By Greg Jensen, Senior Product Director, Oracle Security
Yahoo. Tumblr. LinkedIn. Even military organizations and political parties. It seems as if any institution, no matter how large or sophisticated, can be the target of a cyberattack.
If you think your company is safe from such tactics just because you’re small—think again. Nearly half of the cyberattacks worldwide in 2016 targeted companies with fewer than 250 employees.
Yet, despite this, SMB leaders seem to think that cybersecurity issues are mainly a problem for the big companies. An Inc. magazine study commissioned by Oracle, What's Keeping SMB Leaders Up at Night, ranked security issues near the bottom of overall concerns, with only 13.5 percent citing security as their biggest worry.
This kind of complacency can be expensive. Often, compromised information is held for ransom, released only when the SMB pays a significant price or meets specific demands that are tied to financial or political agendas. This compromised information is also used to infiltrate banking institutions, steal (and sell) customer data, hijack websites—even file for fraudulent tax refunds.
Every small to medium business needs to think about security, from protecting customer data to ensuring that employees follow proper procedures. Here are our top six tips to protect your SMB from cybersecurity threats.
The vast majority of successful security breaches happen because of human error. One of the most famous data breaches was traced back to a temporary vendor/contractor who was there to provide facility maintenance at one of the company’s retail stores. Other employee mistakes include disposing of devices without wiping the data, opening phishing e-mails, and losing laptops and mobile phones.
SMBs can reduce the number of these incidents with better training throughout the employee lifecycle—from onboarding of new employees, to ongoing courses for employees at all levels—even (or perhaps especially) the C-suite.
With ransomware on the rise, the best defense is to constantly back up data. That way, even if organizational data is stolen, deleted or encrypted by attackers, there is a means to restore it.
The smartest way to do this is to automate the data backup process, storing copies of documents, databases, spreadsheets, HR files, and other key files and data either in the cloud or offsite.
“Need to know” sounds like a term for clandestine spy operations—but in fact, it simply means that information should only be accessed by or shared with those who need it. Marketing and sales teams need access to customer data so that they can properly segment their campaigns; customers need access to their account- specific information; partners need to see transaction-related data.
Access control and identity management solutions can be used to automate this process, giving employees access to the specific systems that they need for their jobs, while streamlining the process of managing today’s complex hybrid cloud environments.
In addition, organizations need the ability to discover and monitor instances of "rogue IT" where employees utilize any application or service they feel they need on their computers or devices—without approval. Cloud access security brokers can be used to determine how employees are using company resources and data, and then apply reasonable policies that allow your SMB to achieve security and compliance goals.
A chain is only as strong as its weakest link, so SMBs must work to apply security technologies, policies and procedures consistently. This requires regular base-lining and assessments of on-premises and cloud environments, then ensuring that policies and procedures are consistently applied and maintained over time. Configuration and compliance monitoring enables this, and provide assurances on the company's state of readiness.
In addition to compliance, SMBs need to monitor and orchestrate real-time threats and remediate. With the influx of events that need to be processed and analyzed, too many attacks are missed. And for SMBs with limited IT resources, there are too many incidents to react to. Today’s new generation of security monitoring utilizes machine learning and advanced analytics to automatically discover hidden attacks, and provide automated remediation mechanisms that are easy for a small business to manage.
There is a segment of society that makes a living from people who use weak passwords like the word "password" or numbers like 123456. Make it a mandate for all employees: they must use unique, complex passwords that include uppercase and lowercase letters, numbers, and symbols, and they must change them every 30-45 days.
Enforcing this can be done either directly through most individual applications, or centrally managed by your identity management provider, to greatly simplify and reduce the effort for your SMB.
It’s nearly impossible to be productive today without mobile devices. Sales people rely on them when they meet with customers; more employees work from home offices; and SMB executives are on call 24/7.
The down side is that mobile devices often carry confidential company data—and can be used to access corporate networks. They need the same protections as any desktop or laptop computer.
What many companies are coming to realize is that identity is at the center of security today. The old model was to secure a mobile device via encryption software or anti-malware. The challenge is, a lost device means lost data. A compromised employee means lost data. Security must be based around the identity itself.
SMBs are now shifting to a model of retaining data on cloud-based resources or applications, accessed only through single sign-on (SSO) credentials that can be revoked or modified at any time. Access to data—and the data itself—is subject to the entitlements granted by the identity management provider. This means your data is now centrally controlled, not at the mercy of device status.
Employees may find these precautions to be a little annoying. But they are minor inconveniences when compared to the potentially expensive costs—and loss of customer confidence—that comes with a data breach.
Fortunately, security measures that were once only available to large corporations are now within reach for nearly any SMB—thanks to the cloud.
When you put your data in the cloud, you put your faith in the cloud provider’s ability to secure your financial records, customer information, personnel records and more. It’s important to recognize that not all cloud providers are created equal. Among the questions to ask:
This is one business decision that should not be made on the cheap—because when it comes to security, the cost of data held for ransom, broken trust, and lost revenue can far outweigh the monthly investment in a secure cloud.