(Post 4 of the Small Business Threats blog series)
Data breaches in government and corporate industry seem to be happening more frequently. Just in the past few years major players such as the Securities and Exchange Commission (SEC), Equifax, the U.S. Office of Personnel Management, Target, Home Depot, and even recently Deloitte, a major cybersecurity contractor serving large companies and governments, have all been victims of large data breaches. These are just a sampling of the most widely publicized incidents. There have been many more that never made the front pages of national media.
It is easy to read the news about major data breaches involving large, powerful organizations and think that malicious actors only target the big guys. Nothing could be further from the truth. Small organizations are easy targets, often because they don’t have the resources to do much to protect themselves. It is true that most small businesses normally don’t have to worry about corporate espionage, state-sponsored hacking, or private groups of ideologically driven hackers called “hacktivists”. They are, however, frequent targets of malicious actors who simply use hacking, malware, and social engineering to commit fraud, and those actors are a persistent and very real threat to individuals and small organizations.
All of these big breaches have several things in common and offer some valuable takeaways that small organizations can learn from:
Breaches can happen to anybody
- All of the above organizations have invested significantly in the security of their networks, but were breached anyway.
- Organizations having little to no functional security mechanisms in place can be devastated by security incidents.
- Everything can be valuable to a hacker. This includes payment card information, details on business partners, customers’ private information, anything you find valuable and might pay a ransom to keep, or just embarrassing information that could be used against you.
Even with big teams of cyber professionals, breaches are often not immediately discovered
- If you aren’t monitoring your networks and looking for breaches, you’ll likely never know they happened.
- Hackers most often do not operate like terrorists. In other words, they are not out for fame. They want to steal and hopefully be able to return to steal again and so they prefer to remain undetected for as long as possible. Anonymity provided by the internet is one of their greatest assets and they guard it closely.
- Many “hacks” persist for months and even years. Several published hackers admit to having used their favorite compromised systems for extended periods of time because they were reliable and kept producing something of value, whether that was information, storage, or even a smoke screen. Kevin Mitnick talks about this on several occasions, with several compromises. Why would a hacker spend energy cracking one system after another if the first one is still available to him and still has value?
Breaches are very expensive
- Large corporations can often lose 20%, 30%, or more of their value due to a breach.
- The cost of recovery, penalties, fines, and mandatory consumer protection are substantial.
- Large companies with deep pockets and enough money to ride out the storm can usually recover from these events eventually.
- 60% of small businesses are out of business within 6 months following a major incident.
Large data breaches often hurt an organization’s reputation pretty badly
- Big businesses have PR funding that can spin a bad thing into a less bad thing and eventually people will forget.
- After an incident, big business will lose a percentage of their customer-base but because they are often staples of industry, they are able to maintain enough revenue to recover.
- Small businesses’ reputations are critical. They are rarely the only option for a product or service in their area, so a damaged reputation can be detrimental. Customers will simply find another small business to spend money with or go to a large company because… well, they got successful for a reason, right?
Most breaches are caused by simple human error
- Evaluation of an incident after the fact often reveals the simple missteps that led to the compromise. Many times simple human error, like a laptop being left in a car overnight and then stolen, or an employee blindly granting access to someone who shouldn’t have it, is the cause of a breach.
- Usually, relatively simple, inexpensive measures, like disk encryption, user authentication, or remote wipe features, could have prevented the breach altogether. Sometimes the offending employee should never have had access to the data, or should never have taken it out of the workplace to begin with.
- Often, systems are compromised by malware introduced to a system (see WannaCry) by the organization’s employees irresponsibly downloading files from the Internet or email.
- Giving your employees the keys to the kingdom is dangerous. Allowing them the anonymity to make executive decisions about what they will do with those keys and how well they will (or won’t) protect them is out-right asking for an incident.
- Simple training, provided regularly, backed up by policy, stringently enforced by management, and understood by employees could have been enough to stop many major incidents, had the individuals remembered their training and done what was expected of them.
Small businesses are uniquely vulnerable
Most of what we know about the frequency of security incidents is based on what is reported to researchers and incident response organizations. If an organization that is well equipped to detect incidents fails to recognize one for months or years, how is an organization that is not equipped to identify them at all expected to do so? Most cybersecurity professionals would agree that there is a tremendous number of unknown, and therefore unreported, breaches every year.
Small businesses and individuals who do not have the budgets and resources available to governments and large corporations are particularly vulnerable to security incidents such as data breaches and devastating malware. Many of them put little effort into planning and managing the security of the information they keep and the systems they depend on for daily tasks. Even more dangerous is that many have little understanding of the most basic security concepts needed to protect information and IT.