[BreachExchange] Lax on security, many SMBs ripe for the picking by cyber criminals
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Oct 25 20:32:54 EDT 2016
http://thirdcertainty.com/guest-essays/lax-on-security-
many-smbs-ripe-for-the-picking-by-cyber-criminals/
Enterprises are cyber crime targets, and, as a result, big-company IT is
always “looking over their shoulder.” However, hacking is moving down
market, and small- and medium-size businesses (SMBs) are now targets as
well.
The ramifications are serious. For example, if an accountant’s unencrypted
laptop were lost or stolen, tax returns, Social Security numbers and
private information could be compromised, with disastrous consequences.
Because many small firms don’t understand how to tackle security, cyber
criminals exploit their lack of sophistication. Cost and complexity are
barriers, and risk is magnified because even one security incident can kill
an organization.
So how can SMBs answer this threat? A starting point is understanding
encryption—a foundational element of cybersecurity. While sophisticated in
use, encryption is a simple concept. As kids, we played with cryptograms:
Every letter in the alphabet was exchanged for another, requiring a key to
determine what was written. Computer encryption is essentially the same,
but with a more complicated key structure containing binary digits that
make the information useless without the correct key.
To get a better understanding of areas of risk, an SMB should conduct a
security assessment. Importantly, health care and finance companies need to
understand requirements imposed by the Health Insurance Portability and
Accountability Act (HIPAA) and the Sarbanes-Oxley (SOX) Act to meet
industrywide and government requirements for data management, including
storage, archiving, encryption and retrieval.
SMBs also must understand where sensitive data lies and how it is protected
in the process of doing business. This means taking a holistic view of
technology, creating an encryption strategy for all data—whether stored on
a server or on “endpoints” like office computers, laptops, mobile devices
or USB drives.
The Bring Your Own Device (BYOD) trend must be addressed by the assessment
and eventual security plan. The strategy also must account for security of
data in transit, including providing for the use of firewalls and virtual
private networks (VPNs).
As do enterprises, SMBs must develop plans that mandate multifactor
authentication for access to critical systems and data. Additionally, human
factors should be addressed. Training is critical, and personnel must be
taught to check and verify before providing access to data. The risk from
human error is all too real.
SMBs can execute security assessments that lead to a robust and compliant
security plan. Once an assessment is complete, a short list of solutions
providers that meet both technological and business needs can be easily
created, giving SMBs a faster path to security.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161025/d04a7f56/attachment.html>
More information about the BreachExchange
mailing list