Six Data Security Mis…sed-conceptions

Author: Jay Conn, chief operating officer, Netsurion

For small business owners, cybersecurity can present a bit of a conundrum. Most know they need it, but few understand it or have it adequately implemented. In fact, according to the National Small Business Association, many small firms know little or nothing about cybersecurity. The barrage of breach headlines like those surrounding Sony, Target, TJ Maxx, Anthem, JP Morgan and eBay, to name just a few, can strike fear into a small business owner’s heart. But despite that fear, their lack of understanding can also result in misconceptions about establishing effective cybersecurity strategies.

For multi-location businesses or franchises, the challenges are equally daunting if the corporate office does not provide support in the form of guidance, policies, technology and resources to help individual locations fight threats. One way to break through that conundrum and avoid common cybersecurity mistakes is to better understand these six security misconceptions vs. truths.

1.Only large organizations get hacked

It is true that the breaches at large organizations are the ones that grab the headlines. However, small businesses are more vulnerable to attack because criminals know that many of these companies do not have adequate preventative measures. In fact, in 2015, approximately 80 percent of all cyberattacks are targeted at small companies. This number is growing. The mitigation cost of an attack for a small business can be a cataclysmic event. While large businesses spend hundreds of millions of dollars digging out from the rubble of an attack, most have the resources to do it, and in time, the breach becomes but a dent in their otherwise intact superstructure. Small businesses aren’t so lucky. According to the National Cyber Security Alliance, some 60 percent of hacked small businesses go out of business within six months after an attack.

2. Most breaches come from the outside

Certainly, many breaches are due to external attacks, but according to a 2015 Ponemon survey, 69 percent of companies that reported serious data leaks noted that their data security breaches were the result of either malicious employee activities or non-malicious employee error. Translated, by far the biggest threat to a company’s data is from the inside, not outside. Insiders pose even bigger threats to small business that typically lack appropriate data handling security and oversight procedures. The insider threats may be due to malicious activities by disgruntled employees, employees seeking a quick buck or simply by accident; but no matter what, thwarting threats from the inside is as important as preventing outside attacks. 3. Hackers are individuals looking for kicks

The first generations of hackers were indeed in it for the ‘lulz,’ or laughs, but as technology has proliferated along with the financial rewards of hacking, so have the sophistication and capabilities of the hackers. Today, cybercrime costs companies more than $300 billion worldwide, and nearly all of it is due to someone trying to steal credit cards, identity information, trade secrets, etc.-- all items of significant monetary value to a hacker. Today’s hackers are all grown up and take the form of transnational organized crime rings, terrorist cells, hacking co-ops and groups and even nation-states and foreign intelligence services to name just a few. And they have the advantage because according to Marc Goodman in his book, Future Crimes, “The defender must build a perfect wall to keep out all intruders, while the offense need find only one chink in the armor through which to attack.” Make no mistake, these people are serious, they’re in it for the money, they’re organized and well funded, they’re highly skilled, and most importantly, they will find you. 4. A strong firewall is all that you need

We’ve learned from prior breach events that hackers use many different attack vectors to exploit a business and steal valuable data. It stands to reason then, that there’s not a singular, silver bullet security strategy that will effectively defend a business against all of them. A more accurate truth: security must be layered, and a properly managed firewall is one component of a strategy that includes: data encryption, proper network segmentation, passwords and access controls, software updates and anti-virus malware software, among others. Along with protecting incoming traffic and preventing access by malicious actors, it’s critically important to selectively limit outbound Internet traffic. Many recent breaches involved malicious software that, once installed on the network, allows the exfiltration of sensitive data via the Internet. A strong line of defense is making sure data doesn’t leave the network without the network admin’s knowledge, and data that does go out goes only to verified, safe Internet addresses. The same firewall that’s configured to monitor incoming traffic can be used to monitor outgoing traffic as well. 5. Anti-virus and anti-malware software are ‘fix it and forget it’ tools that, once installed, make a business safe from cyberthreats.

The reality: A 2015 GCN article citing a Lastline Labs study on the effectiveness of antivirus scanners says, “Much of the newly introduced malware went undetected by nearly half of the antivirus vendors. After two months, one third of the antivirus scanners still failed to detect many of the malware samples. The malware dubbed ‘least likely to be detected’ went undetected by the majority of antivirus scanners for months or was never detected at all.” Essentially, modern malware and virus technologies are undetectable until it’s too late, so relying solely on anti-virus and anti-malware software is, in a word, ineffective.

Read more: Serious Business: Cyber Security and Brand Survival

6. Small businesses must staff expensive IT professionals to properly defend against cyberthreats.

Nobody said keeping up with technology is easy or cheap, and the more pieces you add, the more requirements you put on your network management. Fortunately, this is indeed a misconception. Today, outsourcing data and network security is quite a reasonable and cost-effective solution for small businesses that don’t want to, or simply can’t, manage security themselves. The rapid pace of technological development has given rise to a new breed of outsourced solutions providers. Current solution providers pride themselves on minimally invasive solutions, rapid response times, state-of-the-art technology and cost effective delivery. Everything from software to help automate your business to hardware to help manage and secure your network can be sourced from third-party solutions providers who specialize in one or more aspects of your technology, so you don't have to. The economies of scale, expertise and remote nature of delivery can make using these providers’ solutions a much more effective and economical approach than trying to go it alone.

To sum it up, a cybersecurity posture that is supported by the business owner does not have to be instituted by a dedicated staff or department. In fact, without an IT staff, there’s less chance to develop a false sense of security and more of a need for each small business employee to understand and assume responsibility for protecting sensitive data. Companies that specialize in providing network security to small businesses are available and good at what they do and do so at a price point that works for small businesses.

In a small business environment, combating cybercrime might often feel like fighting the unbeatable foe. Hackers today are well-funded, organized criminals with vast computer labs and unlimited time to research and develop new methods and tools for attack. Businesses interested in keeping networks and data secure should be careful not to fall victim to common misconceptions and focus on simple, robust security measures that can effectively mitigate the growing problem that hackers represent. Doing so is as much of a business imperative as turning a profit.

Jay Conn serves as chief operating officer at Netsurion, a provider of data security and computer network management services for multi-location businesses. Jay is an expert on start-up and SMB technology operations, having served as an independent consultant and working in operations himself for two law firms. He has also held executive positions at Alteva, Verid and Equitrac Corporation.

Want to know more?

Why not become a CSO member and subscribe to CSO's mailing list. 

Get newsletters, updates, events and more right here

Join the CSO newsletter!

Error: Please check your email address.

Tags cybersecurityOpinionsdata securitysonyCSO AustraliacybercrimePonemon surveyTargetcyberattacksNetsurionLastline LabscyberthreatsTJ Maxx

More about CSOeBayindeedJP MorganLastlineMorganSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jay Conn

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place