6 SMB Data Security Myths and Misconceptions
When it comes to data protection, big enterprises earn most of the spotlight. But cybersecurity, compliance and data protection also present a conundrum for small business owners as well.
Most know they need it, but few understand it or have it adequately set up. In fact, according to the National Small Business Association, many small firms know little or nothing about cybersecurity. The barrage of data breach headlines surrounding Sony, Target, TJ Maxx, Anthem, JP Morgan, eBay and more can strike fear into a small business owner’s heart. But their lack of understanding can also result in misconceptions about effective cybersecurity strategies.
For multi-location businesses or franchises, the challenges are equally daunting if the corporate office does not provide support in the form of guidance, policies, technology and resources to help individual locations fight threats.
One way to break through that conundrum and avoid common cybersecurity mistakes is to better understand these six security misconceptions vs. truths.
Myth 1: Only large organizations get hacked
Breaches at large organizations grab the headlines. However, small businesses are more vulnerable to attack because criminals know that many of these companies don’t have adequate preventative measures. In fact, in 2015, approximately 80 percent of cyberattacks are targeted at small companies. And the number of attacks is growing. The mitigation cost of an attack can be a cataclysmic event. While large businesses spend hundreds of millions of dollars digging out from the rubble of an attack, most have the resources to do it. In time, the enterprise breach becomes but a dent in their otherwise intact superstructure. Small businesses aren’t so lucky. According to the National Cyber Security Alliance, some 60 percent of hacked small businesses go out of business within six months after an attack.
Myth 2: Most breaches come from the outside
Many breaches are caused by external attacks, but according to a 2015 Ponemon survey, 69 percent of companies that reported serious data leaks noted their data security breaches were the result of either malicious employee activities or non-malicious employee error. Insiders pose even bigger threats to small business that typically lack appropriate data handling security and oversight procedures. Translated, by far the biggest threat to a company’s data is from the inside, not outside.
Myth 3: Hackers are individuals looking for kicks
Early hackers were in it for the lulz,’ or laughs, but as technology has proliferated alongside the financial rewards of hacking, so have the sophistication and capabilities of the hackers.
Today, cybercrime costs companies more than $300 billion worldwide, and nearly all of it’s due to someone trying to steal credit cards, identity information, trade secrets, etc.
Today’s hackers are all grown up and take the form of transnational organized crime rings, terrorist cells, hacking co-ops and groups and even nation-states and foreign intelligence services. According to Marc Goodman in Future Crimes, “The defender must build a perfect wall to keep out all intruders, while the offense need find only one chink in the armor through which to attack.” Make no mistake, these people are serious, they’re in it for the money, they’re organized and well-funded, they’re highly skilled, and they will find you.
Myth 4: A strong firewall is all that you need
Hackers use many different attack vectors to exploit businesses and steal valuable data. There’s not a singular, silver bullet security strategy to defend against all of them.
A more accurate truth: security must be layered, and a properly managed firewall is part of a strategy that includes: data encryption, network segmentation, passwords and access controls, software updates and anti-virus malware software, among others.
Along with protecting incoming traffic and preventing access by malicious actors, it’s critical to limit outbound Internet traffic. Many recent breaches involved malware that, once installed, exfiltrates sensitive data. A strong line of defense is making sure data doesn’t leave the network without the admin’s knowledge, and data that is sent out goes to verified Internet addresses. The same firewall that’s configured to monitor incoming traffic can be used to monitor outgoing.
Myth 5: Anti-virus/ anti-malware software are fix it and forget it’ tools that make businesses safe from cyberthreats.
The reality: “Much of the newly introduced malware went undetected by nearly half of the antivirus vendors," a 2015 GCN article citing a Lastline Labs study on antivirus says. "After two months, one third of the antivirus scanners still failed to detect many of the malware samples. The malware dubbed least likely to be detected’ went undetected by the majority of antivirus scanners for months or was never detected at all.” Essentially, modern malware/ virus technologies are undetectable until it’s too late, so relying solely on anti-virus/ anti-malware software is ineffective."
Myth 6: Small businesses must staff expensive IT professionals to defend against cyberthreats.
Nobody said keeping up with technology is easy or cheap, and the more pieces you add, the more requirements are put on network management. Fortunately, this is a misconception.
Today, outsourcing data and network security is reasonable and cost-effective for small businesses that don’t want to, or can’t, manage security themselves. New outsourced solutions providers offer minimally invasive solutions, rapid response times, state-of-the-art technology and low costs. Everything from software for automating your business to hardware to help manage and secure your network can be sourced from third-parties who specialize in one or more aspects of your technology, so you don't have to.
In a small business environment, combating cybercrime might often feel like fighting the unbeatable foe. Hackers today are well-funded, organized criminals with vast computer labs and unlimited time to research and develop new methods and tools for attack. Businesses interested in keeping networks and data secure should be careful not to fall victim to common misconceptions and focus on simple, robust security measures that can alleviate the growing problem that hackers represent. Doing so is as much of a business imperative as turning a profit.
Jay Conn is an expert on SMB and start-up technology operations and chief operating officer of Netsurion, a provider of data security and computer network management services to multi-location businesses.