Hackers Target Mid-Market Companies--"Easy Targets" Compared to Enterprises
Mid-market IT executives should be taking steps to improve their security at an accelerated pace, in response to trends noted in a popular data breach report. An annual study by Verizon shows that hackers are changing their targets and tactics. Instead of attacking large, well-funded enterprise organizations, they are now pointing their weapons at midsize companies. A recent article in CSO magazine discusses the changes.
According to Wade Baker, security research director for Verizon, cyber criminals were mass producing attack techniques for use on "easy targets." The Verizon 2012 Data Breach Investigations Report was conducted by their RISK team in concert with law enforcement agencies in Australia, the Netherlands, the United Kingdom, and the United States.
"Cyber criminals have figured out that if their goal is to make money, attacking a large organization that's well defended and probably has ties to law enforcement that is going to pursue them, is a high-risk solution," Baker said in an interview. He contrasted that remark by adding, "Mass-produced, commoditized attacks against smaller organizations with fewer defenses is a very low risk [for hackers and organized cyber criminals]."
What IT Executives Should Be Doing Now
For many senior business executives, security can sometimes be viewed as a "nice-to-do" expenditure. The Verizon report shows trends and evidence that indicate that security should be considered a top agenda item for business and technical executives.
But developing a security strategy and deployment roadmap must be balanced with what the business can reasonably afford. In regulated businesses, compliance requirements such as PCI, Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA can escalate the argument for higher levels of security and protection.
Many security teams are using risk-ranked strategies to evaluate and prioritize investments that address the most probable and most damaging threats facing the business. Key considerations for every business include steps such as written security policies that require complex passwords with 10 or more characters and lockouts after 2-4 unsuccessful attempts, high-quality antivirus and anti-malware software, and effective and frequent security training and awareness programs.
Once security bases and basics are covered, steps including effective and continuous patching and change management policies and tools, and careful evaluation of the access privilege model must be considered.
These are minimum requirements for any organization, and they must be implemented and reviewed on at least an annual basis. More advanced steps vary and depend on the nature and substance of the business. If you develop or purchase custom-developed software, secure coding and security testing become critical considerations, especially for web-centric businesses and those that connect applications to the web. Tools and practices for security, such as the OWASP model, should be required.
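The password-length and lockout policy described above is easy to state and easy to get wrong in practice (lockouts that never expire, counters that are not reset on success, or checks that leak whether a username exists). The following is an added illustration, not code from the original post or from IBM or Verizon: it enforces a 10-character minimum with a character-class rule, locks an account after a fixed number of failed attempts, and expires the lockout after a window. The threshold of 3 (from the article's 2-4 range), the 15-minute window, the "three of four character classes" rule and the PBKDF2 credential store are all assumptions chosen for the example.

```python
import hashlib
import hmac
import re
import time
from dataclasses import dataclass, field

MIN_LENGTH = 10          # from the post: complex passwords of 10 or more characters
LOCKOUT_THRESHOLD = 3    # assumption: picked from the post's 2-4 failed-attempt range
LOCKOUT_SECONDS = 900    # assumption: 15-minute lockout window


def password_meets_policy(pw):
    """Return a list of policy violations; an empty list means the password complies."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": re.search(r"[a-z]", pw),
        "uppercase": re.search(r"[A-Z]", pw),
        "digit": re.search(r"\d", pw),
        "symbol": re.search(r"[^A-Za-z0-9]", pw),
    }
    missing = [name for name, hit in classes.items() if not hit]
    if len(missing) > 1:  # assumption: require at least three of the four classes
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


@dataclass
class LockoutTracker:
    """Counts consecutive failures per user and enforces a time-boxed lockout."""
    threshold: int = LOCKOUT_THRESHOLD
    lockout_seconds: int = LOCKOUT_SECONDS
    failures: dict = field(default_factory=dict)      # username -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # username -> epoch seconds

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return True
        if until is not None:  # lockout has expired: clear it and the failure counter
            del self.locked_until[user]
            self.failures.pop(user, None)
        return False

    def record_failure(self, user, now=None):
        """Register a failed attempt; returns True if the account is now locked."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.threshold:
            self.locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user):
        """A successful login resets the counter and any lockout."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_entry(password, salt=b"constructed-salt"):
    """Build a credential-store entry (fixed salt only so the example is deterministic)."""
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed credential store for the example; not real accounts.
USERS = {"alice": make_entry("Correct-Horse-9")}


def authenticate(tracker, store, user, password, now=None):
    """Return 'locked', 'ok' or 'denied'. Failures are counted even for unknown
    users so the response does not reveal which usernames exist."""
    if tracker.is_locked(user, now):
        return "locked"
    entry = store.get(user)
    if entry and hmac.compare_digest(_hash(password, entry["salt"]), entry["hash"]):
        tracker.record_success(user)
        return "ok"
    tracker.record_failure(user, now)
    return "locked" if tracker.is_locked(user, now) else "denied"


if __name__ == "__main__":
    print(password_meets_policy("short1A!"))
    t = LockoutTracker()
    for i in range(4):
        print(authenticate(t, USERS, "alice", "wrong-guess", now=1000 + i))
    print(authenticate(t, USERS, "alice", "Correct-Horse-9", now=2000))
```

Two design points worth noting: the lockout is checked before the password is compared, so a locked account gets the same answer whether or not the guess is right, and a successful login clears the counter so ordinary typos do not accumulate into a lockout days later.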
Recognizing, measuring, managing and responding to risk are important success factors for every business. But more complex businesses, more distributed businesses, and those with high levels of mobility and mobile access require even more protection in the form of policies, monitoring and tools. For midsize businesses, the Verizon report and the CSO article indicate that risk management and security should be examined, reevaluated and strengthened to assure appropriate levels of business and technical protection.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.