In the rapidly changing world of technology, data security remains a top concern for small business owners. As technology becomes more sophisticated, however, so do cybercriminals, who have become more tenacious than ever in their attempts to break through security walls and steal company data and funds. Below are three types of new and emerging threats to data security of which small businesses need to be aware, and tips on how business owners can protect themselves.
While convenient, Bring Your Own Device (BYOD) poses a slew of threats to data security. To steal information, hackers have created new ways to exploit the vulnerabilities of employee-owned devices and their users.
One emerging trend today is a new form of phishing called SMiShing, said Steve Brunetto, director of product management at Edgewave, a Secure Content Management (SCM) solutions developer.
“In SMiShing, cybercriminals use Short Message Service (SMS) to contact users and ask them to click on a malicious link,” he explained. “Once clicked, a malicious app download is triggered, taking the user to an infected website.”This website then enables attackers to collect login information, passwords and other confidential data.
Hackers can also get into employee-owned devices using another tactic known as app repackaging. “App repackaging involves cybercriminals injecting malicious code into a legitimate app and then reloading it to a third-party site,” Brunetto said. Unsuspecting users then install the app, exposing their devices to undetected data theft. App repackaging allows hackers to collect user data, change device settings and even control the device from a remote location.
To protect themselves from BYOD malware, Brunetto encourages small businesses to make sure every device has a secure browser that offers frequent security updates. Businesses should also employ Mobile Device Management (MDM) tools that give them visibility and control over devices accessing their networks, including the ability to locate lost or stolen devices and remotely wipe them of sensitive data.
He also advises businesses to establish clear BYOD usage policies that employees both understand and follow. It should also address critical issues such as password protection, third-party software and the risks of downloading apps that aren’t from a trusted provider. “The policies should be signed by each employee, and training should be adopted to make sure there is organization-wide understanding of the importance of abiding by them.”
Identity theft doesn’t only apply to individuals. Today, small businesses everywhere are a prime target. Unlike large corporations, small businesses often have the perfect combination of having enough funds to entice theft and not enough security to protect them.
“The real change in threats over the past few years has been the level of targeting,” said John Pescatore, director of emerging security trends at SANS Institute, a leading computer security training and certification center.
Instead of targeting companies as a whole in hopes of damaging anything they randomly hit, attackers are now researching key personnel, such as CEOs, CFOs, email and database administrators, and webmasters. With the amount of public information available online, attackers are well-equipped with the knowledge they need to cater messages to these individuals and lure them into clicking.
Attackers send very targeted emails – such as ‘Hi, Sally - great time in that 10K race! Attached is a picture of you at the finish line’ – which lead to very targeted malicious executables getting installed on those people's PCs or laptops, Pescatore explained. “They compromise PCs, then communicate out to the cyberthieves and get instructions to siphon databases of financial accounts, intellectual property, customer information, et cetera,” he said.
To prevent company account takeover via identity theft, small businesses should implement security measures that go beyond password protection.
“Security experts agree that the best way to protect an identity from being hacked is to move out the authentication process to a device that is not connected to the Internet,” said Stina Ehrensvard, CEO of Yubico, the creator of Yubikey two-factor authentication. Near Field Communication (NFC), where two devices centimeters apart can communicate and transmit data between one another, enables secure login and payments. NFC is now integrated in more than 100 million mobile devices, a figure that's growing.
Pierluigi Stella, chief technology officer and founder of Network Box USA, a Houston-based computer security provider, also offered this advice to businesses: Make everyone follow the rules. Most hackers are able to permeate company networks because employees let them. In some organizations, even after the IT team has blocked access to malicious emails and websites, exceptions are often made for higher-ups, such as C-level execs who demand free reign.
“The most important recommendation I can give someone today is do not give in to your executives' presumption of innocence,” Stella said. “Lock your network and also block browsing for the higher ranks, as no one is truly exempt from possible issues and the ones caused by the C-levels are the worst issues your company could get into — if a hacker puts his hands on your company's bank account access codes, your company might be history."
Think insurance has you covered? Stella warns that banks won’t always release companies from liability if their funds are stolen. “Banks are starting to react,” Stella cautioned. “If they can show gross negligence on the way their customers are protecting their access information, they may be able to push that responsibility back to their customers. So, watch out, because the next time your bank sends a wire to Lithuania on your behalf, you may be held liable for it if the bank can show that hackers stole your credentials because you did not protect your network properly.”
Increasingly, threats to data security are coming from inside the company itself. Although IT people secure the network from outside access, many companies fail to look at security holes within the organization. As technology becomes more complex and specialized, companies tend to rely on their IT providers to block access from outsiders, without realizing that security dangers are lurking between their own walls. Consequently, employees, vendors and even suppliers to vendors leak data, provide unauthorized access to others and engage in other risky behaviors that compromise the company, whether or not they intend to. And cybercriminals know about these security flaws all too well, said Rob Fitzgerald, data security expert and president of the Lorenzi Group, a data security provider.
“Professionals know that most businesses are locking down the outside, but leaving the inside wide open,” he said. Fitzgerald said one of the most effective ways to tighten security and create safer work environments is to implement security analytics solutions, while continuously monitoring security systems. Companies should always verify who is on their network at all times and why. “The rise of data misuse is alarming. In some situations, IT simply needs to re-evaluate their security policies. In other situations, IT needs to lock down data. By proactively monitoring for anomalies and risks, companies can reduce their data security risks while improving their operations.”
For immediate protection, Fitzgerald recommends that small businesses continually educate employees on what is considered acceptable and unacceptable use on the company’s network and associated devices. Small businesses should also encourage employee input and assistance to be their eyes and ears to prevent and minimize risks. Data security is a company-wide effort that requires the cooperation of all employees and vendors, both to safeguard the company’s interests and to protect their own.