Integrity Blog

Protecting small business from cyber attacks.

You’re a small business owner. You’ve got plenty on your mind and lots to accomplish. Business is good though. The client base is growing, more employees are joining the team – 18 employees now including yourself, and you’re adding new products. You accept payment cards through a point of sale (POS) system, so compliance with the PCI Data Security Standards occasionally crosses your mind.

Your business is a prime candidate for a cyber attack!

But why? Aren’t cyber criminals targeting the medium and large businesses? Unfortunately, recent statistics indicate that attacks against small businesses are rising. Symantec Corporation recently reported that 43% of attacks reported in 2015 were targeted at small businesses, and attacks against small businesses have been trending upward over the past four years. This trend is due to several factors. Cyber criminals like to take the path of least resistance, and small businesses generally have fewer resources and fewer skilled information security staff on hand to implement and maintain a sound information security program that covers administrative, technical, and physical security measures. Bottom line: small businesses are generally softer targets.

So what can you do to make yourself a harder target? There are many proactive steps you can take, including, but not limited to, the following:

  • Consider information security risks as a business issue, not an information technology issue, and evaluate those risks regularly
  • Implement well-designed information security and privacy policies
  • Train your employees on acceptable use of the business’s information technologies, and also train them to recognize indicators of attacks and how to report those indicators
  • Have an Incident Response Plan ready in case an incident occurs
  • Ensure system security updates and patches are applied. Unpatched systems are a causal factor in many data breaches.

Small businesses still process, store, and transmit sensitive information – in the above scenario, payment card information, customer information, and employee information – and this information is worth money to cyber criminals. Payment card information is selling on the Dark Web for ~ $6-12 per record (as compared to protected health information, which is fetching upwards of $50 per record).

But what would it cost you to remediate the effects of a data breach involving your business? The Ponemon Institute reports that the average remediation cost, across all industries, is $154 per record. Assuming that the average breach is 28,070 records, one can see how remediation costs could add up quickly. Also consider the impacts on business reputation, potential litigation, and loss of customers if a breach involving your business were to occur.

Have you heard the latest news about NIST, PCI DSS 3.2, Ransomware, and Verizon 2016 DBIR?

You’ve heard it before, perhaps in passing, perhaps as part of an audit… You need to pay more attention to rising cyber threats. Get involved in information sharing groups. Spend more time determining what could be potential risks to your organization. In addition, ensure you stay atop regulatory and industry requirements.

O.K. … Easier said than done. Even as a cybersecurity professional, this humble blog writer can find it a challenge to find time to read the latest security news and stay knowledgeable about changes to regulatory and industry requirements.

So, for this posting, I thought it would be refreshing to look at some of the latest news.

Have you heard…

National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST) has started the process to revise one of our favorite references, the NIST Special Publication (SP) 800-53 (revision 4) “controls catalogue.” According to multiple sources, SP 800-53 revision 5 will provide more focus on continuous monitoring and anomaly detection.

PCI DSS

On 28 April, the PCI Security Standards Council released version 3.2 of the PCI Data Security Standard. Version 3.1 will expire on 31 October 2016. Included in this new version are multiple clarifications and expanded requirements. For example, the requirement for multi-factor authentication is being expanded to address personnel with non-console administrative access to the cardholder data environment. For more about version 3.2, see the press release at:

PCI DSS 3.1 Press Release

Verizon 2016 Data Breach Investigation Report

The Verizon 2016 Data Breach Investigations Report has been released. The report presents some sobering statistics, such as 63% of confirmed data breaches involve weak, default, or stolen passwords. To access the report, visit:

Verizon 2016 DBIR

Ransomware

Ransomware continues to increase as a threat to organizations, primarily spread by criminal organizations using exploit kits. It’s easy money. CryptoLocker, CryptoWall, Locky, and TeslaCrypt are some of the ransomware names we’ve been introduced to over the past couple of years. Now, CryptXXX is gaining steam. Of note, Kaspersky Lab has published a utility that supposedly will recover files lost to CryptXXX infections. Nonetheless, it’s best to try to avoid ransomware altogether. Keep patches up to date, continue training employees about phishing and other social engineering tactics, and ensure you are routinely backing up critical data.

The Cybersecurity equation of Risk vs. Reward

Information security professionals must understand their role in helping business leaders balance the risk vs. reward equation when evaluating cybersecurity efforts. They must also be willing to exercise flexibility in their personal opinions and help business leaders understand IT risk management. Doing business comes down to one simple question. How much money are you willing to lose in an attempt to make even more money? In other words…how much risk can you stomach? Doing business in the digital world today involves more risk than ever before. Cyberattacks are simply a cost of doing business.

Information security professionals are responsible for helping business leaders understand cybersecurity risk and how to properly mitigate it. When this occurs, they can be a very useful resource. But, if they do not understand that responsibility, they become a liability to the organization they are trying to help. Security professionals must understand that business decisions must be made by business leaders.

Assisting with Business Decisions

If you are an information security professional, you can let down your leaders in several ways. The first is to attempt to make business decisions. Saying “no” because something is too risky isn’t your job. You should identify the risk, communicate the risk so executives can understand it, and then provide options for accomplishing the task with less risk. Let the executives make the call. This way you are seen as an enabler of the business and not a roadblock to progress or change.

Flexibility and Compromise

A second pitfall is to pick the wrong battles. If you are seen as inflexible and unwilling to compromise, you lose the trust and respect of the leaders around you. If, however, you regularly show a willingness to negotiate and compromise, your opinion will be respected on the occasions when you do push back and fight hard for something. If there is a high level of trust, they may even defer to your position simply on that trust factor.

Staying Engaged

A third pitfall is complacency and ineffectiveness. Every security professional comes to a point in their career when their effectiveness seems to be dwindling. For whatever reason, their effectiveness in the organization has diminished to a point where they are no longer making a difference. Sometimes this is because of the individual, sometimes a management change, and sometimes the company’s culture is changing due to growth and maturity. The important thing to do is to find out the reason for the change and try to correct it. Simply going through the motions of security will result in critical failures.

Communicating with Management

Ultimately it comes down to this. Are you still able to recognize and communicate cybersecurity risks in a way that management understands and is able to act on? Are you able to provide solutions that protect the company while allowing it to function and grow? If the answer is “Yes”…then carry on. If the answer is “No”, then you need to dig deeper. What changed? Why? Can you fix the issue? Can you reestablish mutual trust and be effective again?

Information security isn’t about being in control. It’s about helping business leaders make wise decisions based on their knowledge of the business environment and market forces. Information security professionals who understand this and provide value to their business leadership are worth their weight in gold.
