In June 2007, Pfizer Inc. announced that the identities of 17,000
current and former employees were compromised when an employee’s spouse
installed unauthorized file-sharing software on a company laptop. Names and
Social Security numbers were exposed, accessed and copied. The company offered
their current and former employees one free year of credit monitoring. Tired of
the negative press caused from data breaches, large companies have vastly
improved their data security, forcing cyber criminals to move down market.
Mike Spinney |
Lack of resources
The small to mid-sized business (SMB) is more vulnerable to cyber
attacks due to their lack of resources. While there are exceptions, generally,
the average SMB does not have the capital to hire a chief security officer to
oversee cyber security or to even buy the latest industrial strength anti-virus
software. Cyber criminals in the United States and overseas are aware of this
predicament and feel as if they can operate with impunity in the SMB
environment.
“One of the biggest mistakes a company can make is not being
prepared,” Blake McConnell, senior director of product management, SMB
security solutions, Symantec Inc., told O&P Business News.
“Now more than ever, cyber criminals are taking advantage of inadequately
protected SMBs and their unsuspecting employees by launching attacks that give
them unauthorized access to confidential information that they then use for
financial gain.”
Of the 500 companies surveyed, 275, 55%, experienced a fraud attack in the past year. Of that 275, 58% involved online banking; 87% did not fully recover assets; and 26% were not compensated at all. |
|
Source: Guardian Analytics and the Ponemon Institute © 2010 iStockphoto.com/Andrei Tchernov |
Also stacked up against the SMB, is law enforcement’s limited
number of resources to offer for cyber attacks. According to Mike Spinney,
senior privacy analyst, at the Ponemon Institute, a research organization that
focuses on information privacy and security, cyber attacks are not high on law
enforcement’s priority list.
“The FBI, for example, is not going to dedicate their resources on
cyber crime unless the event crosses a certain [monetary] threshold,”
Spinney explained. “If they are attacking a larger organization, they may
cross that threshold and it could trigger the attention of law enforcement. But
if they operate in the SMB environment, chances are they are going to grab
smaller amounts of money and fly under the radar.”
Low-budget alternatives
One of the greatest threats to information in a health care facility can
be the company’s own personnel. Breaches are commonly caused by careless
behavior among personnel, as opposed to malicious acts, which are statistically
less likely. McConnell recommends implementing a security awareness program
with training and guidelines to enable employees to carefully consider the
security implications of their online behavior.
“Require your employees to use passwords that mix letters and
numbers — not names or dictionary words — and change them
often,” McConnell said. “Educate employees not to use file sharing
programs or download free programs from the Internet.”
Spinney agrees that peer-to-peer software opens a gaping hole in the
security measures that you have in place.
“Whoever is on the other end, has unfettered access to the
information on your computer,” Spinney said.
Policies and education need to be coupled with an integrated solution to
protect information wherever it is accessed, McConnell said. SMBs should
incorporate an integrated security suite solution that will prevent virus
infection, block intruders, protect privacy and stop malicious programs. There
are high quality software security vendors that offer free security to
download. This free downloadable security does not have the strength as some
high end software, but it is better than leaving your company out there with no
protection.
Blake McConnell |
“There are companies that have tools for the sole proprietor or a
small company with a small number of employees,” Spinney said. “There
are free or low cost resources available.”
Encryption for all devices
Data encrypting vital and private data is a must for all businesses.
Today, more SMBs are becoming mobile. The information stored on a
company’s mobile device is the company’s most important asset.
“If the device is lost or the SIM card is stolen, the thief will
not be able to access the data if the proper encryption technology is loaded on
the device,” McConnell said. “In addition, mobile devices —
similar to desktops and laptops — should be password protected.”
From the experts
“Clearly, there is an aggressive criminal element out there,”
Spinney said.
There has been plenty of coverage on identity theft through the years
and there is no denying that there is a tremendous growth and pace to the
creation of malware. One of the more under-reported aspects regarding data
breaches according to McConnell is that SMB’s bank accounts are not
protected in the same way as the average consumer.
“If a cyber criminal steals a SMB’s financial information and
wipes out their bank account, they are on the hook for that money more so than
the average consumer,” McConnell said. “Banks do not reimburse all of
your losses and this could mean financial ruin for the SMB.”
A recent study conducted by the Ponemon Institute and Guardian
Analytics, illustrates McConnell’s concern. The study found that of the
500 SMBs surveyed, 55% experienced a fraud attack in the past year. Fifty-eight
percent of those incidents involved online banking. Of those companies that
experienced online fraud, 87% failed to fully recover their lost funds, while
26% were not compensated for any part of their losses.
Change the approach
There is a mindset within the SMB community that their businesses are
too small to worry about cyber criminals. This is a mindset driven by the
headline-grabbing data breaches of the big retailers or large corporations. The
only way to change this attitude is to educate and help your employees
understand what types of threats are out there and how to prevent them from
happening to your company. Train your staff to perform basic backup tasks and
test these backups periodically to ensure their safety.
“Start out with education, be aware of the things that you do that
may put your company at risk and hopefully you can change some habits,”
Spinney said. “A change in behavior could have a positive effect on
security.” — by Anthony Calabro
For more information:
Guardian Analytics. Independent study reveals banks have a new
troubled asset: their customers. Available at:
http://www.guardiananalytics.com/newsandevents/press_03092010.php.
Accessed: May 3, 2010
Initially, [I recommend small-to mid-sized businesses] set company
Internet usage policies and procedures that mandate rules and guidelines for
all employees. [Internet usage] policies should be periodically updated by the
company thereafter. Employees should stay away from Facebook, MySpace [and
other social media websites] during office hours. These websites tend to be
vulnerable programs with security and hacking issues.
— Elizabeth Carlstrom
Founder and owner of
O&P Business Solutions
The issue of small to mid-sized businesses (SMBs) being targets for cyber criminals should not be alarming. Common sense tells us that any weakness in the physical world will be exposed at some point – fault lines causing earthquakes, bad civil engineering causing traffic problems, low immune systems allowing viruses and bacteria to cause illness. We see the results of weakness all the time, yet when it is right in front of us in the business world we have a tendency to ignore it because we do not understand it. This is the case with data security. There are many easy, low or no cost solutions for personal and business applications that we should all make a priority to investigate and implement.
There is a reason the term ‘virus’ is used in the computer world – it is to remind us that computers and business are implicitly linked to our human existence. With this in mind, we need to provide the same level of diligence toward our business/data security as we would to our personal health and well being. We all pay for health insurance in the event of need. It is time to implement the same thinking about our business/data well-being.
— Paul DiMarco
Operations manager, VGM/Forbin