
Cyber Security for Small Businesses


Unlike major corporations, small businesses don’t have huge budgets to allocate towards bolstering their cyber security. However, small businesses are increasingly finding themselves under attack by hackers for this very reason. Hackers see small businesses as soft targets, or what the industry calls “low-hanging fruit.”

Hackers have many motives for their attacks. The leading ones are:

  • To steal ePII (electronic Personally Identifiable Information) such as Social Security numbers, credit/debit card information, dates of birth, addresses, names and driver’s license numbers.
  • To acquire login credentials for a business’ payroll system and bank account to redirect funds to accounts under their control.
  • To encrypt all the data on the business’ computer systems and demand a ransom before the decryption key is released.
  • To use the compromised machine(s) as a pivot point to launch further attacks on others so they can hide their tracks.

There was a time when anti-virus (AV) technologies alone were sufficient protection. Those days are long gone. Even the AV companies themselves are telling their customers that as a single solution, AV is not adequate protection. Hackers have devised quite sophisticated techniques to evade AV technologies. This is because AV is signature-based. If the AV software doesn’t have a signature for the attacker’s malware, it will go undetected.

Major IT security vendors realized they were making a serious mistake by offering technologies that only major corporations could afford to purchase. In the last few years, these same vendors designed new technologies to specifically serve the SMB market. One of the greatest new tools available is SaaS (Security-as-a-Service). This allows a business to outsource its IT security to an MSSP (Managed Security Service Provider) who manages the security of the company’s IT infrastructure over the Internet.

The hacker mindset is to attack the weakest link in the IT chain. So a defense-in-depth approach is best. This method creates multiple layers of defense that hackers have to overcome, which increases the chance of being discovered. A good place to start is to:

  • Keep all operating systems and third-party software up to date and patched for security.
  • Use both software- and hardware-based firewalls.
  • Encrypt data both at rest and in motion.
  • Implement a policy that fosters safe usage of computer resources.
  • Keep AV updated and run scans daily.
  • Implement an intrusion detection system to fortify the defense even further.

The degree of a business’ security should slightly exceed the importance of the data it stores/processes. If it stores/processes very sensitive data, its security should be more robust than a business that is merely trying to prevent someone from using its computer to attack someone else. If a business has a high-value client, it can reasonably assume it is a high-value target. It should want to defend itself accordingly.

About the Author: Kai Pfiester holds numerous cyber security certifications and is the owner of Black Cipher Security, a local IT security consulting firm. 
