“I Didn’t Know” No Longer Flies as Cybercriminals Increasingly Target SMBs

While many small business owners take measures to provide some protection for their company data, shielding critical information from malware and cyber criminals is becoming more and more difficult. According to Symantec’s 2013 Internet Security Threat Report, the largest growth in attacks was on organizations with fewer than 250 employees, a 72% increase from 2011. As a result, in addition to experiencing increased unwanted attention from hackers, many SMBs find they are being scrutinized by security regulation auditors and security-conscious clients. This exposure can be a huge problem because many small to medium-sized businesses are surprised to find they have been identified as “the path of least resistance” and are poorly defended. To send a message that security and privacy regulations apply to everyone and not just enterprise-level organizations, the US Department of Health and Human Services Office for Civil Rights has begun making examples of some small businesses that are poorly protected. Last year it fined a small doctor’s office $100,000 for HIPAA security and privacy violations and lack of compliance in protecting patient data.

Capitalizing on the fact that many SMBs have fewer resources to combat threats, hackers will use small businesses as a springboard to launch attacks against a larger organization they do business with. Attackers will use personal information, emails, and files taken from an individual at the smaller company to craft a message containing malware and aimed at someone in the target company.

One of the biggest innovations in targeted attacks on smaller businesses is what is known as a watering hole.  A cyber criminal can compromise a website with a single line of code that can infect visitors to the site.  For example, a human rights organization’s website was targeted as a watering hole that exploited a zero-day Internet Explorer flaw.  Within 24 hours people in more than 500 large organizations visited the site and ran the risk of infection.

So what can SMBs do to protect themselves, their clients and their staff from these increasing threats?

1) Train your employees to be vigilant. This seems like a no-brainer, but studies have found that in-house employees are responsible for 40% of small business security breaches. Teach staff how to create strong passwords for both personal and business accounts and to not reuse them over and over. Have them test the strength of their passwords with Microsoft.com’s password checker.

Train staff to be suspicious of emails. Threatening emails can sometimes bypass spam blockers. Assume a cyber criminal knows something personal about their target, so many phishing emails may look really familiar. When in doubt, don’t open and by all means, don’t click!

2) Install anti-virus software. A good anti-virus isn’t a silver bullet against malware, as cyber attackers are constantly designing, disguising and tweaking viruses to circumvent anti-virus protection. In many cases, though, the software can detect a large number of threats, notify users of a breach if it occurs and take steps to eradicate the malware.

3) Make sure all computers are up to date on patching. All operating systems, browsers, programs, and plug-ins for programs such as Java or Adobe need to be up to date on patches.

4) Secure the Wi-Fi network in the office. Change the password regularly and be sure to change it in the event a staff member leaves the company.  This should also apply to passwords used to access company data remotely.

5) Don’t store old data. Purge data that is no longer relevant on a regular basis.  You may not need the information anymore but it could be valuable if it fell into the wrong hands.

6) Ask an IT provider for a security & data protection audit. Ask for an evaluation of the security and data protection programs you have in place and provide information regarding regulatory compliance requirements your company needs to meet.  A good provider should be able to produce a report of any deficits found and a strategic road map to remedy the weaknesses.

For more information on solutions for running your business’s technology more efficiently, visit our website or contact Megan Meisner at mmeisner@launchpadonline.com or 813 920 0788 x210.
