08/06/2015

By Scott Zoldi, Vice President of Analytic Science at FICO


A data breach for a small business can be devastating. In fact, it’s estimated that about half of companies are out of business within six months of a cyber breach. The costs aren’t limited to the immediate theft or data loss; they also include the compromise of private communications with other companies and customers, vendor contract details, confidential business information and reputation, all of which affect future income.

The internet has opened up the market for businesses; companies of all sizes and from any location can reach new and larger markets via ecommerce. This also means cyber criminals can attack businesses of all sizes anywhere in the world. Furthermore, in today’s environment small enterprises are increasingly reliant on third-party services and an ever-increasing array of computing equipment in their operations, both of which often come under attack.

You will have heard about the attack on Sony and other major breaches because big companies make big headlines, but the majority of breaches happen to small businesses. In fact, more than 80% of breaches are estimated to occur to small businesses, which is troubling because small businesses are the most vulnerable and the least aware.

So, how do you secure an organisation with limited resources? The first priority is to not be an obvious target. 90% of attacks are associated with weaknesses in basic controls such as firewalls, default passwords, VPNs and two-factor authentication. Getting these simple steps right ensures your business isn’t noticeably insecure. I can’t tell you how many times I’ve heard of companies’ security passwords being “password” or the company’s name. It just shows how a little extra effort can strengthen cyber defence considerably.

Secondly, if your business takes payment data and customer information, then doing a PCI audit is critical. Businesses must always be PCI compliant, but you would be surprised at how many small businesses are still not there. This not only jeopardises customer information, but it opens a company up to sizeable fines from the card associations and significant damage costs after a breach. If you hold data at rest, ensure it is protected as PCI requires, so that if cyber criminals breach you, any data they find will be useless to them. A more secure option is to look into outsourcing services to process and protect the financial transactions, so that card data never even touches your networks.

Additionally, here are some quick security fixes to ensure everyone in your business is doing as much as they can to prevent a security breach:

1. Don't let your PC go unprotected: Move off of Windows XP if you still have computers running it, as support and updates for Windows XP ended in April last year.

2. Coordinate policies with processes: Make sure everyone in your company is clear about your data-protection policies and what they can and cannot store on their personal computers.

3. Keep sensitive data safe: Do not use a general-purpose computer to store sensitive data. For example, don’t use the computer that holds it to check email or surf the web.

4. Regularly review what information you store: Check over what information is being stored on your server(s), and verify that any confidential or monetary data is sufficiently protected.

5. Maintain PC protection: Confirm that you have automatic software updates and antivirus updates enabled and ensure firewalls are maintained.

6. Plan ahead: Put a disaster recovery plan in place. It should include who to call when something bad happens; offsite backup so you can recover from fire, flood, physical theft and hackers; and a record of what (if anything) your insurance policy covers for downtime and other costs associated with hackers.

7. Be in good company: Develop a relationship with your local government authorities before you need to call on them in a crisis.

8. Do your data homework: Collect computing logs and occasionally review them because they will prove valuable during incident response, helping you to learn what your computers normally do, respond to cyberattacks more quickly and potentially spot hackers before a damaging breach.

9. Consider managed security services: Advances in cybersecurity technology, including the use of more sophisticated analytics, can be difficult to keep on top of. Managed security services can ensure that you are as well-protected as larger firms.

10. Support cyber protection and knowledge sharing: We all need to share actionable data on cyber breaches so that experts can gain a community view of the shared threats that exist and hopefully fold those threats into an actionable analytic approach that reflects the real risk of cyber threats.
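Item 8 above recommends collecting logs and reviewing them so you learn what your computers normally do and can spot an attacker early. The following is an added example, not code from the article or from FICO, of what such a review can look like in practice: it parses a handful of constructed sshd-style authentication log lines (the format is an assumption; your server's logs may differ), builds a baseline of which addresses have ever logged in successfully, and flags sources whose failed-login count exceeds a threshold, using a stricter threshold for addresses never seen logging in normally.

```python
# Added example, not part of the original article. Minimal authentication
# log review: establish a baseline of "normal" sources and flag outliers.
import re
from collections import Counter

# Constructed sample log lines in an sshd/syslog-like format (assumption:
# a small office server's auth log looks roughly like this).
SAMPLE_LOG = """\
Jun  8 09:01:12 office sshd[1201]: Accepted password for alice from 192.168.1.20 port 51234 ssh2
Jun  8 09:03:40 office sshd[1210]: Failed password for alice from 192.168.1.20 port 51240 ssh2
Jun  8 09:03:55 office sshd[1210]: Accepted password for alice from 192.168.1.20 port 51240 ssh2
Jun  8 11:15:02 office sshd[1302]: Failed password for root from 203.0.113.77 port 40001 ssh2
Jun  8 11:15:03 office sshd[1303]: Failed password for root from 203.0.113.77 port 40002 ssh2
Jun  8 11:15:04 office sshd[1304]: Failed password for admin from 203.0.113.77 port 40003 ssh2
Jun  8 11:15:05 office sshd[1305]: Failed password for admin from 203.0.113.77 port 40004 ssh2
Jun  8 11:15:06 office sshd[1306]: Failed password for invalid user test from 203.0.113.77 port 40005 ssh2
Jun  8 11:15:07 office sshd[1307]: Failed password for invalid user guest from 203.0.113.77 port 40006 ssh2
Jun  8 14:20:30 office sshd[1400]: Accepted password for bob from 192.168.1.31 port 52000 ssh2
"""

# Matches both "Accepted password for <user>" and "Failed password for
# [invalid user ]<user>" and captures the source IPv4 address.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """Return (result, user, src) tuples for every line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("result"), m.group("user"), m.group("src")))
    return events


def failures_by_source(events):
    """Count failed logins per source address."""
    return Counter(src for result, _, src in events if result == "Failed")


def known_good_sources(events):
    """Baseline: addresses that have at least one successful login."""
    return {src for result, _, src in events if result == "Accepted"}


def flag_suspicious(events, max_failures=3, unknown_max_failures=2):
    """Return {src: failure_count} for sources that exceed their threshold.

    Addresses in the baseline get the lenient threshold (a mistyped
    password now and then is normal); addresses never seen logging in
    successfully get the stricter one.
    """
    fails = failures_by_source(events)
    normal = known_good_sources(events)
    flagged = {}
    for src, n in fails.items():
        limit = max_failures if src in normal else unknown_max_failures
        if n > limit:
            flagged[src] = n
    return flagged


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    print("baseline sources:", sorted(known_good_sources(evts)))
    for src, n in flag_suspicious(evts).items():
        print(f"review needed: {src} had {n} failed logins")
```

Running this over the sample flags 203.0.113.77 (six failures, never a success) and leaves alice's single typo from a known office address alone. The thresholds are arbitrary starting points; the point of the exercise is that once you have a baseline of normal activity, even a short script makes the unusual stand out.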

Once you have the fundamentals in place, the next step is to investigate some of the new breakthrough alternatives that will best protect your business, and your pocket. Today’s innovations include analytics and machine learning, and the devaluation of data. If you are a small business, look into P2PE or tokenisation, which can be very cost effective. Securing a business today with a very small budget is challenging, but ignoring cybersecurity is no longer an option.