Small and medium-sized businesses (SMBs) seem to be in the crosshairs of many different security-focused hunters: the number of attacks that target businesses with fewer than 250 employees has been growing over the past few years, and attackers aren't the only ones to zero in on this demographic. Following the attackers come vendors pitching solutions, and finally regulators, lawmakers, and big business mandating compliance items.
The heading isn't referring to the retail superstore; I'm talking about small tech shops, medical practices, and mom-and-pop shops with software and hardware that lets them conduct business. Most of these small businesses probably have a small, and probably overloaded, IT team at best, if they have one at all. Keeping business running and money flowing is priority number one, while security may be a roadmap item, an afterthought, or an oversight. Cost-lowering solutions, such as mobile BYOD, are attractive because they promise productivity savings, but they may actually increase security risk. These targets are ripe for the picking for malware purveyors, spam tricksters, and social engineering swindlers. Here are a few scenarios:
- Your staff may not be savvy enough to anticipate an attack or assess the risk until it’s too late
- Your staff may not be knowledgeable enough to spot, detect, or deter an attack
- Your staff may be at the mercy of a vendor solution that they don't understand or whose inner workings they are not privy to
...all leading to an unfortunate niche profit center for the baddies.
Consumers are getting more in tune with security and privacy after being inundated with exposure to the issue, and are reporting violations at an increasing rate. Regulators and lawmakers are taking notice and attempting to add their oversight to the problem, while vendors see the trend and try to "add value" by swooping in with the promise of easily brushing away complex and confusing issues. There is money to be made, but unfortunately it seems to be made by everyone except the business itself! Sometimes regulatory compliance is an "absolute must" to continue doing business, and is planned and budgeted into the costs of doing business. More and more, though, businesses are stepping back and treating it much like insurance for an event that arguably may never happen: doing what they can with what they have, and opting to fall short of the letter of the law, if not the spirit of it.
Set to Stun
While this may come as a shock coming from an employee of an education company, one of the best pieces of advice I've heard is that user education is key (it's why I do what I do!). If all the users, regardless of role, are increasingly aware of the issues, the risks, and the best courses of action to take, the business as a whole will assume less risk and, at the very least, be able to recognize when something is out of the ordinary, seems phishy, or has failed catastrophically. There are plenty of stories of a business that was infiltrated and had attackers siphoning off data for months or years without anyone knowing. Avoiding such a stigma (and the fines and reputational damage associated with it) could be as simple as detecting anomalies in the system, whether while it is up and running or while it is being designed, implemented, and deployed. As one of my favorite cartoons reminded us every week, "knowing is half the battle"!
References:
- http://www.darkreading.com/smb/small-business-big-target/240156725
- http://www.darkreading.com/smb/3-steps-for-smbs-to-tame-their-mobile-th/240157651
- http://www.darkreading.com/compliance/ignoring-compliance-is-a-real-option/240157262