's a safe bet that the consumer credit reporting agency wishes that wasn't the case.

When well-known organizations are hit by a cybersecurity breach, it becomes front-page and top-of-the-hour news, because these cases affect tens of millions of consumers.

But just because your small or medium-sized business doesn't have tens of millions of customers, or the name recognition of a Target or a Yahoo, doesn't mean you're immune to becoming a cybercrime victim. In fact, there's a good chance that your SMB has been victimized and you don't know it.

The Identity Theft Resource Center has tracked security breaches since 2005. They estimate that 1,055,228,349 unique records containing personal identifying information have been compromised in nearly 8,000 data breaches that have occurred between January 1, 2005, and November 22, 2017.

If those numbers don't grab your attention, consider that the average cost for each lost or stolen record containing sensitive and confidential information is $141, according to the Ponemon Institute's "2017 Cost of Data Breach Study." That cost jumps for businesses in financial services ($245) and healthcare ($380). Those dollar amounts do not include the cost of notifying affected parties. They also don't account for damage to your reputation.

Are your company's pockets deep enough to weather that financial storm? Even if they are, wouldn't you rather spend that money on marketing your products and services, new R&D, or business expansion?

The notion that a business is too small to be a target of hackers or cyber criminals is simply not true. The bad guys are more sophisticated than ever, relying on artificial intelligence, bots, and other advanced methods to gain access to networks and data. Unfortunately, too many companies still choose to roll the dice, hoping they don't get hit or persist in the mindset that "it can't happen to me." That's an irresponsible position to take for any organization, of any size, let alone for one that holds sensitive consumer information.

What can a small business or a startup do to lessen the chance it becomes a cybercrime victim? Here are three commonsense steps that any business can take.

  1. Train Your Team: Whether you employ three people or 3,000, every one of them is a potential security risk. Human error continues to be the primary issue in most data breaches. Companies need to take extra precautions to assure they are practicing safe cybersecurity hygiene. It starts with training everyone in the organization on the security best practices that reduce online risks. But cybersecurity training can't be a one-and-done activity, or something that's only relevant to the IT department. Just like a fire drill, it needs to be a regular regimen, a refresher course for everyone in your organization.
  2. Assess Your Risk: Customer data, employee records, financial, legal, trade secrets, and other highly confidential information are the lifeblood of your company. When was the last time you conducted an inventory of all your data? Do you treat all data the same way, whether it's confidential (financials, employee records, contracts, trade secrets) or nonsensitive (sales brochures, marketing materials)? Most importantly, what security measures do you have in place to protect this data? In the event of a breach, what contingency plans do you have in place for business continuity and disaster recovery so that your company continues to function? Finally, are there plans in place to remediate the breach as quickly as possible and to notify customers and other affected parties?
  3. Ask for Help: Even if you've made a strong commitment to security, your responsibilities as a business owner or entrepreneur may keep you from devoting enough time to the task. That's especially true if you're managing the business's technology while running the business. If you have tech professionals on staff, encourage them to stay current with training and industry certifications. Certified tech pros are better equipped to spot problems before they happen and to stop breaches and intrusions quickly if they do happen. If you don't have IT personnel on staff, consider partnering with a technology company. There are many options available for pay-as-you-go technology services, and many reasons (reduced cost, predictable pricing, peace of mind) why businesses, small and large, choose to turn over some or all of their technology functions to a partner.

The tech industry is doing everything it can to provide products and services to combat cyberthreats as they emerge. But the best security technology products and the most comprehensive policies and processes will only work if companies are willing to use these tools and enforce the best practices to reduce their cybersecurity risk.

Related Content:

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.