Five Warning Signs Your Security Policy Is Lacking
Warning signs of a weak security policy from SunGuard Availability Services.
I came across a list of top security mistakes committed by small and mid-sized businesses on Dark Reading earlier this month. What caught my attention was a quote from Brian Contos, director of global security strategy at McAfee, who noted:
An attack that costs $20,000 might not make the headlines like a Fortune 100 losing $1 million, but to the SMB, proportionally it could be just as devastating.
You can read "Top 10 Security Mistakes SMBs make" for the full list, written by contributing editor Ericka Chickowski here. For those who prefer a shorter lineup to focus on, however, I have identified three of the most prevalent and easily correctable mistakes below.
Thinking They Are Too Small
The most common mistakes made by small businesses are well, thinking that they are too small a target for hackers to notice. Indeed, a recent poll conducted by Symantec revealed the surprising fact that many SMBs do not see themselves as possible targets of cyber attacks. And it is not for the lack of awareness, either - the Symantec survey specifically posed questions to test for awareness of the latest security threats - but because small businesses felt they were too insignificant to be targeted by hackers.
Unfortunately, this line of thinking completely ignores the fact that many forms of online attacks such as phishing adopt a "scattergun" approach. Essentially, the bad guys fire off a broad range of attacks on as many targets as they can reach, and then work on the ones that take the bait. Moreover, Chickowski argues that just because a small business has 10 employees doesn't mean that they automatically get a free pass from regulators on the compliance front, either. Thankfully, adjusting from this mindset is relatively easy and involves SMBs recognizing that they are fair game to the majority of hackers. To actually start defending yourself though, you may first want to read my post on FCC cybersecurity tips for small businesses.
There are a few problems on this front, which include using easily guessed passwords and excessive reuse. I've written about this in the past, and have presented a number of tips on the use of passwords in "Password Management: What Employees Should Know." Given that most of us don't have the ability to memorize more than a few passwords, the use of proper tools is unavoidable to stop password reuse in its tracks. I've written on the latter, which you can read about in "Three Tools for Proper Password Management."
Failing to Train Employees
"Formalized security awareness training is key," writes Chickowski. As I'm fond of pointing out, research dating back to 2009 has shown SMBs to be lacking in security training. To put it mildly, security is more than simply buying a security product off the shelf and assuming it will offer protection. I recall a news report in which a customer was upset with the performance of a McAfee anti-spyware product. Upon engaging a reseller to check on the problem, it was found that the customer never turned the anti-spyware product on.
In a nutshell, training is important for SMBs, and they need to set aside a budget to send their staff for regular training and for upgrading their skills.