Smaller Is Not Safer

Most of the highly publicized information security breaches and cyber-attacks of the past couple of years have involved well-known companies, national governments and massive amounts of data, but small and mid-sized businesses (SMBs) should not conclude that they can fly under the radar. Cybercriminals will not leave them alone simply because they are relatively small. In fact, according to Verizon's 2012 Data Breach Investigations Report, SMBs have become a prime target for cyber criminals, and the reason is simple: SMBs have more financial resources than individuals but fewer resources to protect themselves than large enterprises. In other words, SMBs represent a low-risk, relatively high-return target for attackers.


Unfortunately, the attackers are right. Enterprise information security is complicated, and SMBs generally cannot afford dedicated security experts to safeguard their systems. Moreover, competition for scarce IT investment dollars is intense, budgets are limited, and every purchasing decision has to be carefully weighed and evaluated.

But that does not mean SMBs are defenseless. The first step is to assess the risk in your systems. According to the Verizon report, SMBs face several well-known vulnerabilities. The most straightforward to address are those involving staff and staff training. Password policies must be established and enforced, beginning with the replacement of default and shared credentials. Employees have to be trained to detect suspicious activity and recognize threats and attacks. Finally, the number of employees with administrative access to computer systems should be limited to those who truly need it, and that list should be reviewed regularly, because admin rights tend to accumulate and are rarely revoked on their own. This is low-hanging fruit for security, but the stakes are high: according to a study by Symantec and the Ponemon Institute, 2011 Cost of Data Breach Study: United States, negligent insiders are the number one cause of data breaches.
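Limiting administrative access is only useful if someone actually checks who holds it. The following script is an added example, not code from the article or from Verizon or Symantec; it reviews a directory export of accounts for least-privilege violations. The CSV layout, the sample accounts, the group names that confer admin rights, the approved-admin list and the 90-day idle threshold are all assumptions constructed for the example. It flags every account that holds admin rights without being on the approved list, and every admin account that has not logged on within the grace period.

```python
"""Least-privilege audit of administrative accounts (added example).

Reads a directory export listing each account, its group memberships and
its last logon date, and reports every account that holds administrative
rights but is not on an approved list, or that has been idle longer than
a grace period.  The export format, group names, approved list and
threshold below are assumptions made for this example.
"""
import csv
import io
from datetime import datetime

# Constructed sample directory export (not real data): one line per account.
SAMPLE_EXPORT = """\
username,groups,last_logon
alice,Domain Admins;Staff,2012-05-01
bob,Staff,2012-05-02
carol,Administrators;Staff,2011-11-15
dave,Domain Admins,2012-04-30
svc_backup,Administrators,2012-05-02
"""

# Assumed names of the groups that confer administrative rights.
ADMIN_GROUPS = {"Domain Admins", "Administrators"}
# Assumed list of accounts whose admin rights have been reviewed and approved.
APPROVED_ADMINS = {"alice", "svc_backup"}
# Assumed grace period: an admin account idle longer than this is flagged.
STALE_DAYS = 90


def parse_export(text):
    """Parse the CSV export into a list of account dicts."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"].strip(),
            "groups": {g.strip() for g in row["groups"].split(";") if g.strip()},
            "last_logon": datetime.strptime(row["last_logon"].strip(), "%Y-%m-%d").date(),
        })
    return accounts


def audit_admins(accounts, today, approved=APPROVED_ADMINS,
                 admin_groups=ADMIN_GROUPS, stale_days=STALE_DAYS):
    """Return (username, reason) findings for every account holding admin
    rights that is not on the approved list or has been idle past the
    grace period.  Accounts in no admin group are skipped."""
    findings = []
    for acct in accounts:
        if not acct["groups"] & admin_groups:
            continue  # ordinary user: nothing to review here
        if acct["username"] not in approved:
            findings.append((acct["username"], "unapproved admin"))
        if (today - acct["last_logon"]).days > stale_days:
            findings.append((acct["username"], "stale admin"))
    return findings


def audit_export(text, today_iso):
    """Convenience wrapper: parse the export and audit it as of an ISO date."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    return audit_admins(parse_export(text), today)


if __name__ == "__main__":
    for username, reason in audit_export(SAMPLE_EXPORT, "2012-05-03"):
        print(f"{username}: {reason}")
```

Run against the sample as of 2012-05-03, the audit flags carol twice (holds Administrators without approval and has been idle since November) and dave once (Domain Admins without approval); alice and svc_backup are approved and active, and bob holds no admin rights. In practice the export would come from the directory or from the local Administrators group on each machine, and the approved list would be the output of the access review the text calls for.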

Other points of vulnerability are more technical. As far as possible, companies have to guard against software vulnerabilities by keeping systems patched, which means a patch management policy that is actually followed rather than one that exists only on paper. The network perimeter must be protected against intrusion, and intrusions must be detected quickly (although even for large organizations that is often easier said than done). Finally, companies that depend on the Internet for revenue need a strategy to mitigate denial-of-service attacks.

A careful risk assessment can lead to an achievable strategy for improving your enterprise information security. The key is to develop a plan that your organization can actually implement and maintain, rather than an ambitious one that is abandoned after the first budget cycle. The effort is worth the time and cost: according to the Symantec report, data breaches cost an average of $194 per record compromised. Multiply that by the number of customer and employee records you hold, and the case for acting becomes clear.