Cybersecurity: Are You Doing Enough?
You’ve seen the headlines: cybersecurity breach at big-name company, data of millions of users stolen. But what doesn’t often make the front page is that cybercriminals are increasingly targeting smaller organizations.
According to Verizon’s 2018 Data Breach Investigations Report (DBIR), 58% of the breach victims it analyzed were small businesses. As Symantec reveals in its 2019 Internet Security Threat Report, employees at smaller companies are more likely to have digital threats land in their email inbox—including spam, phishing and malware—than workers at large organizations.
These alarming cybersecurity trends aren’t lost on small and midsize business (SMB) owners. The AppRiver Cyberthreat Index for Business Survey, based on data collected in January 2019, found that 58% of SMB executives fear a major data breach more than a traditional disaster, such as a flood, fire or physical office break-in.
This isn’t surprising considering the fallout from a cyber attack can be devastating. In addition to the financial impact, companies stand to lose customer trust, which can be irrecoverable.
What are cybersecurity best practices that every business can follow? What do SMBs, in particular, need to know to stay secure? I chatted with Rob Tate, Senior Application Security Manager at 8x8, to get his take on top cybersecurity threats facing SMBs and what every company should do to protect itself.
Michelle Fitzsimmons: What makes SMBs vulnerable to cyber attacks?
Rob Tate: When you look at breaches by the number of incidents, you see that most happen as a result of having a website. In addition to vulnerabilities in the web application itself, businesses have plenty of security holes in their server configurations and other resources that are tied to their domain name. If an attacker wants to go after example.com, they will also look for mail.example.com or other subdomains, which are sometimes forgotten and unpatched. For SMBs, it’s usually less of an issue of unknown servers and more of an issue of not spending the resources to test and secure the services they offer online.
Michelle: Is there an industry or sector that is especially vulnerable?
Rob: There are different reasons why different businesses are targeted. Unlike large corporations, which are often targeted for espionage, political reasons (“hacktivism”) and financial reasons, SMBs are usually targeted for purely financial reasons. Customer data—such as health information, financial information or even usernames—can be sold for a tidy profit. The truth is that every organization is vulnerable in some way. Every business should perform a risk assessment to understand what they need to defend against in order to reduce their risk as much as possible.
Michelle: Cyber attacks cost SMBs an average of $2.235 million in 2017, according to the Ponemon Institute. What are other visible costs and some hidden costs that SMBs can experience if they are hacked?
Rob: In many cases, security events at SMBs come as a shock. Teams are not prepared with solid incident response plans, so right away there are high costs to hire a consultant to help with forensics to see what happened and how bad the attack was. Then SMBs often need help to work through legal issues, notify customers, work with law enforcement and take appropriate actions to close remaining vulnerabilities. If the business operates within a highly regulated space, like financial transactions or health care information, the company may also need to consider the cost of lost business due to losing compliance or certification.
Michelle: Wow, that’s a lot for any business to absorb.
Rob: For large companies, the fines and penalties for lax security after an event are easier to pay. Their main concern is the loss of customer trust. For SMBs the reputation damage is also critical, but the fines and penalties can be quite high relative to the size of the business. Every business should try to operate with an understanding of their legal and financial risks. Security risks should factor in as potential high-impact events that can change the course of the business.
Michelle: Is cybersecurity a high enough priority for most SMBs? If not, should it be?
Rob: This is a great question and a very hard one to answer for all businesses. Nearly all SMBs don’t do enough to understand their specific risk to make appropriate decisions on how to protect their business. In some cases, an SMB might have a high appetite for risk, and the resources might be better spent on kickstarting a huge growth spurt. But without accurately weighing the risk, most SMBs are focusing less on security than they should.
Michelle: Alright, so we’ve discussed the threat that cyber attacks pose to SMBs. What are some cybersecurity tips that SMBs can follow?
Rob: First, I would do a risk analysis to understand where to focus security efforts. Then, based on the results, most SMBs should focus on three main areas:
- Internet Security: Understand what can be reached from the internet and lock it down. Solutions like firewalls help you close unneeded ports and monitor traffic, but don’t neglect your application security. For that, the best place to start is the Open Web Application Security Project (OWASP), which periodically publishes a list of the top 10 weaknesses in web applications. Then consider dynamic and static analysis testing for your web applications and mobile applications. Remember that your applications probably have the permissions needed to retrieve and modify most of your company’s most critical data, so a successful attack on your applications can be a goldmine for an attacker.
- Employee Training: Train and retrain your employees on phishing attack identification, password security and physical office security practices like USB safety and not letting strangers follow them through security doors. Monitor for these kinds of attacks and weaknesses, and even perform your own test attacks to see who clicks the evil link in a phishing email.
- Network/Endpoint Security: This is the classic view of information security, with a strong perimeter and anti-malware on each system in your network. While today’s businesses are highly connected and can seldom rely on a perimeter anymore, you cannot ignore the benefits of turning away thousands of inquisitive internet probes. Malware takes many forms these days, so make sure your solution is complete and updated regularly. One infected laptop can have a destructive effect on your entire network.
Michelle: Great tips, Rob. Thanks for your time.
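Rob’s first tip points at the OWASP Top 10, and injection has sat at or near the top of that list for years. The block below is an added illustration, written for this article and not code from 8x8 or from Rob, of what a dynamic test against a login form looks for: a query built by string formatting beside the parameterized version, and a small probe that submits a few classic payloads to each. The database, the two users and the payload list are all constructed for the example; the function names are hypothetical.

```python
"""
Added example (not from the original article or from 8x8): a login query
vulnerable to SQL injection next to its hardened form, plus a miniature
dynamic test that tries classic payloads against both.  All data is
constructed: an in-memory SQLite table with two hypothetical users.
"""
import hashlib
import hmac
import sqlite3


def pw_hash(password: str) -> str:
    # SHA-256 keeps the example stdlib-only; a real service uses a slow,
    # salted KDF such as bcrypt, scrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, pw_hash(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # VULNERABLE: the username is pasted into the SQL text, so a single quote
    # in attacker-controlled input ends the literal and the rest becomes SQL.
    # The password is hashed before it reaches the query, so the weak spot
    # is the username alone.
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash(password)))
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # HARDENED: the driver binds the username as a parameter, so its content
    # is data and never parsed as SQL.  The hash comparison is constant-time.
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Compare against a dummy hash so unknown users cost the same time.
        hmac.compare_digest(pw_hash(""), pw_hash(password))
        return False
    return hmac.compare_digest(row[0], pw_hash(password))


# Constructed payloads a dynamic scanner would submit through the username field.
# The third one does NOT bypass the vulnerable query: AND binds tighter than OR,
# so the password check still applies to it.
PAYLOADS = ("alice' --", "' OR 1=1 --", "' OR '1'='1")


def injection_probe(conn: sqlite3.Connection, login_fn) -> list:
    """Return the payloads that log in with a deliberately wrong password."""
    bypassed = []
    for payload in PAYLOADS:
        if login_fn(conn, payload, "definitely-not-the-password"):
            bypassed.append(payload)
    return bypassed


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query bypassed by:", injection_probe(db, login_vulnerable))
    print("hardened query bypassed by:  ", injection_probe(db, login_hardened))
```

The first payload closes the quoted username and comments out the password check with `--`, so the vulnerable query logs the attacker in as alice with any password; the parameterized query treats the same text as a username that does not exist. A real dynamic scanner does the same thing at scale over every input of every form, which is why it is worth running before an attacker does.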
Protect Your Customers and Your Business
At 8x8, we take protecting customer data as seriously as you do. That’s why we maintain data security certifications and attestations—including HIPAA, FISMA and ISO 27001—that meet or exceed the requirements of government and industry agencies around the world. To learn more about 8x8’s security and compliance standards, see 8x8’s security and compliance page.