[BreachExchange] Small businesses increasingly in cybercriminal crosshairs

[Audrey McNeil]

http://www.csoonline.com/article/3192795/data-breach/
small-businesses-increasingly-in-cybercriminal-crosshairs.html

Even if they envied the big budgets, global reach and market presence of
big corporations, small business operators could console themselves with at
least one silver lining: compared to their big brethren, small- to
medium-sized businesses (SMBs) once drew relatively little attention from
online hackers and cybercriminals. SMBs that still think that’s the case,
however, may be in for a rude awakening.

While large corporations still represent the primary targets for many
cyberattacks, SMBs are now squarely on attackers’ radar. Why? Because even
small companies often possess extremely valuable digital data, be it
intellectual property, customer and employee information – from Social
Security and credit card numbers to user IDs and passwords – or other
highly sensitive information. Even better, from a cybercriminal’s
perspective, SMB cybersecurity defenses are often porous, if nonexistent.

Given these and other factors, it’s no surprise that SMBs are seeing spikes
in cyberattacks. For example:

- Spear phishing attacks against small businesses, which constituted just
18 percent of all such attacks in 2011, grew to 43 percent of the total in
2015, according to a report from Symantec.
In a February 2016 survey conducted by CFO Magazine, 22 percent of SMB
finance executive respondents said their organizations had experienced a
cyberattack in the prior 24 months.

- The rise of online threats clearly has SMBs on edge. Ninety-four percent
of small business owners are concerned about being targeted by
cyberattacks, according to the National Small Business Association. But
beyond being worried, what can these organizations do to limit their
exposure and risk?

As is the case for any organization, regardless of its size, cyber
protections start with comprehensive assessments of the nature, value and
vulnerabilities of their core digital assets. Until you know what you
possess and what others may want, it’s impossible to develop and deploy
security controls with any degree of confidence.

In parallel with this digital asset assessment, companies need to
proactively educate their employees about cyberrisks and security best
practices. In this regard, you don’t need to know the goal of potential
attackers so much as their likely methods. Teaching your workers about
socially engineered spear-phishing ploys and safe web browsing practices
can counter a high percentage of attacks that SMBs will likely encounter.

Beyond education and awareness, of course, SMBs can tap a large universe of
security tools and services. It’s important for SMB executives to
understand that antivirus and antimalware tools represent just a small part
of cybersecurity defenses. Fortunately, even budget-constrained SMBs with
limited in-house technical expertise can select from a growing number of
subscription-based security services.

These services – sometimes characterized with the security-as-a-service
(SECaaS) label – include everything from email spam and malware filters to
data encryption services to cloud access security brokers (CASB). In a 2016
cloud computing survey of 925 organizations of all sizes, IDG Enterprise
found that 73 percent had already adopted at least one cloud-based security
service. Among respondents with 1,000 or fewer employees, 41 percent said
they would be considering cloud security management solutions in the coming
year.

So, while SMBs may no longer be able to ignore cybersecurity risks, they at
least have a new silver lining. Today, there are plenty of effective and
affordable ways for them to mount strong cyberdefenses.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170428/25389d44/attachment.html>