Home / Blogs

Why the 1# Vulnerability for Cyber Attacks Will Be Apathy

Daren Boozer

Everyone has heard of the cyber security attacks on Target (2013), Home Depot (2014), Neiman Marcus (2014), Sony Pictures (2014), and the United States' second-largest health insurer, Anthem (reported February 2015), but have you heard of the security breaches for Aaron Brothers, Evernote (denial of service attack), P.F. Chang's China Bistro, Community Health Services, Goodwill Industries, SuperValu, Bartell Hotels, Dairy Queen, U.S. Transportation Command contractors, and more.

Probably not. Even I hadn't heard of these breaches until I did some research for this article. And these were just some of the larger chains (just not large enough for nationwide media attention).

So it's not just that the massive names and brands are being targeted for cyber security attacks. Instead, it's small- to medium-sized businesses that are receiving the brunt of the attacks. In fact, they are enduring more attacks than the big guys — we just aren't hearing about it in the media.

According to Experian's 2015 2nd Annual Data Breach Industry Forecast, "the risk of experiencing a data breach is higher than ever with almost half of organizations suffering at least one security incident in the last 12 months."

So why are so many smaller businesses becoming the target of cyber attacks? It's not because they don't have the right procedures and the right security personnel in place to prevent attacks. Far from it: Experian's data breach report stated that "48 percent organizations [surveyed] increased their investments in security technologies spending" in 2014.

So why — as companies understand the need to add features and 24/7 surveillance to their security systems — are more and more companies getting hit?

Beefing up your security is a good thing, of course. But it can also lead to a false feeling of security. Spending considerable time and money on technology can lead to apathy. More to the point, it can lead to the perception that all is OK, that you're well-protected, and that you can sleep well at night, every night.

But such an assessment can lead to mistakes. Remember, your job is to run your business. Service your customers. Create great products and deliver terrific services. You need to make sure your bottom line stays healthy. That your employees are engaged and happy.

You have a considerable amount on your plate.

Cyber criminals, however, are focused on one thing only: finding your mistakes.

These individuals have nothing more to do than look for vulnerabilities. They don't have to patch up weak spots; they don't have to constantly be on the lookout for system flaws. All the criminals have to do is find a small hole and if they find one — like a bat that can enter your home through a space less than an inch around — so can a cyber criminal use that tiny fault and hack into your system.

How much do hackers love small companies? Some statistics:

  • The U.S. Department of Homeland Security reports that 31 percent of all cyberattacks on business were aimed at companies with fewer than 250 employees.
  • Symnatec Security Response discovered in 2012 that more than half of all targeted attacks focused on those businesses with fewer than 2,500 employees.
  • Verizon's 2013 Data Breach Investigations Report said that mid-sized and small businesses experienced more data breaches than did larger firms.

Perhaps most frightening is the National Cyber Security Alliance's finding in 2012 that about 60 percent of all small companies go out of business within six months of a data breach!

In order to stay ahead of hackers and cyber criminals a business must ensure that its IT team continuously looks for vulnerabilities, even as other team members work to beef up its security. Cyber criminals can sleep at night; a business' IT team — in effect — cannot.

In addition to hiring professionals whose time is spent only on checking for weak spots in their firewalls, etc., smart companies also hire professionals to hack into the business (thus exposing those holes). They also continuously upgrade software packages, monitor the system 24/7, and so on.

Yet I've seen too many small businesses who believe that they are too small or "too boring" for cyber criminals. This isn't apathy, per se; it's a lack of understanding that no business is too small for crooks.

This is something especially to remember if you're in a growing industry, one that is enjoying more media coverage. Firms with entrée to larger business networks also are at risk. As are those which have access to customers' personal data, such as credit cards, social security numbers, etc.

The days of installing the latest in security technologies and saying "Done!" is over. Instead, I recommend that every business — and I mean every business — engage in the following, and do so continuously (24/7, if possible):

  • Meet with your IT team and other department managers regularly and conduct risk management sessions in order to identify and rank the risks that affect you.
  • Continuously audit all of your security/privacy protocols, policies and controls.
  • Create and implement (and continuously update) an internal function throughout your entire organization.
  • If it isn't already, data analytics will become your very best friend as you will analyze your data frequently in order to find unusual transactions in your records.
  • Look into the value cyber security insurance coverage may offer you in order to help you recoup financial losses as a result of a security breach.

In October 1941 when things were looking mighty dicey for England during World War II, Winston Churchill spoke to the young men at Harrow School and told them this (one of the most famous of his quotes):

Never, never, in nothing great or small, large or petty, never give in except to convictions of honour and good sense. Never yield to force; never yield to the apparently overwhelming might of the enemy.

Is this a bit too grandiose to use as impetus when dealing with cyber criminals? I don't think so: cyber attacks are an absolute menace to our privacy, our finances and our way of life. Our best defense is to never become complacent. We must never give up. We must never think that we've done enough.

That's my bottom line. What's yours?

By Daren Boozer, CEO at NCC Data
Follow CircleID on
Related topics: Cyberattack, Cybersecurity, Networks
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Completely Agree Steve Lines  –  Mar 19, 2015 10:46 AM PST

Sometimes apathy is driven by a lack of understanding the threat. The DIB ISAC focuses on the tier two/three subcontracting community within the Defense Industrial Base. In many cases these companies do not have the IT staff much less an IT security staff. By necessity, they must focus on driving revenue. However doing so without understanding the threat could be fatal to the business if they are breached. I encourage these companies to join a trusted forum such as an ISAC within their community. Doing so will allow access to a community of analysts that can help not only understand the threat but how to adopt best practice for mitigation.  www.dibisac.net

To post comments, please login or create an account.

Related

Topics

DNS Security

Sponsored byAfilias

New TLDs

Sponsored byAfilias

Domain Names

Sponsored byVerisign

Whois

Sponsored byWhoisXML API

IP Addressing

Sponsored byAvenue4 LLC

Cybercrime

Sponsored byThreat Intelligence Platform

Cybersecurity

Sponsored byVerisign