For small business owners, cybersecurity can present a bit of a conundrum. Most know they need it, but few understand it or have it adequately implemented. In fact, according to the National Small Business Association, many small firms know little or nothing about cybersecurity. The barrage of breach headlines like those surrounding Sony, Target, TJ Maxx, Anthem, JP Morgan and eBay, to name just a few, can strike fear into a small business owner’s heart. But despite that fear, their lack of understanding can also result in misconceptions about establishing effective cybersecurity strategies.
For multi-location businesses or franchises, the challenges are equally daunting if the corporate office does not provide support in the form of guidance, policies, technology and resources to help individual locations fight threats. One way to break through that conundrum and avoid common cybersecurity mistakes is to better understand these six security misconceptions vs. truths.
1.Only large organizations get hacked
It is true that the breaches at large organizations are the ones that grab the headlines. However, small businesses are more vulnerable to attack because criminals know that many of these companies do not have adequate preventative measures. In fact, in 2015, approximately 80 percent of all cyberattacks are targeted at small companies. This number is growing. The mitigation cost of an attack for a small business can be a cataclysmic event. While large businesses spend hundreds of millions of dollars digging out from the rubble of an attack, most have the resources to do it, and in time, the breach becomes but a dent in their otherwise intact superstructure. Small businesses aren’t so lucky. According to the National Cyber Security Alliance, some 60 percent of hacked small businesses go out of business within six months after an attack.
2. Most breaches come from the outside
Certainly, many breaches are due to external attacks, but according to a 2015 Ponemon survey, 69 percent of companies that reported serious data leaks noted that their data security breaches were the result of either malicious employee activities or non-malicious employee error. Translated, by far the biggest threat to a company’s data is from the inside, not outside. Insiders pose even bigger threats to small business that typically lack appropriate data handling security and oversight procedures. The insider threats may be due to malicious activities by disgruntled employees, employees seeking a quick buck or simply by accident; but no matter what, thwarting threats from the inside is as important as preventing outside attacks. 3. Hackers are individuals looking for kicks
The first generations of hackers were indeed in it for the ‘lulz,’ or laughs, but as technology has proliferated along with the financial rewards of hacking, so have the sophistication and capabilities of the hackers. Today, cybercrime costs companies more than $300 billion worldwide, and nearly all of it is due to someone trying to steal credit cards, identity information, trade secrets, etc.-- all items of significant monetary value to a hacker. Today’s hackers are all grown up and take the form of transnational organized crime rings, terrorist cells, hacking co-ops and groups and even nation-states and foreign intelligence services to name just a few. And they have the advantage because according to Marc Goodman in his book, Future Crimes, “The defender must build a perfect wall to keep out all intruders, while the offense need find only one chink in the armor through which to attack.” Make no mistake, these people are serious, they’re in it for the money, they’re organized and well funded, they’re highly skilled, and most importantly, they will find you. 4. A strong firewall is all that you need
We’ve learned from prior breach events that hackers use many different attack vectors to exploit a business and steal valuable data. It stands to reason then, that there’s not a singular, silver bullet security strategy that will effectively defend a business against all of them. A more accurate truth: security must be layered, and a properly managed firewall is one component of a strategy that includes: data encryption, proper network segmentation, passwords and access controls, software updates and anti-virus malware software, among others. Along with protecting incoming traffic and preventing access by malicious actors, it’s critically important to selectively limit outbound Internet traffic. Many recent breaches involved malicious software that, once installed on the network, allows the exfiltration of sensitive data via the Internet. A strong line of defense is making sure data doesn’t leave the network without the network admin’s knowledge, and data that does go out goes only to verified, safe Internet addresses. The same firewall that’s configured to monitor incoming traffic can be used to monitor outgoing traffic as well. 5. Anti-virus and anti-malware software are ‘fix it and forget it’ tools that, once installed, make a business safe from cyberthreats.
The reality: A 2015 GCN article citing a Lastline Labs study on the effectiveness of antivirus scanners says, “Much of the newly introduced malware went undetected by nearly half of the antivirus vendors. After two months, one third of the antivirus scanners still failed to detect many of the malware samples. The malware dubbed ‘least likely to be detected’ went undetected by the majority of antivirus scanners for months or was never detected at all.” Essentially, modern malware and virus technologies are undetectable until it’s too late, so relying solely on anti-virus and anti-malware software is, in a word, ineffective.
6. Small businesses must staff expensive IT professionals to properly defend against cyberthreats.
Nobody said keeping up with technology is easy or cheap, and the more pieces you add, the more requirements you put on your network management. Fortunately, this is indeed a misconception. Today, outsourcing data and network security is quite a reasonable and cost-effective solution for small businesses that don’t want to, or simply can’t, manage security themselves. The rapid pace of technological development has given rise to a new breed of outsourced solutions providers. Current solution providers pride themselves on minimally invasive solutions, rapid response times, state-of-the-art technology and cost effective delivery. Everything from software to help automate your business to hardware to help manage and secure your network can be sourced from third-party solutions providers who specialize in one or more aspects of your technology, so you don't have to. The economies of scale, expertise and remote nature of delivery can make using these providers’ solutions a much more effective and economical approach than trying to go it alone.
To sum it up, a cybersecurity posture that is supported by the business owner does not have to be instituted by a dedicated staff or department. In fact, without an IT staff, there’s less chance to develop a false sense of security and more of a need for each small business employee to understand and assume responsibility for protecting sensitive data. Companies that specialize in providing network security to small businesses are available and good at what they do and do so at a price point that works for small businesses.
In a small business environment, combating cybercrime might often feel like fighting the unbeatable foe. Hackers today are well-funded, organized criminals with vast computer labs and unlimited time to research and develop new methods and tools for attack. Businesses interested in keeping networks and data secure should be careful not to fall victim to common misconceptions and focus on simple, robust security measures that can effectively mitigate the growing problem that hackers represent. Doing so is as much of a business imperative as turning a profit.
Jay Conn serves as chief operating officer at Netsurion, a provider of data security and computer network management services for multi-location businesses. Jay is an expert on start-up and SMB technology operations, having served as an independent consultant and working in operations himself for two law firms. He has also held executive positions at Alteva, Verid and Equitrac Corporation.
Want to know more?
Why not become a CSO member and subscribe to CSO's mailing list.
Get newsletters, updates, events and more right here