Your Business Is Never Too Small For A Cyber Attack, Here’s How To Protect Yourself
This article is by George Westerman, a research scientist in the MIT Sloan School of Management’s Center for Digital Business. He is co-author of IT Risk: Turning Business Threats Into Competitive Advantage.
A few years ago I was working with a small consulting firm, and one of our up and coming salespeople left for a competitor. No big deal. It happens. But several months later, the management team noticed a disturbing trend. The company kept losing bids for new business to this very same competitor. It had happened four times in a row when finally we realized that we’d forgotten to turn off the former employee’s network access. He had been logging into our network, stealing our information, and then undercutting us.
As cybercrime reporting goes, this may be small potatoes. But it wasn’t small to this company. It illustrates a problem that plagues many small and medium-size businesses: When it comes to Internet security, a lot of people aren’t paying attention. They think they’re too small to be the target of a cyber threat.
They’re wrong. According to a recent study cited by the U.S. House Small Business Subcommittee on Health and Technology, nearly 20% of all cyber attacks hit small businesses with 250 or fewer employees. Roughly 60% of small businesses close within six months of a cyber attack.
The fact is, if you’re in business, you’re a target. If you’re on the Internet, you’re already under attack. Companies today face what’s known as an advanced persistent threat, a category of cybercrime that involves Internet-enabled espionage directed at corporate and political targets. Hackers are not just nerdy teenage kids fooling around in their basements; they are sophisticated criminals trained to identify and exploit Internet vulnerabilities. Hackers try to make money any way they can. They look for information on your accounts and finances. They look for information about your employees and your customers—Social Security numbers, addresses, credit cards, and other personally identifiable information. They try to use you as a tunnel into the systems of your suppliers and customers.
Internet security is not just a technology problem; it’s a people problem. According to CyberFactors, in-house employees commit about 40% of reported breaches. Some are disgruntled workers or ex-workers; some are serious bad guys. But often it’s people doing things they don’t even know are unsafe.
As a manager, how can you better protect your company? Here are three guidelines.
First, train employees on IT risk. People who are risk-aware do fewer risky things. They do not need to know every threat or technical detail, but they should know the basics. Teach them how hackers operate: Explain how hackers constantly run scripts across the Internet to find unprotected computers and then use tool kits to launch massive attacks on those weaknesses. Teach them how to recognize scams and phishing schemes—emails or phone calls from purportedly trustworthy groups that try to get access to your credit cards and financial accounts. Use vivid examples so they get it. In 2011, for instance, Condé Nast received an email that appeared to have been sent by its printer requesting that payment be sent to a different account. The magazine publisher lost nearly $8 million before learning that its printer had never changed its banking information and hadn’t received any of the money.
Make sure employees understand how to protect the data on their PCs, tablets, smartphones, and other devices. Educate them on the dangers of putting personally identifiable information on the Internet that can be used to acquire passwords or run scams. Make sure the data on their PCs is encrypted. Tell them how they can protect themselves when they’re traveling and accessing sensitive company information from a foreign network. Help them make smart choices.
Second, create clear and simple company policies regarding technology. Make sure your employees understand how and when they’re allowed to use personal devices on company networks. Make sure any changes to the network are reported or automatically logged. I once consulted for a semiconductor firm that, naturally, had very strong Internet security and a powerful firewall. However, one of its engineers added a wi-fi card to his desktop computer so he could access the network from other parts of the building. Unfortunately, this wi-fi card also allowed hackers to access the network from the parking lot.
Make sure your employees have passwords that are strong and are changed on a regular basis. Tell them the danger of using the names of their kids or their dogs (these details are easily found out on social networks); do not use “12345″ or the word “password.” Make sure employees know they should not leave passwords on sticky notes on their desks. (I’ve seen this too many times. Hiding something under your keyboard does not make it safe.) Create a protocol for how to deal with a lost or stolen device.
Then follow through. Routinely check to ensure that policies are being followed. Run low-cost phishing experiments—it’s amazing how many people still click on URLs in emails purporting to be from the email administrator, the CFO, or their bank. Occasionally audit computers and network log-ins for suspicious activity. Check peoples’ desks for passwords and other sensitive information. Establish consequences, and hold people accountable for failing to follow the policies.
Third, put somebody in charge of security. Big companies have armies of security specialists who work full-time on these issues and protect their company’s information. Obviously this is harder to pull off when you’re a smaller company without vast resources. But even small companies must give someone clear responsibility for security.
Leading security doesn’t have to be a full-time job, but it must be part of someone’s. You may need to invest in training or hire part-time consultants to help your security person get up to speed. Then be sure you give them attention and support when they want to make a change. Without focus and attention, security will suffer. And so may your company.
When it comes to security, being small is not a protection. It doesn’t take a lot of investment to put basic protections in place. But it does take attention and effort. Start now to protect your company, your employees, and your customers.
Leave a Reply