2014 was one of the worst years on record for data breaches in America, with nearly 350 million records lost or stolen. While most of us only get to read about the breaches associated with large organizations (the ones that make the best media headlines), it is beyond any doubt that American small businesses get breached too.
A report from McAfee in 2014 found that almost 90% of small- and medium-sized business in the US do not use data protection for company and customer information, and less than half secured company email to prevent phishing scams.
US small businesses are not immune
A survey conducted by Kaspersky Lab in 2014 revealed that three quarters of SMEs believe their business is too small to be attractive to cyber criminals, while 59% said the information they hold is not of interest to cyber criminals.
They couldn’t be more wrong.
David Emm, senior security researcher from Kaspersky Lab, said in a news article: “Whether it is a supplier, a partner or a customer, SMEs tend to have links to other, larger companies. With this in mind, cyber criminals increasingly target SMEs to get information that will enable them to access the larger company’s infrastructure.”
The facts have proven Mr Emm right. A couple of high-profile US data breaches involving retail giants Target and Home Depot, and US hardware chain Lowe’s are believed to have been initiated through a supplier.
Furthermore, small companies often lack IT support to keep an eye out for potential cyber threats. This makes them an even more attractive target for cyber criminals who are eager for an easy gain. But unlike their larger counterparts, they may not be able to recover from a data breach.
What US small business owners can do
Given the alarming frequency of cyber attacks, becoming cyber secure may seem like a mammoth task. If the process is broken into steps, however, every task is achievable. Here are a few areas small businesses should focus on:
Conduct cyber risk assessments
Risk assessments are essential for securing corporate data. Their aim is to identify the cyber risks that the organization is exposed to (taking into account its employees, processes, and technology), while also pre-empting any potential future risks, such as an organizational decision to move its data to the Cloud in the near future.
The accuracy of a risk assessment is critical, as its outcomes drive information security management decisions. Risk assessments also enable expenditure on controls to be balanced against the business harm likely to result from security failures.
32% of the respondents to PwC’s US State of Cybercrime Survey 2014 said that insider crimes are more costly or damaging than those committed by outsiders. The survey also found that only 20% of small companies rely on a security function to handle insider attacks, compared with 62% of large organizations.
It is worth considering a more pragmatic approach to raising staff awareness.
Security awareness training can deliver quick returns by raising employee awareness of information security best practice as well as cyber threats. It is not only fundamental for effective information security management within an organization, but also helps meet specific compliance requirements mandated by ISO 27001 and the PCI DSS.
Evaluate how cyber secure your supply chain is
PwC’s US State of Cybercrime Survey 2014 found that only 41% of companies have a process for assessing the cybersecurity of third parties with which they share data or networks before launching business operations. The smaller the company, the less likely it is to evaluate its partners’ cybersecurity.
This means that even if your own organization is secure, individuals with malicious intentions can enter your networks through your suppliers, or even your suppliers’ suppliers, especially where important functions have been outsourced to the Cloud or to smaller providers.
Small businesses should therefore scrutinize their vendors and ensure they comply with the business’s privacy and security policies.
Test your networks
Any Internet-facing organization is under a constant threat of cyber attack. In the majority of cases, cyber criminals are not discerning regarding their victims – the one thing they look for in a target is a network with vulnerabilities. So, could this be yours?
Small businesses should conduct regular penetration tests in order to identify exploitable security holes and vulnerabilities in their hardware and software, and take remedial action.
ISO 27001 and small businesses
In order to address all of the above areas, consider implementing ISO 27001 – the international information security standard. In the USA alone, the number of ISO 27001 certificates issued grew by 36% in 2013, giving the USA the tenth highest number of ISO 27001 certificates globally.
ISO 27001 offers a systematic approach to managing sensitive company information so that it remains secure by applying a risk management process that includes people, processes, and IT systems.
To get started with ISO 27001, take advantage of IT Governance’s fixed-price ISO 27001 Get A Lot Of Help package.
The ISO 27001 Get A Lot Of Help package provides guidance from an ISO 27001 implementation specialist throughout the entire project, without the expense of hiring a consultant to do all the work. This approach to ISO 27001 implementation enables organizations to quickly assimilate and deploy the critical knowledge needed to achieve certification and maintain it in the future, all at a fixed, cost-effective price.
Find out more about IT Governance’s ISO 27001 Get A Lot Of Help package today and protect your data.