The sobering statistics of SMB cyber security.

In 2020, the Cyber attacker is not going to be going after the quantity of hacks, but rather, for the “quality” of attacks. In other words, they simply just won’t launch a specific threat vector en masse, but instead, they will pick a very select number of victims.

From there, they take their own sweet time to study them, and trying to learn as much as they can in terms of the assets they possess as well as their weaknesses and vulnerabilities. Once the Cyber attacker feels comfortable in achieving this task, he or she will then make their grand entrance into the system, without anyone even knowing about it.

From this point forward, the Cyber attacker will then “live” inside of the target for extended periods of time, in a covert manner. The goal now is to steal as many IT Assets as possible, but little by little, so that the target is totally unaware of it, until it is too late.

But apart from this, 2020 will also usher in a newer trend: Rather than trying to break into the walls of defenses of the Fortune 500, the SMB will now be the new target.

Why Don’t SMBs Take Cybersecurity Seriously?

So, why doesn’t the SMB take their own Cybersecurity seriously? It comes down to two primary reasons:

• Since it has been primarily the much larger businesses that have been broken into, many SMBs simply think that they won’t be the next target;
• Many SMBs are on a very tight budget, and because of that, they simply cannot afford to have all the sophisticated technologies and tools that a much larger company can have. But, with hosted security offerings making a huge splash now, this should no longer be an issue.

There are other reasons as well, which are as follows:

1. Because many SMBs tend to be quite small (say, perhaps 20 employees or less), a family like culture over time starts to evolve. Because of this, great levels of trust are often created, and from within this, a very lax and relaxed atmosphere soon starts to precipitate. In this regard, many passwords and login credentials are shared amongst one another. But an SMB owner just never knows when an employee can turn on them and launch an Insider Attack.
2. As just described, the lax atmosphere also transcends down into the overall IT security practices as well. For example, many SMB owners are aware of the fact that installing and deploying the latest software patches and updates onto their devices is very important, but this seems to take a very low priority until it is too late to do anything about it.
3. Because many of the SMBs have very tight cash flows, they cannot afford to pay elaborate perks or bonuses to their employees. Because of this, an SMB owner will usually offer some other sort of incentives, such as working from home, or telecommuting. But keep in mind that with this scenario, it is highly unlikely that the SMB has actually implemented deep layers of encrypted protection for remote access into their IT and Network environments. Because of this, an SMB employee will typically use an unsecured Wi-Fi connection (such as the ones found at Starbucks or Panera Bread) in order to login. This scenario is a huge honeypot for the Cyber attacker to tap into.
4. In a further effort to keep costs down, many SMBs do not issue company owned devices. Rather, they let their employees use their own devices to conduct their daily job functions, especially their own Smartphones (which is also known specifically as “Bring Your Own Device”, or “BYOD”). This, of course, is a huge recipe for a disaster to happen, as the employee’s own computer may not even have an ounce of security software installed onto them (such as Anti-malware and Antivirus applications).
5. A lot of SMB owners are very often lured into getting and using free services wherever and whenever possible. This is especially true when it comes to using Cloud based services. A typical example of this is the continued use of Yahoo and Gmail for business purposes. While they may be fine to a certain extent for personal use, these services do not offer enterprise grade level security for an SMB, especially when confidential documents or the Personal Identifiable Information (PII) of customers have to be transmitted over the Internet. Just remember this old proverb: You get what you pay for.
6. Apart from procuring hardware (such as servers and other wireless devices), one of the biggest expenses for an SMB is that of software application purchases. Because of this, many SMB owners, are tempted to find business application software packages from online stores such as those of eBay or Amazon. But keep in mind, the licensing that has been associated with them may have already been used (and thus cannot be renewed again) or have even expired. Many of the software providers such as those of Adobe and Microsoft have started to really come down hard software piracy and can even impose large fines and even criminal prosecution. Many of these software applications are now available on the Cloud, for a fixed and affordable monthly price for the SMB. A perfect example of this is the Office 365 from Microsoft, in which an SMB can deploy multiple, legal licenses for as little as $15-$20 per month.

Why An SMB Needs To Take Cybersecurity Seriously

Now that we have provided some details as to why an SMB does not take Cybersecurity seriously, the following statistics illustrate WHY one should take it seriously:

• 60% of all Cyberattacks are actually aimed towards the SMB;
• In a recent survey of 1,000 SMB owners, 85% of them believed that it is only the much larger sized corporations (such as those of the Fortune 500) that are the prime targets for the Cyber attacker. This finding gives credence to the very first reason why SMBs think that they are immune to Cyberattacks;
• 7.4% of SMBs have become a victim of large-scale fraud;
• There are, on average, 3.5 new threat variants posed to SMBs every second;
• The average cost of a Cybersecurity attack for an SMB is at $190,000;
• 58% of all Malware attacks are aimed at SMBs;
• 72% of all Malware attacks have slipped through the lines of defenses of an SMB;
• 40% of SMBs experience at least 8 hours of complete downtime after they have been impacted by a Cyberattack;
• 39% of SMBs claim that at least half of their IT Infrastructure is completely impacted after becoming a victim of a security breach;
• Only 35% of SMBs remain profitable after being hit by a Cyberattack, the others merely are forced to close permanently.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Want to learn more?

The NIST Privacy Framework will complement the popular NIST CSF

Data privacy and cyber security have a symbiotic and sometimes conflicting relationship. Without robust cyber security, it is impossible to ensure data privacy, as evidenced by the Equifax hack. However, it’s fully possible for an organization to seriously violate users’ data privacy despite practicing robust cyber security. To help government agencies and private-sector organizations better manage the risks of collecting and storing user data and bring privacy risk into parity with their broader enterprise risk portfolio, NIST has released a preliminary draft of the new NIST Privacy Framework, with plans to publish an initial completed version by the end of 2019.

The structure of the NIST Privacy Framework closely mirrors that of the popular NIST CSF so that organizations can use the frameworks together. “While managing cybersecurity risk contributes to managing privacy risk,” NIST writes, “it is not sufficient, as privacy risks can also arise outside the scope of cybersecurity risks.” The Cambridge Analytica scandal – which came to light when a former employee blew the whistle, not in the aftermath of a data breach – illustrated this in stark relief.

What’s in the NIST Privacy Framework?

Like the NIST CSF, the NIST Privacy Framework has three components, or tiers, which seek to reinforce privacy risk management by helping organizations connect business and mission drivers with privacy protection activities.

The Core component of the Privacy Framework is a set of increasingly granular activities and outcomes to encourage organizational dialogue about managing privacy risks. It contains five main functions; Identify-P, Govern-P, Control-P, and Communicate-P, are for managing privacy risks related to data processing, and Protect-P relates to managing privacy risks associated with privacy breaches.

Organizations will use the Profiles component of the Privacy Framework to self-assess their current privacy risk management activities or desired outcomes and identify opportunities for improvement by comparing them with a desired target profile. Finally, the Implementation component will help organizations determine whether they have sufficient resources and processes in place to achieve their target profile.

The Privacy Framework is technology-agnostic and “flexible enough to address diverse privacy needs, enable more innovative and effective solutions that can lead to better outcomes for individuals and enterprises, and stay current with technology trends.”

The need for a separate privacy framework

Mobility and connected everything have fundamentally altered the way we live and do business, and consumers now enjoy many conveniences from these technologies. Unfortunately, as the NIST Privacy Framework points out, these conveniences are made possible by data collection on a massive scale, and consumers “may not be able to understand the potential consequences for their privacy as they interact with systems, products, and services.” NIST goes on to say that organizations may not fully understand the consequences, either, and this could have severely negative effects on them in the long run.

Although no federal data privacy law is currently in sight, the California Consumer Privacy Act takes effect on January 1, 2020, and other states are passing privacy legislation modeled on the CCPA. While the NIST Privacy Framework will be voluntary, it seeks to implement some method to the madness and standardize the language around data privacy and privacy risk management.

Public comment on the NIST Privacy Framework draft will be open through October 24, 2019.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

A robust cyber incident response plan will minimize both damages and recovery time and ensure business continuity.

Proactive measures to defend against data breaches, malware, social engineering, and other cyberattacks are crucial to enterprise cybersecurity, but there’s no such thing as a completely impenetrable system. Despite your best efforts, your company could still be hacked; do you know what to do if that happens? A cyber incident response plan gives organizations a specific set of procedures to follow after a cyberattack, allowing security teams to respond faster and more effectively.

Unfortunately, many organizations either don’t have cyber incident response plans or have ineffective ones that aren’t clear, specific, or current. Here are five tips for developing an effective plan.

Begin with a current risk assessment

One of the most common shortfalls in cyber incident response plans is that they don’t address the specific risks the enterprise faces right now because they are developed using out-of-date or incomplete information. Be sure to conduct a thorough risk assessment before putting a plan together. Because both enterprise data environments and the cyber threat landscape are dynamic, you’ll need to conduct periodic reassessments and adjust your incident response plan accordingly.

Don’t develop your plan in a silo

According to research by McKinsey, incident response plans are often developed in organizational silos, where individual departments or business units prepare plans to mitigate targeted attacks. Unfortunately, this leaves the organization unprepared for an attack that spans multiple business units or even the entire enterprise. Make sure that all company stakeholders work together on incident response, and that the procedures address both types of attacks.

Clearly identify your stakeholders and their roles and responsibilities

Depending on an organization’s size, quite a few people can be involved in cyber incident response, from IT and security staff to legal and public relations personnel. Who is the incident commander? Who has the authority to take systems offline? Who notifies victims in the event of a breach, and how? Who handles press inquiries? Make sure that your plan specifies who is involved and what their responsibilities are.

Clearly define incident types and thresholds

Different types of attacks require different countermeasures. A high-risk or critical incident might warrant the full or partial shutdown of a system, but doing this would be overkill for a low-risk incident. Incident response plans should include a quantifiable method to classify cyber incidents according to severity.

Outline clear, specific procedures

Each incident classification category must be attached to clear, specific procedures outlining, in detail, what each stakeholder needs to do as part of the incident response. This includes internal reporting and documentation, investigation, containment and eradication, and recovery. Make sure the procedures outline when external parties, such as law enforcement, government regulators, outside legal counsel, and cyber insurers, need to be involved.

Developing a comprehensive cyber incident response plan is well worth the time and effort to minimize damages and ensure business continuity. According to the Ponemon Institute, companies that contain data breaches within 30 days can save over $1 million in recovery costs.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.