Cyber Attacks: Your Business is Only as Strong as its Weakest Link
Cyber crime, as we know, is a global issue. The White House cyber attack late last year and recent headlines “Russian hackers amass over a billion internet passwords” and “credit card data swiped from local restaurants” are testament to this.
Although large organizations may appear to be the target for hackers, smaller businesses are also at risk of suffering a security breach. UK government statistics reveal that 60% of small firms admitted to a security breach in 2014 and the US House Committee on Small Business confirms that 20% of small businesses with under 250 employees fall victim to hackers. It also says that 60% of small businesses close within six months of a cyber attack.
Cyber vulnerabilities
Any business carrying sensitive data – from customer and supplier or business associate details to company records, and from financial information to contractual agreements – could suffer a data breach.
These breaches, however, are not solely due to hackers’ activities; they can be caused by weak business controls. Data is everywhere. It’s exchanged between your company, business associates and third parties. So even if you have measures in place to protect your data, how confident are you that others are doing the same?
It is vital to understand and identify the cyber vulnerabilities within your operation, know how to manage these risks and put in place a contingency plan to minimize the damage should a situation occur. You may also want to consider cyber security insurance, which can provide a financial safety net.
Kaspersky Lab’s Global Corporate IT Security Risks Report 2013 identifies the most serious data loss incidents for small to medium sized businesses as:
- Viruses, worms, spyware and other malicious programs
- Information leaked/inappropriately shared
- Vulnerabilities/flaws in existing software
- Other
- Loss/theft of mobile devices
- Network intrusion/hacking
- Phishing attacks
- Theft of larger hardware
- Employee fraud (not involving technology)
In addition to external malicious attacks that directly target the business or the financial accounts of owners and employees, there are other types of data security issues that business owners should be aware of.
Natural disaster
Wherever you’re based, you could face a natural disaster. A flood, fire, hurricane, snowstorm or earthquake could not only damage your physical location, but could also devastate your data if it is stored on site. Back up your data and store it in a remote location to minimize the risk to your business if a natural disaster were to occur. In selecting a back-up storage option, try to find a facility or storage solution that would not be impacted by the same disaster.
Human error or equipment breakdown
How often do we hear “I’m only human” when a mistake is made? Mistakes do happen in the work environment, and some of them lead directly to loss or corruption of data. Examples include deleting the wrong file, dropping electronic devices, spilling food or drink on a computer, leaving mobile devices unattended and vulnerable to theft, and sending an email containing sensitive information to the wrong person.
Like human error, equipment breakdown such as a computer crash or a power, internet or phone line outage can happen at any time. Put in place an information technology policy and back-up and replacement procedures, and have a contingency plan in place to reduce the impact such incidents can have on your business.
Internal attacks
The US National Security Agency found itself under the spotlight when a trusted contractor leaked classified information, resulting in the organization having to increase its global security. If an internal data breach can happen to the NSA, it can happen to anyone. Company information can be easily leaked or exploited by employees when a business has weak internal controls, so establish proper safeguards to deter employee fraud. Ask yourself: “Do we have controls to monitor whether data is being accessed without proper authorization?”
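One way to answer that question in practice is to check every recorded access against who is actually allowed to touch each resource. The script below is an added example written for this article, not a tool from the authors or their firm: it reviews constructed audit log lines against a hypothetical role-based access matrix, denies by default for resources that are not in the matrix, and additionally flags after-hours access and bulk exports, which are the patterns an insider case typically turns on. The log format, user names, roles and business hours are all assumptions made for the illustration.

```python
"""Review a data-access audit log against an authorization matrix.

Added example: the log lines, user-to-role map and resource ACL below are
constructed for illustration; adapt the parser to your own audit format.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed audit log: "<ISO timestamp> <user> <action> <resource>"
AUDIT_LOG = """\
2015-03-02T09:14:05 alice READ /finance/q4-payroll.xlsx
2015-03-02T09:20:41 bob READ /sales/pipeline.csv
2015-03-02T23:47:12 bob READ /finance/q4-payroll.xlsx
2015-03-03T02:03:55 alice EXPORT /hr/employee-records.db
2015-03-03T10:11:00 carol READ /hr/employee-records.db
2015-03-03T10:12:30 mallory READ /finance/bank-accounts.txt
"""

# Hypothetical authorization matrix: which roles each user holds, and which
# roles may access each resource prefix. Anything not listed is denied.
USER_ROLES = {"alice": {"finance"}, "bob": {"sales"}, "carol": {"hr"}}
RESOURCE_ACL = {
    "/finance/": {"finance"},
    "/hr/": {"hr"},
    "/sales/": {"sales", "finance"},
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed working day
BULK_ACTIONS = {"EXPORT", "DOWNLOAD_ALL"}    # actions that move data in bulk


@dataclass
class Finding:
    when: datetime
    user: str
    action: str
    resource: str
    reason: str


def parse_line(line):
    """Split one audit line into (timestamp, user, action, resource)."""
    ts, user, action, resource = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, resource


def authorized(user, resource):
    """Deny by default: the user needs a role listed for the resource prefix."""
    roles = USER_ROLES.get(user, set())          # unknown user -> no roles
    for prefix, allowed in RESOURCE_ACL.items():
        if resource.startswith(prefix):
            return bool(roles & allowed)
    return False                                 # resource not in the ACL


def review(log_text):
    """Return one Finding per policy violation; a line can yield several."""
    findings = []
    for line in log_text.splitlines():
        when, user, action, resource = parse_line(line)
        if not authorized(user, resource):
            findings.append(Finding(when, user, action, resource,
                                    "not authorized for resource"))
        if not (BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]):
            findings.append(Finding(when, user, action, resource,
                                    "access outside business hours"))
        if action in BULK_ACTIONS:
            findings.append(Finding(when, user, action, resource,
                                    "bulk export of data"))
    return findings


def summarize(findings):
    """Count findings per user so the noisiest accounts surface first."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for f in review(AUDIT_LOG):
        print(f"{f.when.isoformat()} {f.user:8} {f.action:7} {f.resource}  <- {f.reason}")
    print(summarize(review(AUDIT_LOG)))
```

Run against the constructed log, the two in-hours, in-role reads by alice and bob and carol's HR read produce nothing, while bob's late-night read of a payroll file, alice's 2 a.m. export of HR records, and the unknown account "mallory" are each flagged. The deny-by-default rule matters most: a control that only alerts on users explicitly marked as forbidden misses accounts that were never entered into the matrix at all.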
Malicious attacks
Malicious attacks can be targeted or untargeted. In an untargeted attack, hackers scan huge numbers of internet-facing systems indiscriminately to identify which ones are vulnerable, and only then decide what to do with them. Financial gain isn’t always the motivation; hackers are sometimes motivated by the knowledge that they have the power to disrupt operations.
In order to reduce the risk of such an attack, learn your company’s IT vulnerabilities and install safeguards to deter, detect and protect your network and data.
The weakest link
In every business, there are people, processes and technology that generate sales and invoices, manage customer data and communicate internally and externally. Any of these can be the “weak links”, as evidenced by the following examples:
- Two employees stole a proprietary software application code and opened a business using the same software under a different name.
- An IT director installed file sharing software, exposing confidential information to unlimited users.
- An employee accidentally changed her company’s firewall configuration, making all network documentation and sensitive information briefly available through Google.
- An employee gave his password to a hacker posing as an IT colleague trying to resolve a network issue.
These potential “weak links” can be strengthened with intellectual property protection, robust security processes, system configuration access restrictions and clear password sharing policies.
Review and assess your risk
In order to better understand your company’s potential exposure to cyber attacks and data breaches and to be able to mitigate the risks, you should consider both a technical and operational review. By assessing your company’s infrastructure, its processes, policies and reporting mechanisms, you’ll be able to identify and rectify any problem areas.
A technical review may reveal IT issues such as a lack of anti-virus protection on workstations or servers, open ports exposing services to the internet, unpatched applications (software with known, fixable flaws that attackers can exploit) and bandwidth abuse (movie downloads and file sharing, which can also introduce malware).
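The “open ports” item in that list is the one most often found by simply comparing what a host is listening on with what it is supposed to expose. The script below is an added example, not part of the original article or any tool of the authors: it parses constructed output in the format of `ss -tlnp` (a Linux socket listing) and flags every service bound to all interfaces whose port is not on a hypothetical allow-list of ports the business intends to expose. Services bound only to loopback are ignored, since they are not reachable from the network.

```python
"""Flag listening services exposed on all interfaces that are not expected.

Added example: the socket listing below is constructed to resemble
`ss -tlnp` output; the allow-list is an assumption for the illustration.
"""
import re

# Constructed `ss -tlnp` output for one workstation.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1203,fd=21))
LISTEN  0       128     0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=990,fd=35))
LISTEN  0       4096    *:3389               *:*                users:(("xrdp",pid=1456,fd=11))
LISTEN  0       128     [::]:8080            [::]:*             users:(("java",pid=2211,fd=44))
"""

# Hypothetical policy: only these ports may listen on a non-loopback address.
ALLOWED_PUBLIC_PORTS = {22, 443}

# Addresses that mean "every interface" in ss output (IPv4 and IPv6 forms).
WILDCARD_ADDRESSES = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

PROCESS_RE = re.compile(r'\(\("([^"]+)"')   # pulls "sshd" out of users:(("sshd",...


def parse_ss(text):
    """Yield (address, port, process) for each LISTEN line of ss -tlnp output."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue                                  # skip the header
        local = fields[3]
        address, port = local.rsplit(":", 1)          # handles [::]:8080 too
        m = PROCESS_RE.search(line)
        process = m.group(1) if m else "unknown"
        yield address, int(port), process


def exposed_services(text, allowed=ALLOWED_PUBLIC_PORTS):
    """Return (port, process, address) for unexpected network-reachable listeners."""
    findings = []
    for address, port, process in parse_ss(text):
        if address.startswith(LOOPBACK_PREFIXES):
            continue                                  # loopback only: not reachable
        reachable = address in WILDCARD_ADDRESSES or True  # any non-loopback bind
        if reachable and port not in allowed:
            findings.append((port, process, address))
    return findings


if __name__ == "__main__":
    for port, process, address in exposed_services(SS_OUTPUT):
        print(f"port {port:5} ({process}) listens on {address} but is not in the allow-list")
```

On the constructed listing the SSH daemon on port 22 passes, MySQL passes because it is bound to loopback only, and SMB (445), RDP (3389) and a Java service on 8080 are reported. Run on real hosts, the same comparison is usually the quickest way to find file shares and remote-desktop services that nobody remembers enabling.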
An operational review can help you to identify issues such as weak internal controls and a lack of adequate policies and procedures governing information technology.
If the policies and procedures are in place, this review can help to determine whether they align with industry best practices. An operational review can also look to see if there is an employee monitoring program established and test the program to determine its effectiveness. Wider aspects of the organization – such as human resources, the hiring process, vendor management, business opportunities, asset management and billing practices – may also be included in this assessment.
Technology is only as good as the user behind it. The same applies to businesses and data security; they are only as strong as the weakest link. By first identifying your business’s IT weaknesses, you can then take steps to protect against them.
To learn more about data security at your company, download our white paper, Why Your Small Business is at Risk of a Data Breach.
_______
Jorge Rey, CISA, CISM, CGEIT, is a director of information security and compliance at Kaufman Rossin. Jorge can be reached at jrey@kaufmanrossin.com.
Richard Salinas, CPA, is a consulting supervisor in Kaufman Rossin’s Ft. Lauderdale office. Richard can be reached at rsalinas@kaufmanrossin.com.