[BreachExchange] Realistic Cybersecurity for Small- and Mid-Sized Enterprises

Inga Goddijn inga at riskbasedsecurity.com
Tue Oct 17 15:44:46 EDT 2017 

http://www.brinknews.com/realistic-cybersecurity-for-small-and-mid-sized-enterprises/

In June of this year, a data analytics firm working for the Republican
National Committee left databases of 198 million U.S. citizen voter files
exposed to the Internet without security, making the RNC susceptible to
theft by cyber criminals for 10 to 14 days. Following the incident, the RNC
suspended its relationship with the third-party firm.

Reading the headlines, it’s no surprise that cyber threats are on the
increase and attacks are becoming increasingly sophisticated. While a
breach may be a setback for a multinational, a cyberattack could be
devastating for small- and mid-sized enterprises. The loss of critical
business information, such as coveted trade secrets, or exposure of
confidential customer information, like in the RNC breach, could easily put
a small company out of business.

For many SMEs, there isn’t a sense of urgency about the threat. Many
executives believe that attackers are more interested in targeting larger
multinationals, rich with bounties of personally identifiable information
and higher-value corporate data, such as innovative research and trade
secrets. However, a recent study
<https://www.juniperresearch.com/document-library/white-papers/cybercrime-the-internet-of-threats-2017>
suggests that 61 percent of 2017 data breach victims (thus far) have been
businesses with fewer than 1,000 employees.

Regardless of size, every company faces similar threats, and SMEs may
actually be prime targets for a variety of reasons. A small retail company
may be targeted due to the credit card data it possesses. Or, a small
company that is part of a larger value chain can be viewed as easier prey
to get into the backdoor of a multinational—as was the case of a major
retailer
<https://www.wsj.com/articles/target-breach-began-with-contractor8217s-electronic-billing-link-1391731112>
in which attackers entered the network via a heating vendor’s credentials
to an electronic billing link. Smaller companies may also be hit with a
malicious software—malware—attack and have their systems turned into
“zombie computers,” which can be used in larger attacks. Ransomware
attackers also target smaller organizations, many of which will pay the
ransom due to not having established protocols for data backups.

The risks are high, yet SMEs still fall short when it comes to
cybersecurity. The 2016 State of SMB Cybersecurity
<https://www.ponemon.org/blog/smbs-are-vulnerable-to-cyber-attacks> study
suggests that only 14 percent of small businesses rate their ability to
mitigate cyber risks as highly effective. Why not be more proactive? For
many SMEs, the costs can edge out to other priorities. Others find leading
guidance—such as the ISO 27001
<https://www.iso.org/isoiec-27001-information-security.html> information
security management system or the Cybersecurity Framework
<https://www.nist.gov/cyberframework> issued by the National Institute of
Standards and Technology—is too technical or daunting to implement.

Small- and mid-sized enterprises must address ‘people, processes and
technology’ for effective cybersecurity.

Many multinationals recognize the importance of robust cybersecurity among
companies in their value chains. The Cyber Readiness Institute
<https://www.cyberreadinessinstitute.org/> was recently launched with a
specific focus on “developing cyber risk management content and tools to
help small and medium-sized businesses, in order to secure global value
chains.”

Ultimately, however, it is incumbent on small- and mid-sized enterprises to
address the “people, processes and technology” required for effective
cybersecurity.

*People:* As many reports
<https://www-01.ibm.com/marketing/iwm/dre/signup?source=ibm-WW_Security_Services&S_PKG=ov47123&S_TACT=000000NJ&&S_OFF_CD=10000254>
suggest, insiders represent the greatest threat for sparking cyber
breaches. It’s not always intentional—many are tricked into downloading
malware by clicking on a link in an email; in other cases, the employee may
be using weak passwords or the same ones across many systems. Here are some
ways to improve cybersecurity among insiders:

   - Train employees, contractors and others on cyber threats and
   communicate about the role they play in keeping the network secure. All
   should be vigilant in ensuring that the links they click on in emails and
   on websites are legitimate, employ strong passwords, and avoid public Wi-Fi
   networks. Pop-up warnings can also be used to provide real-time messages to
   users when they engage in computer or network behavior that raises risks.
   - Understand who poses the greatest threat to confidential corporate
   assets—including senior executives, contractors, vendors and others—and
   ensure there are processes in place to address potential security risks
   (e.g., access control, monitoring of large data downloads, etc.).

*Processes:* Many companies have policies in place, yet they aren’t
effective unless there are business processes to support adherence.
Processes could include:

   - Develop policies and associated practices and procedures specific to
   data security.
   - Include data security in on-boarding and off-boarding of employees.
   When an employee starts at a company, they should be made aware of expected
   protocols around protecting confidential data and receive training to avoid
   common cyber “traps.” When departing, employee or contractor credentials
   should be inactivated and access denied to all systems.
   - Prepare—every company should have a business continuity and incidence
   response plan in the event that systems are compromised. This includes
   system and data backups, communication plans, and cross-functional
   collaboration.
   - Enforce strong standards for user identities and passwords.

*Technology:* The National Institute of Standards and Technology offers a
helpful cybersecurity guide
<http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf> for small-
and mid-sized enterprises, which aligns to the categories in the NIST
Framework. A few actions that all companies can take:

   - Automatically apply software security patches to help avoid missing an
   important update. Also keep security and all other software current.
   - Build up technology defenses including the use of network firewalls
   and data encryption and segregated server storage for sensitive
   information. It’s also wise to block user access to untrustworthy Internet
   sites, among other actions.
   - Use and enforce password protection and “need to know” access to
   confidential information.
   - Collect data on all devices with network access, and ensure that all
   devices with Internet connectivity are protected from viruses and malware.

Whether a company has 10 or 1,000 employees, taking proactive steps that
engage “people, processes and technology” will go a long way to building
cyber resiliency and securing SMEs—the companies that are driving the
economy and critical to global value chains.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171017/e5e389fb/attachment.html>

More information about the BreachExchange mailing list