A recent survey completed on behalf of The Hartford shows that small businesses in general still don't do much in terms of information security and privacy. There is still an "It won't happen to us" mentality in the small business community. This is despite evidence from sources such as the Verizon Data Breach Report showing that small businesses are increasingly being targeted in cyberspace.
Here are three reasons why small businesses are often targeted.
They Are Easy Targets - With minimal security in place, breaking in is easy. Most crime is about opportunity. If you make that opportunity low risk and not difficult, you've written an open invitation to be hacked. Regardless of whether you think you have anything of value, I guarantee you do. The simple processing power of your computers is of value to a botnet.
Little Chance of Being Caught - Without proper security in place, there is little to monitor or evaluate to determine whether a breach has occurred. Look at it this way. A barn in the country with no telephone lines, no lights, and no electricity for an alarm system would be a low-risk target for those worried about being caught. If attackers know you're not monitoring for suspicious activity, they become very interested. And if they are successful but nothing changes, they'll be back. Over and over and over and over again.
You Have What They Want - Sensitive customer information such as names, ages, birthdates, social security numbers, account numbers, credit card numbers, and medical histories is typical fodder for data thieves. But wait, there's more. Private company information such as salaries, customer lists, intellectual property, R&D documents, and source code is just as popular. Even if you have none of this, hackers still need one thing you do have. Computers. They need your processing power and internet bandwidth to sustain their hacker networks. They can take control of your systems and use them whenever they want.
What should small businesses do then? The first step is to implement basic security practices. Talk to your IT providers, use free government resources, have a conversation with a security consultant, listen to a webinar. Taking the first step is key. Knowledge is power. You may find that reducing your risk to a more acceptable level is a lot less expensive than you think. Being unprepared for and unable to thwart a cyber attack could cost you your business. Doesn't that justify at least an hour of your time?
It's official. We are at war again. Cyber war. On Friday the NY Times broke the story that Presidents Bush and Obama developed and unleashed the Stuxnet worm to cripple the Iranian nuclear facilities. This is the first time in US history that the government has publicly accepted responsibility for a cyber-attack. This is a game changer. Much like the use of the A-bomb in World War II, it signals a new frontier in combat. A new arms race, if you will.
Should the US utilize any and all efforts to protect our citizens, our national interests, and our economic vitality? Absolutely. Are offensive or preemptive attacks a necessary military strategy? Yes. However, we have opened a door that cannot be closed.
In traditional warfare, there is a huge cost in the development and deployment of weapons and the personnel to use them. The US has been able to use our robust economy (compared to the rest of the world) to crush almost any opposition. Opponents simply could not design, manufacture, and transport enough weapons to keep pace with the US.
Not anymore. Cyber war is unlike anything we've ever faced. The weapons are cheap desktops and laptops, some rented server and storage space, and a broadband internet connection. One could launch a crippling attack with "weapon" costs clearly under $5,000. What country, terror organization, or crime syndicate can't scrape together $5,000 for computers? We are at something of a disadvantage when a war is fought with weapons that are cheap.
We also have a lot more at stake in this game than many of our enemies. Who in the world has more critical infrastructure to protect than us? Who has more to lose from corporate espionage than US companies? Who has more to lose from a crippled economy than US investors? It's easy to fight a war when your side has very little to lose.
The face of information security has changed forever. There is no organization that is safe. Every business, small and large, every non-profit organization, every social media site, everything is now a target. If corporate executives thought information security was costly before, they haven't seen anything yet. The vulnerabilities and threats are increasing exponentially, which means risk is increasing as well. The question used to be "Can we afford to improve information security practices?" The question will become "Can we afford not to?"
I firmly believe in our ability to fight this war and be successful. The difference is there will be no end to this war. The president has said he may use a physical response to a cyber-attack. Only time will tell if this would truly be carried out. Only history will tell if it would be prudent.
In my role as a business owner and information security consultant, I talk to a lot of people. Some of these people are business owners or leaders like me. Others are security or IT professionals. There is one common theme that I see frequently. Outside of the Fortune 500 circle (and even inside it at times), there seems to be a lack of clarity on IT risk management in the company.
From my CEO peers I hear, "I can't believe (fill in manager name here) made that decision. Didn't (he/she) understand the risk and what was at stake?" What I hear from this comment is that there may be a communication issue if operational management is making business decisions that "shock" the CEO. Perhaps the manager isn't fully aware of the risk that is seen by the CEO. My question becomes: why? A good risk management process works to identify, communicate, and mitigate risk within an organization. CEOs who are "shocked" by risky decisions should really evaluate their risk management programs to make sure the people they entrust daily decision-making to have the proper information to make good decisions.
On the flip side, I hear my IT and security peers say things like, "My CEO read my report, couldn't see the risk, and chose to ignore my recommendation." What I hear in this is that the individual failed to make a compelling case as to why the risk was so great that it shouldn't be ignored. The CEO read the report, considered the risk, and made a decision. While the decision wasn't what the individual had hoped for, it wasn't ignored. The recommendation was considered, but the CEO chose not to follow it.
What this tells me is there is a disconnect between business leaders and their operational management or IT and security management. When the two groups aren't on the same page from a risk perspective, bad things happen. CEOs must communicate what they are worried about to their teams if they expect those teams to help them manage risk. And operational teams must find ways to explain risks they discover in terms their CEO will understand and appreciate. Until both teams are working together to identify, communicate and mitigate risk, the bad guys will continue to have big victories.