Most small businesses don’t have the budget, expertise, staff or time to manage security programs on their own. It’s a longstanding problem, as pointed out in a survey of small businesses conducted by the Ponemon Institute, which found that 55 percent of respondents experienced a data breach in 2013 and 53 percent of those experienced more than one breach in the same year.
Considering how quickly the threat landscape has evolved and the threat of breaches affecting all types of businesses from startups to financial giants in the last couple of years, many small businesses are still in dire straits.
It’s common for small and medium businesses to think they are too small to be the targets of a cyber attack, especially when the term “breach” is often associated with retail, health and financial companies. But, even in those cases, smaller businesses become victims in the exploit process. According to the annual 2015 Security Pressures Report published by Trustwave, many small to medium businesses feel secure in their current security stance, with 68 percent stating they do not feel at risk of a cyber attack or data compromise. This false sense of security is a major mistake that makes smaller companies targets for cybercriminals.
With this in mind, here are five mistakes to avoid that make it easy for attackers to exploit small businesses:
1. The wrong investments.
Pressure on IT pros to buy technologies is rising but security solutions for small businesses are only effective if used and updated properly. According to the 2015 Security Pressures Report, 57 percent of small businesses feel pressure to purchase feature-filled technologies, yet 37 percent said they lack the resources to manage them.
The 2014 Trustwave Security on the Shelf report found that organizations spent $115 per user on security software in 2014 but of that $33 worth of this investment was either underutilized or never used at all. Simply having a security appliance or solution is not enough. Without proper management, additional attack vectors created by a growing network could be a company’s downfall, as it loses visibility of traffic and activity within its systems.
2. Pressure to push projects out early.
According to the pressures report, 77 percent of respondents felt rushed to push out IT projects that weren’t security ready. This is a big reason why vulnerabilities are commonplace in applications and other IT rollouts. The in-house IT team is so focused on completing projects on time that security becomes an afterthought, leaving them open to attack.
Companies need to build products with security in mind from their inception. As security continues to be a major concern for business and consumers alike, it has become a primary differentiator for any product. A secure product will be more coveted than a vulnerable product that was quick to market.
3. Protection efforts in the wrong place.
While many businesses focus their protection efforts on external threats, 48 percent of respondents considered internal threats more pressure-inducing than external threats. Small businesses can have a “family feeling,” but internal threats can still exist, no matter how much you trust one another. Vet and educate personnel to avoid both intended and inadvertent threats.
4. Cloudy forecast.
The cloud holds many uncertainties for small businesses. The pressures report reveals that 43 percent of small businesses rated the cloud as the emerging technology that posed the greatest security risk to their organization.
In reality, the cloud is an efficient way to bolster operations for small and medium businesses, if launched correctly. Smaller businesses have to take their time in setting up a successful cloud deployment, with cloud-specific security measures that are distributed and localized. Pervasive encryption of data or third-party management also helps avoid possible issues.
5. Weak passwords.
Password education is crucial. Despite the fact that easy-to-crack passwords contributed to nearly one-third of all breaches Trustwave investigated in 2013, only 9 percent of security pros cited weak passwords as the insider activity they felt most pressure to fend off. IT and security pros need to instill the need for strong credentials and even two-factor authentication.
In short, having a security-first mentality can pay dividends to small business and ensure long-term success. Don’t assume being smaller exempts companies from being victims. Make security a priority and avoid the costly aftermath of a possible breach.