The Good, Bad, and Ugly of Information Security for Small and Medium Businesses
Information security can be a scary landscape to navigate for small and medium businesses. Cyber criminals seem to be present at every turn and every time we read the news, some piece of formerly-trusted technology is being used to attack us or steal our intellectual property. While this all seems bad and ugly, there is some good to be had from the situation as well.
Attacks against businesses have increased sharply in the last few years, and the pace continues to ramp up. Each iteration brings more sophisticated tools and techniques, leaving many businesses confused and frustrated about what they should actually do to handle them.
In the world of organized crime and international business, destabilizing companies and conducting espionage is often a business in and of itself. These attacks typically target sensitive information held by, or about, companies, often with the goal of gaining unauthorized access to intellectual property in order to sell it to competitors. In fashion and apparel, for example, stolen designs enable competing companies to produce quick knockoffs and get them to market before the original designs can be produced and released to customers. Once such information has been breached, the loss of strategic advantage and the damage to the reputation of the affected organization are nearly impossible to quantify.
Worse yet, we have to be concerned not only with our own security, but with the security of everyone we do business with, from one end of our supply chain to the other, all the way down to our janitorial staff. As a stark illustration, recall the Target breach, in which attackers made off with payment card data and personally identifiable information belonging to tens of millions of the retailer's customers. It was ultimately determined that the attackers got in using network credentials taken from an HVAC vendor with weak security, and moved from there to the systems that held the data (CIO.com).
Small and medium businesses are the latest target for such criminal efforts, and unfortunately they are also among the most vulnerable. Larger organizations may have the resources to staff sizeable information security departments and to fill data centers with the latest security technologies; smaller organizations often cannot afford this level of specialization, or the resources to maintain it properly even if they could. Even small companies with no public presence can fall victim to sophisticated attacks, being cut down before they have a chance to get off the ground.
The days when smaller organizations could avoid attacks simply by being cautious are long gone. Phishing email now arrives with proper formatting and carefully crafted, grammatically correct English, and attackers are deep in our systems before we see a hint that anything is wrong. Internet of Things (IoT) devices such as internet cameras and programmable thermostats can serve as an easy gateway into our back-end systems if they share a network with them, enabling attackers to harvest credit card numbers from our payment systems or alter data in other systems at will. Beyond the standard fraud and breach issues, this opens the door to second-order attacks, such as altering a shipping manifest so that hundreds of items are sent instead of the single one that was ordered and paid for, or changing the price of an item from a thousand dollars to a penny.
Economic Denial of Sustainability (EDoS) attacks tie up our time and money in order to keep us from conducting business and meeting our critical goals. The term originally described attacks that run up a victim's metered cloud bill, for example by generating enough traffic to trigger auto-scaling, but the same idea applies more broadly. Attackers might work through third-party systems such as our local utility or internet provider in order to inflate our bill in their records. Yes, the charges are clearly incorrect and, yes, we can sort them out in the long term, but if we would like to have power or internet tomorrow we may end up paying the bill and spending resources on resolving the dispute, all while falling behind on our own goals and deadlines.
In the same vein are ransomware attacks such as CryptoLocker. We arrive at the office in the morning to discover that our systems are infected with malware and all of our critical files have been encrypted. If we don't pay the ransom, we may never get the files back. If we do pay, we may or may not receive a working decryptor in a reasonable amount of time, and even then decrypting everything is a major hurdle; the only reliable way to recover is from backups that the attacker could not reach, kept offline and tested in advance. In the meantime, we can't conduct business until we deal with the attack one way or the other.
In the face of all of this bad news, there is a path forward for small and medium businesses. While it can all be massively overwhelming, we need to understand that there is no such thing as being perfectly secure, no matter the size of the company or the resources we can apply to the problem. What we do need to do is demonstrate that we have taken reasonable steps to be as secure as we can be, and that we can show a reasonable level of due diligence in this area.
From a technical standpoint, we need simplicity over complexity: a set of systems and services working together smoothly in order to accomplish our goal of strong security. Implementing sets of isolated security systems only takes resources away from where they are actually needed, and denies us the broad view and unified set of metrics we need in order to know whether we are succeeding.
Particularly for small and medium businesses, a vendor who understands how all of these systems interconnect and communicate can be invaluable. We need to focus on the core competency of our business and not become distracted by the minutiae of running our security systems. While we may not easily be able to scale our own expertise, we can certainly outsource the items we cannot or do not want to handle internally. When expanding into international markets in particular, these resources can help us navigate the complex issues involved in operating in other countries and geographies, such as data residency rules and the restrictions on sharing personally identifiable information across borders.
In the future, we will see more security regulation within and across industries. Good present-day examples are PCI DSS and SOC 2 compliance. While these are not government mandates, they are most certainly part of the cost of doing business with larger companies. Such efforts may seem intrusive and cumbersome for smaller organizations, but they set the bar for a certain level of maturity, eventually becoming common practice and raising the level of security for everyone.
We need to be willing to make the proper investments and take the necessary precautions to ensure the security of our businesses. Forming strong partnerships with companies that stay on top of developments in these areas can pay long-term dividends.
Nick Belov is Chief Information Security Officer at CGS. Prior to joining CGS in 2016, Nick was Director, Information Security Risk Management for MUFG, Union Bank.
Nick has more than 15 years' experience in IT and security.