Many small and mid-sized businesses don’t believe they are likely targets for hackers or malware attacks. I believe this stems from a misunderstanding of what the hackers want. For organizations that believe they don’t really have data that would be valuable to an intruder, the risk of an attack may be severely underestimated.
Many attacks are geared towards encrypting your data and then holding your data or IT infrastructure hostage in exchange for a ransom (this is called a ‘ransomware’ attack, and it is the number one growing area of attacks). In other cases the attackers want access to your systems so they can launch attacks against other organizations while masking the trail back to them, or so your systems can participate in massive Distributed Denial of Service (DDoS) attacks. In a DDoS attack, hundreds or thousands of previously hacked systems are leveraged to flood another organization’s web site or Internet connection, effectively shutting it down for legitimate users.
In fact:
- 60% of attacks target small businesses
- Most attacks take minutes to succeed but weeks to discover (CNBC article)
- 55% of surveyed businesses with less than $10 million in revenue reported 1 or more breaches
- The average recovery cost to an SMB rose from $8,699 in 2013 to nearly $21,000 in 2014
- 33% of firms required three or more days to recover
- 60% of SMBs fail within six months of being hacked
*Sources: National Small Business Association; the Ponemon Institute for Data Security; Verizon; Symantec.
The bottom line is that most SMBs just do not possess the time, resources or the money to tackle issues surrounding information security. Until now (see below).
Just a sample of the things organizational leaders need to consider or know:
- Who has what permissions?
- What software is installed where and is it current?
- Have default passwords been changed on ALL devices?
- Does the current IT support staff need help or lack the specific expertise?
- Does the organization and/or current IT staff take security seriously?
- Has the organization stored its access and password information somewhere secure, for use in an emergency or if IT support staff change?
- When was everything patched with the latest updates? (is this a monthly practice?)
- Is anti-virus installed AND up-to-date?
- Is there an appropriate firewall installed? Are there multiple sites to protect?
- Is the software on the firewall up-to-date (up to a million new threats crop up daily)?
- Is there credit card information, social security numbers or other PII (Personally Identifiable Information) stored on end-user systems?
- Are any of those end-user systems appropriately encrypting data at rest?
- Are regular network and security scans performed to identify potential problems?
- Does anyone have access to systems or data they shouldn’t?
- What happens if someone loses a laptop or mobile device with information on it?
- Are any cloud-hosted systems or resources appropriately secure?
- Who is notified when users are added or access rights are changed?
- Are backups performed on a regular schedule? Is it an automated process?
- Is backup data appropriately stored off-site and is it quick and easy to access? Does the organization know what “quick and easy to access” means in the context of the modern tools that are available?
There are numerous things that can be done to help secure your organization’s systems. Just having a firewall and virus protection software isn’t enough. We recommend an assessment as a first step. We believe it is so important for organizations to at least get an assessment done, and to be able to ask questions, that for now we will provide an initial assessment free of charge.
Note: CNN has reported that up to ONE MILLION new malware threats are released every day.
We’d like to help. The Brightworks Group is an Indianapolis-based IT Managed Services and Support firm founded and operated by senior level IT professionals. Brightworks is offering a FREE network security scan and technology state review.
The scan and conversation are free. Getting hacked isn’t!