Where does your business stand on security readiness?
If you are like the majority of small businesses, you are pretty nervous about your cybersecurity efforts and ability to thwart and/or react to a threat.
In October, e-Management asked attendees at the CyberMaryland Conference about their cybersecurity policies. What the CyberRX survey found was that 63 percent of small businesses aren’t very confident about their continuous security monitoring capabilities and nearly a quarter don’t provide any type of security training for their employees. Of those that do provide some sort of training, it is mostly periodic—and we’ve learned that cybersecurity education and training needs to be a constant evolving effort because the threat landscape is always changing.
Small businesses aren’t the only ones who struggle with these problems. Last night on 60 Minutes, one of the feature stories discussed credit card data breaches against large retailers and financial institutions. Dave DeWalt, CEO of FireEye, was interviewed about breaches in general and something he said jumped out at me. Although the FireEye system did detect the initial breach at Target, the warnings were buried amongst thousands of other more minor alerts:
Alarms were going off. And when you get millions of alerts a day and there's one or two alerts that are the ones blinking red, ‘There's a problem. There's a problem.’ You can miss it and it's very hard to find the needle in the haystack. So Target's problem ultimately became, ‘I couldn't find the needle. I couldn't see the one alert that was bright red.’
It appears that the ability to monitor for security threats is a real problem no matter how large or small the company is. The way to fix that may be to change the way we think about cybersecurity.
And Michael Kaiser, executive director of the NCSA, called it a Culture of Cybersecurity in a BusinessNewsDaily article:
Make sure employees understand the importance of cybersecurity in protecting their customers, colleagues, intellectual property and valuable business relationships. Have policies and practices in place about Internet security practices in the workplace around issues like the use of USB devices, social media and personal devices in the workplace… Above all, understand what about your business needs to be protected and stay vigilant about the risks that could impact you.
The more you know about the threats and risks, the more monitoring efforts can improve. Knowledge is of course not going to be foolproof, but if you know how to recognize the red flags, you stand a better chance of addressing them before too much damage is done.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba