A quick Google search for security threats that plague small businesses turns up a vast number of results ranging from such banalities as hackers to the most outlandish of exaggerations about brand monitoring and diverted funds. To be sure, small businesses are prone to the same weaknesses and vulnerabilities as larger enterprises, but their smaller size, scope and focus are as much of an advantage as a problem.
Here we look at the 10 most serious, current and underreported security breaches that affect the small business sector in Canada:
1. Malware infections that lead to data and productivity losses. Weaknesses caused by poorly configured systems and unpatched applications account for most software infections. Automatic software updates – such as anti-virus files and operating system patches – are often all that's required to keep up to date with the latest system vulnerabilities. This extends to everything, from the proper installation of voice mail systems to the setup of company e-mail.
2. Malicious breaches that go on indefinitely. Many security vulnerabilities exist for years before being detected, if ever. By adequately monitoring attacks, error logs and changes on the network, small business owners can make informed decisions about investing in security. And when it comes to monitoring, outsourcing to one of hundreds of managed IT service providers makes good business sense.
3. Hijacked domain names. Imagine losing the keys to your house and watching powerlessly as criminals make themselves at home in it. Loss of control over Internet properties is a serious business interruption, as perpetrators often redirect websites to illicit destinations and intercept the conversations of unsuspecting interlocutors. Ensuring that Internet domains and hosting accounts are locked down will go a long way towards protecting against this type of (usually ransom-related) crime.
4. Loss of accountability over employee accounts. Shared passwords and accounts are a common occurrence in small businesses. Whether people go on maternity leave or step away for a vacation, the unfortunate practice of sharing access credentials still takes place because it's convenient. The drawback is that without unique passwords that are only known by their rightful owner, accountability for any actions conducted using the account in question cannot be established. To avoid having someone else make mistakes or cause intentional damage using accounts that aren't theirs, small businesses must instill a culture of accountability that begins with properly defined and enforced security policies.
5. Insider threats and disgruntled employees. Employees must knowingly be subject(ed) to acceptable use policies, confidentiality agreements and strict security policies to ensure. To protect against damage perpetrated by employees with too much access, small businesses must make sure that employees are aware of their responsibilities and system privileges by training everyone on security awareness on an annual basis and having them all sign documents indicating that they understand the training, policies and agreements.
6. Breaches caused by connecting (from) infected devices. Whether employees connect to work to read their e-mail or plug in an iPod, there is a potential for infection from devices that are or have been outside the relatively safe network perimeter. Any connection to work systems should be done from a dedicated work computer and not one shared by the entire family. Similarly, personal USB devices should be banned in favour of company-supplied ones that come with data encryption built in by default.
7. Any data breach, interception or access causes confidentiality breaches. The problem with lost data is that it cannot verifiably be recovered with the damage undone. Once data has been copied or transferred, those actions can't be undone. The only effective way to prevent unauthorized disclosure, or breaches of confidentiality, is to encrypt data. Businesses often don't adequately protect their back-ups, their sensitive and confidential data or their Internet communications. By ensuring that proper encryption takes place at all steps of the information lifecycle, businesses ensure that data is protected and everyone is accountable for their actions.
8. Business interruptions due to backup data issues. Backup and restore processes are often improperly tested and result in data and productivity losses. Many businesses are then forced to suspend operations for weeks, and may never recover as a consequence. By ensuring that proper backup encryption is in place and that recurring restoration testing is performed, the risk of losing data can be controlled.
9. Physical breaches and theft. With such a focus on hacking and cybercrime, it's understandable that less glamorous types of security are taking a back seat to a movement towards better IT security. Unfortunately, this happens as physical theft is booming and ranges from entering the office unchallenged to breaking in on the weekend. This shift back to low-tech crime is due in part to stronger network security as well as to the ease with which it can be pulled off. But it works, and laptop theft alone accounts for billions of dollars in losses. Whether it takes place at the employees' homes or at work, physical security measures such as bike locks and fully encrypted hard drives should be used as preventative controls against this type of crime.
10. Trust abuses. As humans, we are naturally trusting, so when presented with apparently legitimate individuals in a position of authority, we play along, often to the detriment of the company and its information assets. Social engineering is the practice of abusing people's trust to compromise – or steal – company property (or personal details). Whether it's called pretexting, spear phishing or simply a con job, it's effective and the only antidote is employee vigilance. Ensuring that employees know how to react when receiving that phone call or e-mail will go a long way towards creating a culture of awareness and accountability that will inevitably lead to better protection for the business and its data.
As chief security officer of Informatica Corporation, Claudiu Popa helps Canadian small businesses protect information assets against current security threats including viruses, hackers, thieves and blackouts. He is the author of the Canadian Privacy and Data Security Toolkit for Small and Mid-Size Business, published by the CICA. Follow him on twitter.com/datarisk