Understanding the Cyber Enemy: 4 Risks to Data Security at Your Firm

Keep your friends close and your enemies closer. Small businesses may think they’re less vulnerable to cyber-attacks than their large counterparts, but that isn’t necessarily true. In fact, nearly half of all small businesses have been a victim of cyber-attacks, according to the 2013 Small Business Technology Survey by the National Small Business Association. And a malicious attack is just one of the potential threats to your data security.

Companies that maintain sensitive customer, financial and vendor data should be aware of who their cyber-enemies are and what they can do to reduce their IT security risk.

The following are four common risks to your business’ data security.

1. Malicious attack: You may think you’re safe against a malicious attack because your company is small enough that you’re unlikely to be targeted. However, most hackers don’t target their victims. Instead, they send out millions of feelers to identify vulnerable systems. In fact, it’s possible that someone is sniffing around your network to exploit your vulnerabilities at this very moment. How can you protect yourself against these attacks?  Questions to ask yourself include:

• Do I know my company’s vulnerabilities?
• Do I know the threats that my company must defend itself against on a daily basis?
• What safeguards do we have to deter, detect and protect our data?

 2. Natural disaster: When you picture an IT security nightmare, you probably aren’t imagining a summer storm. But natural disasters can pose a serious risk to your company’s data. No matter your organization’s location, you are at risk of facing a natural disaster. Whether it’s a hurricane, a tornado, an earthquake or a flood, any disaster can potentially be enough to cause damage to your physical location and any records or data that you store on-site. To help reduce your risk of a weather-related cyber-incident, ask yourself the following questions:

• Is my data backed up at an off-site location?
• Is that off-site location close enough to my main facility to be impacted by the same natural disaster as my physical location?
• Is there a plan in place to protect the confidentiality and integrity of your data?

3. Equipment breakdown or human error: Mistakes happen. Whether you deleted the wrong file, spilled coffee on your computer, or accidentally sent an email to the wrong person, human error can potentially leave an organization without the data necessary to continue normal operations or expose sensitive information.

Even if you’re careful, some breakdowns are outside of your control. Power or internet outages and computer crashes can lead to partial or total data loss, depending on your organization’s backup procedures and contingency plan. Does your company have an information technology policy that covers employee equipment use, electronic guidelines and hardware lifecycle to ensure old technology is backed up and replaced when necessary? If not, you could be putting your data at risk.  

4. Internal attack: Did you perform a background check on new employees? What about employees who have been with your company for a long time that may be going through financial difficulties? Businesses with weak internal controls have an increased risk of employee theft or other internal attacks. Depending on the data your company has access to; the information you store can be leaked, stolen or exploited by employees with access.

In one of the most well-known examples in recent history, the National Security Agency (NSA) suffered a leak when NSA contractor Edward Snowden released classified information to the press that led to increased global scrutiny of the agency and the United States government. If it can happen to them, it can happen to anyone.

Business owners should watch for red flags in their employees, like sudden lifestyle changes (purchasing expensive homes, cars or clothing), behavioral changes, refusal to take vacation, and a lack of segregation of duties.  Ask yourself:

• Do I have proper safeguards in place to deter fraud by my employees?
• Do I have proper controls in place to monitor whether data is being accessed without authorization?

If you aren’t taking action to protect your company’s sensitive data, you could be taking a big risk. If you have questions about how to implement appropriate safeguards and improve your cyber security programs, contact me or another member of Kaufman Rossin’s IT security consulting team.

Download cybersecurity white paper