No business is too small to evade a cyber-attack or data breach: That finding of a Ponemon Institute study focused on the cybersecurity threat to small and medium-sized companies (SMBs).
In fact, 55% of SMB respondents said they experienced a cyber-attack in the past 12 months, and 50% of companies represented in this study had a data breach during the past year. The most prevalent attacks against smaller businesses are web-based and phishing/social engineering.
That said, negligent employees or contractors and third parties caused most data breaches: 41% of survey respondents have been impacted by third-party mistakes. However, almost one-third of companies in this research could not determine the root cause. This points out that many of the current technologies cannot detect and block many cyberattacks. Most exploits have evaded intrusion detection systems and anti-virus solutions.
"This data doesn't come as a shock. Soha Systems did a survey in May that found 98% of respondents do not consider third-party access a top priority in terms of IT initiatives and budget allocation,” said Soha Systems CISO Mark Carrizosa, via email.
He added that the management of third party access lifecycles has become one of the most tedious and time consuming efforts within enterprise IT/security functions. What's worse, third-party access methodologies have changed very little in the last decade.
“In fact, a quick-fix process commonly used today provides third party vendors with the same access as employees and contractors,” said Carrizosa. “This method has made third party access low-hanging fruit that easily allows bad actors to exploit a company network…bad actors understand where the weak points are and are actively exploiting."
The study also found that personnel, budget and technologies are insufficient to have a strong security posture. As a result, some companies engage managed security service providers to support an average of 34% of their IT security operations.
Also, determination of IT security priorities is not centralized, the report found. The two functions most responsible are the chief executive and chief information office. However, 35% of respondents say no one function in their company determines IT security priorities.
And finally, cloud usage and mobile devices that access business-critical applications and IT infrastructure will increase and threaten the security posture of companies in the study. However, only 18% of respondents say their company uses cloud-based IT security services and most password policies do not require employees to use a password or biometric to secure access to their mobile devices.
The news comes as The PCI Security Standards Council (PCI SSC) launches resources specifically for small businesses. That group also noted that small businesses don’t have the resources or technical know-how to protect payment card data against theft. With simple diagrams and everyday language, the resources are designed to provide a common point of understanding between merchants, their banks, payment processors, and merchant vendors on why and how to protect against payment data theft.
Photo © Kenneth Sponsle