QUESTION: Most large businesses probably have some kind of information technology (IT) security program in place. Is this something small businesses should have as well?
ANSWER: Well, it may be surprising, but even many large businesses struggle with having even an adequate IT security program in place. Large or small, companies definitely need to make sure they are addressing IT security. Companies may feel like they are not targets for cyberattacks either due to their size or that they feel that they don’t have anything worth stealing. The reality is that only a small percentage of cyberattacks would be considered targeted attacks, meaning the attacker group is going after a specific company or group of companies in order to steal specific data. The majority of cybercriminals are indiscriminate in whom they attack. They target vulnerable computer systems regardless of whether the systems are part of a Fortune 500 company, a small business, or belong to a home user.
Q: Do you find that businesses generally underestimate the security threat against them?
A: Yes, for the most part this is true. Certain organizations that have regulatory requirements to assess and manage IT security risks (e.g., banking, health care, Department of Defense) have a pretty good handle on their IT security exposures. Most other businesses, unless they have a mature and dedicated IT security function that is periodically performing risk assessments, are probably several years behind in understanding emerging security risks. Everyone recognizes how quickly the technology landscape changes; however, it seems that they underestimate how quickly the cybersecurity landscape also changes. The security products that people bought to combat threats in 2010 are likely unable to detect or prevent the classes of attacks we are seeing today.
Q: In addition to keeping firewalls and other software up to date, how important is it for businesses to train their employees in security principles?
A: This is one of the most important aspects of any IT security strategy and unfortunately also one of the most overlooked. Too often I have seen companies focus all their money on buying the best security technology on the market and hiring the best security people they can find, only to overlook one of their key assets and at the same time one of their key vulnerabilities: their people. Unlike computer systems, you can’t just deploy a “patch” to your employees to make them more secure. Organizations need to make sure that employees are routinely educated on new and emerging threats and the best way to identify and report suspected incidents.
Q: Does a company become more vulnerable to attack if it allows its employees to access online social media sites while at work?
A: I would say that it certainly increases a company’s risk exposure primarily because cybercriminals will try to leverage any aspect of technology that has a large user base. Recent Nielsen rankings showed that U.S. households spent 906 million hours per month on social networks and blogs. The next closest category was games, with 407 million hours per month spent. As the average user spends more time online using social networks, we are seeing cybercriminals shift their focus to developing sophisticated attacks targeting social networks. It is very important to note that whether we’re discussing social media websites, regular websites, or mobile computing, the larger the user base, the more likely that platform is to be targeted. These days I would say you are probably more likely to be infected by doing searches on Google or Bing than you are from a social media site.
Q: How much do companies typically spend on IT security?
A: On average, we see organizations spend between 3 percent and 6 percent of their overall IT budget on IT security.