In 2017, the Ponemon Institute published its second annual research report on the “State of Cybersecurity in Small & Medium-Sized Businesses.” In this post we will highlight several of the top trends reported and other related findings. Then we will cover some simple and cost-effective measures that can limit the severity of cyber-attacks against your business.
1. The most prevalent attacks against small businesses are phishing/social engineering and web-based attacks.
We all know it’s prudent and best industry practice to educate users and promote awareness of cyber threats in your environment. However, if we’re honest about it, cyber awareness is not the most stimulating material for employees to absorb, and few of them will subsequently become gurus on how to thwart cyber-attacks. The truth of the matter is that it may not be the best for morale, but is there really a strong business case for accessing social media sites in the workplace? Moreover, organizations often focus very heavily on technical solutions for an administrative problem. Put another way, the introduction of consequences is another option for dealing with employees’ lack of interest in protecting company assets and data. Yes, mistakes happen, and attacks are becoming more targeted and sophisticated, but a good mix of education, pragmatism and accountability could be more effective.
2. Businesses are losing more records in a data breach.
According to Ponemon, companies represented in their research lost an average of more than 9,350 records as a result of data breaches. Respondents indicated that the top root cause of data breaches was negligent employees or contractors, followed by third-party mistakes. This is an area where establishing strong information security policies, procedures and guidelines on the handling and protection of sensitive company data and personally identifiable information is vital to an organization. Instituting an information security policy is best business practice, and it’s an organization’s primary means of conveying management’s formal declaration of security goals and objectives.
3. Password policies are still not strictly enforced. Of the companies that have a password policy (43 percent of respondents), 68 percent of respondents say they do not strictly enforce it or are unsure. However, more SMBs are requiring employees to use a password or biometric to secure access to mobile devices, an increase from 42 percent of respondents to 51 percent of respondents.
This is something that can be addressed with security policy, but the policy is only as good as the folks responsible for enforcing it. Additionally, two-factor authentication, through the use of strong passwords combined with security tokens, provides the highest level of security. If security tokens are not an option, then passphrases would be sufficient. Using strong authentication to protect access to accounts, and to ensure only those with permission can access them, is strongly encouraged.
4. The rise of ransomware is affecting SMBs.
Ransomware attacks are down from 2016 but are still a threat. The average ransom was $2,157, and 60 percent of respondents say their companies paid. Those that did not pay were able to refuse because they had full backups. Backing up data is the best way to ensure your organization can bounce back from a significant disruption or loss of data. This can be done either in the cloud or via separate hard-drive storage. Now more than ever, as threats evolve, making electronic copies of information on a regular basis is key.