Common small business security risks threaten your business
February 26, 2013
As professionals in the secure destruction business, we must project an image that conveys trust and expertise at all times. While we focus on the best equipment, people and processes for managing our clients’ data and/or paper, how often do we think about the public relations nightmare that a data breach of our organizations would cause? Many of my fellow destruction pros think they have no cyber-risk since their clients’ data for destruction isn’t on their network. This is true. Many destruction pros think they don’t have data that’s of any value to hackers. This is patently false.
If you are in business today and have a computer, your company is a target. If you are a business that uses online banking, you are a high value target. If you are a business that sends or receives money through ACH transfers, you are the highest value target.
Every year, small businesses are attacked by cybercriminals trying to steal data or money. Many of these criminals succeed in getting into the networks. This is because the large companies have become so well protected and monitored that, for all but the most talented hackers, it is too challenging to breach a large company and get data out before being detected and stopped.
The media may give the impression that cybercrime and hacking today are only being perpetrated on very large companies and government agencies, by super-smart hackers, using very complex methods from faraway countries. The reality is that countless organizations, large and small, fall victim every day to a hacker who downloads a free exploit from the Internet and uses it against weak security and untrained employees.
Many of these attacks start through a legitimate looking email with a malicious link embedded within it. By tricking the reader into clicking the link or downloading an attachment, a piece of software code is downloaded and executed. This malware runs wild on the host computer and may spread through local networks until every open computer is infected. These kinds of attacks are simple to defend against but do the most damage because there are so many of them. They can wipe out bank accounts through stolen credentials to online accounts. They can copy customer data such as payroll, HR and accounting information. They can prevent normal day-to-day operations of business through encrypting mission critical systems and holding them hostage until ransom is paid for the keys to decrypt the data.
There are also Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks. These involve sending traffic from one or more computers to a target, overwhelming its ability to respond. These kinds of attacks can take down your website or even your local network, preventing customers or employees from doing business with your company.
Reclamere’s data breach incident response and incident response training repeatedly demonstrate that small and mid-sized businesses have the following serious risk factors:
- Unpatched operating systems, software and firmware
- Web facing servers and devices running services that are not ever used by the business but are easy to exploit for remote access
- Running obsolete versions of software that are no longer supported with security patches by the manufacturer
- Staff using accounts with administrator privileges
- Internally hosted websites that were developed without sufficient security controls
- Untrained or poorly trained staff who fall victim to email phishing or social media exploits
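The first four risk factors above are things a small business can check for itself from a plain inventory of its machines. The script below is an added example written for this article, not Reclamere’s code or any tool it uses: it takes a constructed inventory of hosts (patch age, software version, ports listening on an Internet-facing interface, which accounts hold administrator rights and which accounts staff use for daily work) and reports each host’s matches against those risk factors. The allowlist of business services, the list of unsupported versions and the sample hosts are all assumptions constructed for the example.

```python
"""Audit a small-business host inventory against common risk factors.

Added example; the inventory and reference lists are constructed, not real.
"""
from dataclasses import dataclass

# Ports for services the business actually uses (assumed: HTTPS and SMTP).
# Anything else listening on a public interface is flagged as unused exposure.
BUSINESS_SERVICE_PORTS = {443, 25}

# (product, version) pairs the vendor no longer patches.
# Placeholder names and versions, not real end-of-life data.
UNSUPPORTED_VERSIONS = {("ExampleOS", "5.1"), ("ExampleDB", "2.0")}

# Hosts whose last patch is older than this are flagged as unpatched (assumed policy).
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Host:
    name: str
    os_name: str
    os_version: str
    days_since_patch: int
    public_listen_ports: set   # ports bound on an Internet-facing interface
    admin_users: set           # accounts in the local administrators group
    daily_users: set           # accounts staff log in with for everyday work


def audit_host(host, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Return a list of human-readable findings for one host (empty if clean)."""
    findings = []

    # Risk factor: unpatched operating systems, software and firmware
    if host.days_since_patch > max_patch_age_days:
        findings.append(f"unpatched: last patch applied {host.days_since_patch} days ago")

    # Risk factor: web-facing services the business never uses
    unused = host.public_listen_ports - BUSINESS_SERVICE_PORTS
    if unused:
        findings.append(f"unused public services listening on ports {sorted(unused)}")

    # Risk factor: obsolete software no longer receiving security patches
    if (host.os_name, host.os_version) in UNSUPPORTED_VERSIONS:
        findings.append(f"unsupported software: {host.os_name} {host.os_version}")

    # Risk factor: staff doing daily work from accounts with administrator rights
    admins_used_daily = host.admin_users & host.daily_users
    if admins_used_daily:
        findings.append(f"daily-use accounts with admin rights: {sorted(admins_used_daily)}")

    return findings


def audit_inventory(hosts):
    """Map each host name to its findings."""
    return {host.name: audit_host(host) for host in hosts}


# Constructed sample inventory: one neglected file server, one well-kept web host.
SAMPLE_HOSTS = [
    Host("file-srv", "ExampleOS", "5.1", 120, {443, 3389, 21},
         {"alice", "admin"}, {"alice", "bob"}),
    Host("web-01", "ExampleOS", "6.0", 5, {443},
         {"admin"}, {"carol"}),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_HOSTS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

In a real shop the `Host` records would be filled from whatever the business already has (a patch-management export, the output of a port scan of its own public addresses, and the members of the local administrators group on each machine); the point of the script is that the checklist above turns into a repeatable audit rather than a one-time reading.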
The bad news is that I’m certain that every person reading this article has at least one or more of these risk factors active at this very minute. The good news is that there are free and low cost ways to solve them. But the very best news of all is this: At the NAID 2013 Annual Conference in Nashville this year, I will be teaching a seminar called “Watch Your Six: Small Business Security Awareness” so that attendees leave with the solutions to these risks and others. I have to admit that, not having a military background, I was a bit confused by the title when it was first suggested. Turns out, it’s an old military expression, especially among fighter pilots. If an adversary gets “on your six” it means he’s behind you and you’re toast in a couple of seconds. For position, 12:00 is dead ahead, and 6:00 is directly behind you. The title is very appropriate because I’ve got your six. I’ve got solutions for your cyber-risks so you don’t get toasted by a cybercriminal. See you in Nashville!