It's an unfortunate reality that can't be ignored: Although committed successfully against only a small percentage of the millions of businesses in the U.S., data theft is lucrative to perpetrators and damaging to corporate finances and reputations. On another front, the system paralysis caused by denial-of-service attacks is a satisfying turn of events for anti-corporate activists, unscrupulous competitors or even disgruntled former employees.
The risk of a cyber attack is actually rising for midsized firms. As the largest companies boost their cyber security, midsized and smaller businesses are becoming a greater focus of cyber criminals. Verizon's Data Breach Investigations Report found that nearly 6,000 security incidents occurred at companies with fewer than 1,000 employees in 2013. The only way to fend off such attacks is regular system testing, coupled with comprehensive training and monitoring of employees' online working habits.
Focus on the Weak Areas
Cyber security should begin with employee-focused protocols. Network intrusions most often exploit employee mistakes: Clicking on a phishing email or a fake advertisement can lead to login credentials falling into the wrong hands, for instance. Password protocol should also be near the top of your security checklist. Don't leave the changing of default passwords on all hardware and software assets (especially wireless access points and point-of-sale systems) to departmental employees alone. All employee passwords should be changed on a regular basis. Also, consider implementing two-factor authentication (which sends a one-time code to an employee's cellphone as a second password) or password-manager programs.
Other recommended protocols include regularly updating anti-virus and anti-spyware programs; installing system updates (containing security patches for evolving threats) whenever they appear; ensuring the automatic-update function is activated for applications such as Adobe Acrobat, Java, Flash, Apple QuickTime and any others employees regularly use; and disabling the image-preview feature in email systems (a main avenue for malware and spyware incursions).
Choose the Right IT-Focused Diagnostics
Vulnerability scanning is a process that documents every potential weakness in a software or hardware system. However, it produces so much data that IT personnel could spend months working out which weaknesses actually represent tangible threats to the system. Penetration testing, by contrast, allows a company to assess vulnerabilities using real-world exploits. This helps IT personnel evaluate the potential for each system to be subverted through hacking or malware schemes (the same methods attackers employ), and it also tests your present defense mechanisms.
White-box and black-box testing offer another security option. White-box testing applies to proprietary company software. It tests the application at the source-code level, making sure that no line of code contains an error that can be exploited. Given that the vast majority of software used by midsized firms comes from third parties, however, black-box testing is perhaps even more important. It helps IT personnel evaluate outside components being considered for integration into the company's system when the original source code is not available. Black-box testing allows IT personnel to find both repairable and nonrepairable security flaws and then make informed decisions about whether to use certain third-party products within the firm's system.
Lastly, many companies aren't even cognizant of the number of outside-facing technology portals they have. For instance, there could be legacy marketing or temporary-initiative sites they've long forgotten about. For this, perimeter testing creates an inventory of all externally facing web applications — not just customer-facing sites, but also employee- or vendor-focused applications — and then scans for vulnerabilities, gauging the risk of each one. For mobile apps a firm creates or downloads, security scans identify malicious capabilities, as well as common coding vulnerabilities, before conducting behavioral analysis to reveal if data exfiltration is possible through the app.
How can you get your employees on board with cyber-security efforts? Let us know what you think by commenting below.
Rob Carey is an NCMM contributor and a features writer who has focused on the business-to-business niche since 1992. He spent his first 15 years at Nielsen Business Media, rising from editorial intern to editorial director. Since then, he has been the principal of New York–based Meetings & Hospitality Insight, working with large hospitality brands in addition to various media outlets.