There has been a noticeable trend in the type of organizations being affected by malicious cyber-activity in recent times, with more and more SMBs becoming primary targets for attack.
And the research is supporting this. The 2012 Verizon Data Breach Investigations Report (DBIR) highlights that the majority of the 855 data breaches analysed were perpetrated against smaller firms.
Despite this, many SMBs still feel they are too small to be targeted by cyber criminals. However, small organizations are by no means immune to security threats. The threat posed is a genuine one, and by overlooking it you leave your organization open to a number of risks, including data loss, downtime, decreased productivity and financial fallout, and potentially becoming the next high-profile news headline.
Smaller companies are often targeted for three reasons:
- Innovative research or intellectual property (IP)
- Partner relationships giving access to a larger company (and a larger store of IP)
- Targets of opportunity due to lax security controls
Our Incident Response team recently dealt with a customer security breach which was discovered to be caused by lax controls in place between them and a supplier contracted to support an application. The investigation revealed that access had been gained to their systems through a secure connection from a trusted third party. The attacker installed a back-door to allow them to stealthily re-enter the network and attempt to set up a botnet within the client network.
Look at Users - Education is Paramount
Often the biggest security threats to organizations, particularly in small businesses, are the people on the frontline: the staff.
The weapon of choice for the intelligent adversary at present is a spear-phishing email. This is a targeted email with highly tailored content crafted to entice the user to click a link or open an attachment. The aim is to install malware to form an access point. The user may simply have to visit a malicious website to be compromised in some way, especially in light of recent 0-day vulnerabilities in Java and Internet Explorer.
With end users becoming the main conduit of infection, educating staff on the risk of these types of attacks and other malicious tactics like social engineering must become a priority. Security reminders and awareness messages to staff need to be regular and frequent; once a year is simply not enough.
Technology is an Enabler
We often find organizations are willing to invest significant money in security technology. However, in many cases this technology has not been implemented effectively or doesn't have the necessary people and process elements in place to make the technology as effective as it could be.
In most cases small businesses don't have the luxury of throwing money at the problem and investing in expensive enterprise technical solutions. But many organizations that invest in these expensive technologies barely scratch the surface in terms of the value they derive from them. SMBs can receive higher value from the technical controls they do have by ensuring that effective security processes are in place to support them, that the information reported by technical controls is relevant, and that responses are timely. SMBs can look to gain enterprise-level protection at a lower price point through the use of appliances that provide combined functionality rather than dedicated devices for each control type.
Technology should be considered as an enabler and a strong focus should be placed on the people and processes which wrap around the technology. New technology is unlikely to help if the basics of effective security practice are not in place. It's akin to hearing the fire alarm going off but not evacuating the building.
And with effective security controls and procedures in place, organizations can better protect themselves from attack, rather than attempting to mitigate damage after the fact, which is often a magnitude more expensive to deal with.