The Bigger the Company, the Bigger the Risk?
In the era of IoT and ubiquitous applications, we are becoming ever more aware of potential threats to IT, but it is often seen as a problem that only big companies, banks and governments should worry about. But do the figures support this belief?
In fact, cyber-attacks on the biggest players don’t happen more often than on small companies – though they are more spectacular and widely discussed. The more data a company stores, the more that can leak if an attack is successful. Bigger companies, however, have more mature IT security strategies, strict policies, IT awareness training, systems that require regular password changes and, last but not least, they tend to spend more money on IT. According to Verizon research, 58% of victims of cyber-attacks are categorized as small businesses with more than 1 000 employees. In addition, more than two-thirds of breaches were discovered only after several months or even longer. It is important to remember that a data leak is just the tip of the iceberg; it is a warning that data are being misused, whether the information involved is in the form of passwords, credit card numbers or personal details. It can lead to identity theft, financial loss and many other problems for individuals and companies.
Strategy is a must
How should we protect ourselves from these threats? The key to avoiding security breaches is to build a consistent long-term strategy. To minimize the risk of a security incident, every company should assess and re-think its procedures, gathering relevant information about everyone who has access to data, IT systems, networks and infrastructure, as well as all information about the IT infrastructure itself (network, software and other equipment). The collected material should cover not only internal employees, but also people from external companies (especially when outsourcing a service). With this knowledge, it is easy to verify whether each of these people should have access to a particular resource, and to establish the permissions they need to perform their tasks. Bear in mind that nobody should have a higher level of access than is required for them to carry out their duties. It is also important to train employees to identify (and report) phishing, to block spam, to use recommended software, not to open any attachment unless sure of its safety (30% of attacks included malware), and to choose strong passwords (consisting of random characters, including lower case and upper case letters, numbers, punctuation and special characters instead of actual words, which does make them harder to remember but also more difficult to crack). In the case of passwords, using management software such as KeePass is worth considering. Employees should also be taught how to avoid falling victim to social engineering attacks – a method used in 17% of attacks, and often successful when deployed. By checking the infrastructure, you can find weaknesses such as patches that have not been installed, old software versions, incorrect network configuration, and so on.
Trust the experts
These steps require time, money and expert knowledge. Having information is one thing; knowing how to use it effectively to improve business security is another. In such a situation, an external service provider can be the best solution. It is not only easier and faster to bring in outside help, but is also cheaper and more popular than attempting to keep all IT security in-house. Building or developing an IT department is a time-consuming process in a rapidly changing IT world and with the current shortage of experts, especially if your company is not a technology company and you are not even sure where or how to start. Better to choose a trusted partner specializing in IT outsourcing and security. For such companies, IT is a core business, and they employ experienced specialists with responsibility for assisting clients and keeping themselves up to date with the latest technologies, trends and security threats (types of cyber-attack, malware and IoT are examples). A good IT company will be prepared to undertake risk analysis, identify potential threats, and provide each client with a solution tailored to their needs. This involves not only prevention, but also advice on operational matters and a disaster recovery strategy if a security incident has already taken place. Another advantage is that external IT specialists are less likely to violate security policies and procedures by doing a favor for someone who is not authorized to access certain data (12% of breaches involved privilege misuse).
IT security is too important to rely on luck. Hackers are becoming ever more creative and cyber-attacks ever more sophisticated. So, in order to avoid serious trouble and ensure your company’s business continuity, you should plan your IT security future today.