Small Business, Big Breaches
While data breaches involving large organizations dominate the news cycle, small business owners are at equal or greater risk for several reasons. First, small businesses are less likely to have the resources or in-house expertise to defend against ever-evolving threats. Second, malicious actors view small businesses as an attractive entry point to infiltrate larger enterprises. Third, once an intrusion has occurred, the financial and reputational damage to a small business can be especially devastating, especially without cyber insurance.
Rapid technology development makes it especially challenging for business leaders to recognize current threats, let alone anticipate future risks. Further complicating this trend is the proliferation of Internet-of-Things (IoT) and smart devices. Any device connected to the Internet is expected to be probed by automated scans within minutes, identifying the device and its operating system. If known vulnerabilities already exist, it can be quite trivial for a novice hacker to exploit them. Just last month, 11 distinct zero-day vulnerabilities in an IoT operating system were disclosed, impacting over 200 million devices. Given that most users still fail to keep a few personal devices regularly updated, adding IoT devices to a home or business exponentially increases the likelihood of a cyber intrusion.
Rather than struggle against the latest technology and highly trained security teams, attackers often choose easier victims who already have established relationships with their target organization. Small businesses are attractive because they are less likely to follow best practices when it comes to consumer privacy and information security. For example, Target’s breach in 2013 illustrated how vulnerabilities in a third-party vendor can ultimately result in attackers gaining access to another organization’s internal network. This enabled them to control Target’s servers, manipulate point-of-sale (POS) systems and extract customer data.
Overcoming the Data Addiction
A constant data flow has become an organization’s lifeblood—data recently surpassed oil as the world’s most valuable commodity. Large data collections are also extremely valuable to cybercriminals. Therefore, business leaders are encouraged to regularly evaluate the necessity of certain data, especially as it pertains to outside clients and consumers. Data minimization practices focus on reducing data breach impact by limiting the information that could be exposed when a breach inevitably occurs. When consumer data must be collected, it should be properly encrypted and anonymized. However, managers should also be aware that increasingly powerful analytics tools can identify individuals in data sets thought to be anonymized.
The good news is that challenges spawn new solutions, and the data breach epidemic is no different. There is a tremendous opportunity to strike a competitive advantage by overcoming the data addiction. For example, implementing a zero-knowledge approach to data through end-to-end encryption prioritizes consumer privacy and security. Businesses employing such strategies can instead focus on their core competencies and be honest about their data practices. Not only can this help improve the organization’s effectiveness, it can increase consumer confidence and trust.
Local Resources for Cybersecurity
Business leaders interested in evaluating their data security and consumer privacy practices are encouraged to contact Bradley University’s Center for Cybersecurity. We are focused on raising cybersecurity awareness in the Peoria region through several initiatives, such as observing Cybersecurity Awareness Month in October. (This year, our free Cybersecurity Day event featuring guest speakers will be held on October 23, 2019.) The Center also promotes engagement at local elementary and secondary schools, such as through the U.S. Air Force’s CyberPatriot competition. Plans are underway to eventually offer summer cybersecurity camps as well.
In addition, area organizations can obtain free security assessments conducted by the Bradley Red Team, comprised of upper-level cybersecurity students enrolled in an advanced ethical hacking course. Students are bound by nondisclosure and white hat agreements to ensure the client’s best interests are respected. Over an entire semester, the team researches the client, plans tasks and assesses the organization’s resilience to attack. Upon completion of the security assessment, the team reports the results and provides recommendations to the organization’s executive team. This not only allows the organization to obtain a free security assessment, but affords students the opportunity to gain real-world, hands-on experience prior to graduation.
Dr. Jacob Young is director of the Center for Cybersecurity and an assistant professor of management information systems in the Foster College of Business at Bradley University. Visit bradley.edu/cybersecurity or follow the Center on Facebook or Twitter @BradleyCybersec to learn more. PM