Verizon’s 2020 Data Breach Investigation Report indicates that cybercriminals don’t care how big or small your business is — they want your credentials and data regardless (and will do what they can to get them)
Data breaches can (and do) happen to all types and sizes of
businesses across every industry — and small businesses are no different. Verizon’s 2020 Data Breach Investigations Report (DBIR) reports that 28% of data breaches were experienced by small businesses in 2019.
businesses across every industry — and small businesses are no different. Verizon’s 2020 Data Breach Investigations Report (DBIR) reports that 28% of data breaches were experienced by small businesses in 2019.
While this may not sound like much, just take a moment to consider that the Small Business Association (SBA) estimates that there were 30.7 million small businesses in the U.S. as of 2019. That’s a whopping 99.9% of the businesses that exist within the U.S., and they’re responsible for employing more than 47% of the country’s private workforce!
The U.S. economy rests on the backs of small businesses, which means that every business, no matter how large or small, needs to take steps to protect themselves from cyber threats. In this article, we’re going to cover some of the top data security mistakes that small and midsize businesses make that lead to data breaches.
Data Security: The Top Causes of Data Breaches for SMBs
When it comes to strengthening your cybersecurity and data security efforts, there are lots of things small businesses can do well and places where they tend to drop the ball.
1. Small Businesses Believing That They’re “Too Small” to Be Targets
The biggest data security mistake that SMBs make is thinking that their business is too small to be targeted by cybercriminals. Just because your business is categorized as a “small business” doesn’t mean that cybercriminals are going to just magically choose to ignore it.
Considering that the U.S. Small Business Association (SBA) says that small businesses (depending on the industry) can have upwards of 1,500 employees or up to $41.5 million in annual receipts, there’s a lot of wiggle room in terms of what’s actually considered a small business.
Think that your business is too small to be worth the effort of cybercriminals? Think again. If your business has any type of data —
customers’ personally identifiable information (PII), employee credentials,
financial records, intellectual property, trade secrets — then they want it.
Like Smeagol and his ring, your data is Precious to cybercriminals.
customers’ personally identifiable information (PII), employee credentials,
financial records, intellectual property, trade secrets — then they want it.
Like Smeagol and his ring, your data is Precious to cybercriminals.
Why? Because they can use it to commit fraud, steal money, or sell to your competitors or other cybercriminals. Yeah, cybercriminals are greedy that way.
Simply put, neither you nor your customers can afford for you to be complacent about cybersecurity.
2. Not Providing Cyber Awareness Training to Employees and Other Authorized Users
In many cases, the social engineering awareness and cybersecurity savviness of your employees may be the only things standing between a cybercriminal and your most valuable data. This is why cybersecurity awareness training is a critical part of your organization’s cyber defenses. Education is what helps your employees understand and recognize the different types of social engineering tactics and cyber threats that lurk on the web.
Unfortunately, not all organizations recognize the value of offering such training. The results of the GetApp Data Security Survey 2019 shows that fewer than one-third of businesses provide social engineering awareness training to their employees. Furthermore, the business app and software discovery platform also reports that general data security and cyber security training are lacking at many organizations:
“GetApp’s recent data security survey found that 43% of respondents report that their company does not provide data security training on a regular basis; 8% reported never receiving training.”
But why is this training so important? Verizon’s 2020 DBIR states that cybercriminals are primarily concerned getting access to credentials and personal data from any organization regardless of its size. The reason they want to get their hands on your info is because it allows them to gain access to any accounts (and any systems those accounts have access to) that use those credentials. After all, it’s a lot easier for a cybercriminal to walk through the front door than it is to hack their way through a (fire)wall and into your network.
Some of the ways that they get this information is through business email compromise and phishing scams. Business email compromise (BEC) is a big and costly issue for businesses globally. The FBI’s Internet Crime Complaint Center (IC3) reports that it received 23,775 BEC complaints that resulted in more than $1.7 billion in losses in 2019 alone.
Proofpoint reports that a whopping 99% of the successful phishing attacks they observed in 2019 required human interaction. This means that the target did something that ultimately enabled the attack to be successful. In many cases, this involved employees not following cybersecurity best practices. Their bad decisions resulted in stolen credentials and data, malware installation, wire fraud, and a host of other issues.
3. Not Controlling or Limiting Access to Networks and Databases
Make no mistake: Cybercriminals want access to your data no matter how big (or small) your organization is. If external threat actors can get their hands on legitimate user credentials, they’ll use it to access whatever systems the compromised user accounts have access to.
But external threats aren’t your only problem. Sometimes, the biggest cybersecurity threats are those that come from within your own organization — what are commonly known as insider threats. Threats relating to employee behaviors are the top challenges reported in CyberEdge Group’s 2020 Cyberthreat Defense Report:
"The new #1 concern: detection of rogue insiders and insider attacks. A close second: user security awareness and education. Clearly, enterprises need to devote more attention to monitoring and educating their own people.”
Thankfully, there’s something that you can do to limit the reach of both internal and external cybercriminals and contain the damage they cause: implement access control. This process involves limiting access your network, databases, and other critical systems to only those individuals whose jobs actually require it.
This means that no matter how much James in Human Resources complains or says otherwise, there’s no reason for him to have access to your customer data. There’s a big difference between someone wanting or needing access to data — it’s critical that you recognize the difference and take steps to limit access.
Don’t believe us? There are multiple glaring examples of insider threats and external hackers using compromised credentials that have made headlines:
- A longtime structural engineer who worked for Rockwell and Boeing stole and sold sensitive information to the Chinese government.
- A Tesla employee used his access to export proprietary company data to
unknown third parties. - A hacker used the compromised credentials of a
third-party HVAC vendor to breach Target’s network, resulting in the well-known
2013 Target data breach. - Russian hackers used a third-party vendor, All-Ways Excavating USA, as an attack
vector to hack the U.S. power grid.
4. Not Performing Timely Updates and Patching
Running a business that operates on outdated legacy equipment is like fighting a battle while wearing crappy armor. You’re going to take a lot of damage and likely will succumb in the end without timely intervention.
Not updating and patching your system regularly leaves gaping holes in your cyber defenses. I’m talking holes big enough that a Mack truck could plow through them. To combat these vulnerabilities, manufacturers release updates and patches with the hope that they can plug those holes before they get exploited by hackers and other cybercriminals. (Think of Microsoft’s Patch Tuesday releases.)
But what happens if you don’t apply one of these patches in time? One of the most obvious examples of a failure to apply updates and patches was the 2017 WannaCry fiasco. Despite Microsoft releasing a patch that would eliminate a vulnerability in their legacy Windows operating systems, organizations and businesses of all sizes globally found themselves the targets of a mass ransomware attack because of one simple fact: They didn’t apply the patch.
Another big example was the Equifax data breach. That particularly devastating breach exposed the personal and financial data of hundreds of millions of consumers in the U.S., Canada, and the U.K. If the credit reporting agency had applied a web application vulnerability patch when it first became available two months earlier, they likely would have avoided a data breach altogether. But you know what they always say — hindsight is 20/20.
Image source: U.S. Securities and Exchange Commission. The data in the table above reflects a summary of the data that was stolen in the Equifax data breach concerning the exposed U.S. consumers.
5. Not Adopting a Defense-in-Depth Approach to Cybersecurity
Cybersecurity isn’t about being 100% impervious to attack — it’s about making yourself a tougher target than the guy next to you. If a cybercriminal has the choice of trying to hack your highly fortified network or the vulnerable network of your competitor, which company do you think they’re more likely to set their sights on? I’ll give you a hint: It’s not the company with the virtual steel-reinforced barriers and bazookas.
Unless you know something that the rest of the cybersecurity world does not, it’s simply not possible to prevent every cyber attack. And there’s no single tool or method that can make you 100% resistant to cyber threats. But having a defense in depth strategy is key to making your small or midsize business a tougher target… and that’s all that anyone can hope for.
Defense in depth, a term that originated in military circles, is a holistic approach to shoring up vulnerabilities and protecting your data. It’s a combination of tools and strategies that aim to detect threats and mitigate them. The idea here is to manage risk with diverse strategies that can step in where another layer of defense fails.
According to a report shared on the US-CERT website:
“Layering security defenses in an application can reduce the chance of a successful attack. Incorporating redundant security mechanisms requires an attacker to circumvent each mechanism to gain access to a digital asset.
For example, a software system with authentication checks may prevent an attacker that has subverted a firewall. Defending an application with multiple layers can prevent a single point of failure that compromises the security of the application.”
What You Can Do to Protect Your Small Business
Okay, so you know some of the big ways that SMBs are dropping the ball. But what can you do to make sure you’re not fumbling as well? Some examples of defense in depth tools and approaches that you can put into action include:
- Making applying updates and patches a priority to keep your software applications, operating systems, servers, and other IT infrastructure up to date (and as secure as possible).
- Implementing network perimeter defense tools and processes (firewalls, antivirus and anti-malware software, network segmentation, etc.).
- Using automation tools and technologies to detect threats (IDS/IPS, SIEM tools, etc.).
- Filtering web and email traffic.
- Limiting access to only authorized individuals (maintain access lists, implement a policy of least privilege, use client authentication certificates and multi-factor authentication tools, etc.).
- Evaluating your vendors and their cybersecurity policies, processes, and procedures.
- Providing employee training and enforcing policies and procedures.
Another critical component of strong data security (and cybersecurity) is properly configured and managed public key infrastructure. PKI, as it’s otherwise known, as an overarching system and framework that encompasses policies, processes, procedures, and technologies that authenticates parties and secures all of the data that you send and receive online.
This includes all types of data — everything from website transactions and emails to mobile apps and software.
But what if you’re a small business (even by the SBA’s small business standards) that can’t afford a bunch of fancy tools and multiple IT employees to use them? You’re not alone. There are plenty of companies in your shoes.
However, the good news is that you can still plenty of ways you can protect your business without a big team. Another option, too, is to outsource your cybersecurity needs to a managed security as a service provider (MSSP).
Regardless of the approach you choose, doing something to protect your small business is better than doing nothing. Do everything within your power to make yourself a more challenging target than other SMBs.