Cyber-attacks are at an all-time high, and no one is safe. Instances of cyber-crime such as data thefts, cyber-espionage and DDoS attacks are now daily occurrences. Considering the spate of high profile attacks over the last two years which has included corporate giants such as Sony and government big-wigs such as NASA, it is only a matter of time before a determined hacker can breach into any network. The U.S. Cyber Command estimates about 42,000,000 cyber-attacks or probes by hackers every week. Antivirus firm Symantec estimates the direct cost of such attacks at $338 billion a year, excluding the theft of intellectual property and damage from data breaches. The combined loss mounts to well over $1 trillion when factoring in theft of intellectual property.
Impact on Small Business
Small Business may not face the same magnitude of threats that a large and visible corporation faces, but they are by no means immune to cyber-threats. Moreover, even if the magnitude of the attack is smaller, the effects can be devastating. Security major Symantec estimates that cyber attacks cost small and medium-size businesses $188,242 on average, and that two out of every three victims in this category cannot recover from such attacks, and are forced out of business within six months of the attack.
The range of cyber threats faced by small businesses include:
- Theft of databases containing personal identifiable information of their clients, which the attackers can either sell, or use themselves to commit financial frauds or identity theft.
- The attackers inserting malware to control the server, and use it to siphon off money from the small business, by payroll or other fraudulent financial transactions.
- The attackers inserting malware to siphon off trade secrets or intellectual property.
- Collateral damage of DDoS, data-theft, or other attacks, as the cyber-attacker targets another company that happen to have their data in the same cloud server.
Security major Symantec and the National Cyber Security Alliance (NCSA) estimate that 71 percent of small businesses are dependent on the internet for daily operations. Yet 83 percent of them have no formal cyber security plan, and 69 percent of them lack even an informal one. One out of every two small businesses believes that data hacks are isolated incidents that will not impact them.
Protecting against cyber-risks takes many forms. The most common ones are:
- Ensuring that the operating system and all programs have the latest patch updates.
- Covering the basics, including configuring the firewalls properly, and having strong passwords.
- Having anti malware suites in place.
- Have network monitoring systems in place.
- Gather intelligence, by analyzing organization’s logs, network traffic data, and malware found in the system.
- Enable two factor authentication.
- Encrypt sensitive and financial data.
Apart from the required combination of one or more security deployments, businesses also need to:
- Have a clear and consistency security policy in place, including mobile BYOD policy.
- Backup their data, so that a cyber attack does not wipe them out of their intellectual assets.
- Have a contingency plan in place to know how exactly to go about when a cyber attack strikes. The plan many include how to continue business opportunity from an alternate location.
- Educate employees on best practices, how to identify phishing attempts, safe mobile practices etc.
- Conduct employee background checks thoroughly to prevent chances of insider threats. A security agreement with the employees may also be in order.
There is no one size fit all approach to cyber-security. A multi-layered approach to security is any day better than depending wholly on any single security solution, but organizations need to conduct a thorough risk assessment to identify the weakness and specific threats that they face, and deploy the security measures that would best protect against such threats.
The Right Approach
Cyber security is continuously evolving and dynamic. It is not enough that the organization conducts a risk assessment, and invests in the most appropriate defenses. Cyber-criminals always refine their modus-operandi to remain one up on security. Cyber-security is an ongoing task, and the most effective security requires regular patch updates, periodic security audits, and reassessing the security deployments in place frequently to ensure that it aligns with the business practices.
A case in point is the rise in mobile virus. Cyber criminals are now increasingly targeting mobile devices, especially as the busy executive, on the move, logs in from a public or unsecured wi-fi. Symantec estimates a 58 percent increase in mobile malware from 2011 to 2012, and one out of every three mobile virus aim to steal information. Unless the cyber security policy recognizes such a threat, the heavy investment in protecting in-house systems becomes worthless.
Cyber security makes good business sense. A cyber attack, even if it leaves the organization’s infrastructure unscratched, can cause severe erosion of reputation, which would do medium to long-term damage. Most people prefer doing business with a company known for their good security practices, with the confidence that their data and systems would remain safe.