Mobile devices, as popular as they may be, are a multi-level security risk. The first level is the risk to data that resides on them, because few devices are protected by anything more than a simple screen lock. The second level is their entry point to an organization’s network, which is typically protected by only one authentication step, easily exploited by anyone that gains access to the device. The third level of risk is in the multiplicity of operating systems and hardware platforms in use today, which challenges any organization to find a single solution that will secure every device adequately.
This trend challenges small- and medium-sized businesses (SMBs) to secure an all-inclusive view of who is entering the network and what data or software resides on the mobile devices that touch it. It is even harder to create a well-controlled but user-friendly environment that protects sensitive business information while enabling the leverage of mobility.
Many large organizations possess the resources to assess and combat some security threats proactively, but countless SMBs find it increasingly difficult to protect their information assets. Unfortunately, conventional solutions are no longer enough to protect against threats capable of creating financial and operational burdens. Effective security solutions must continually evolve to incorporate advanced security technologies and security-conscious business practices. We know that SMBs must do a better job of protecting themselves – so what can be done to tighten the security around your business?
While few brand new threats have surfaced recently, there is no denying that the number of cybersecurity attacks has increased. Threats to businesses have grown more sophisticated and more difficult to combat. With the increasing popularity of social media, mobile workforces and web applications, businesses are not only being attacked more frequently and efficiently, but from many different sources. As a result, patches alone cannot keep up with cyber attacks. Some of the most threatening attacks have penetrated even well-defended networks in as little as two hours. Many targeted email attacks, often referred to as “spear phishing,” exploit end-user vulnerabilities in commonly used programs. Attackers also exploit end-user vulnerabilities when users visit infected web sites.
A growing concern is attacks on various web applications, because of the access they may offer to huge volumes of sensitive, marketable data within organizations that use them. Attacks on web applications constitute over 60 percent of the total attempted attacks observed on the Internet, according to the SANS Institute. In fact, web applications experience 27 attempted attacks per hour, according to a 2011 Imperva report. Often, hackers exploit vulnerabilities in trusted websites, converting those pages into malicious sites capable of spreading threats quickly. Many web site owners fail to scan effectively for the common flaws that make this strategy possible, leaving security responsibility to end-users who visit a web site expecting a safe experience.
SMBs understand the importance of implementing countermeasures to mitigate the effects of external threats, but security is a two-way problem – data leaving the organization can be as harmful as what comes in. For example, highly-regulated organizations, such as financial institutions and healthcare providers, or those who contract with them, face legal liabilities if employees send out sensitive client or patient information. Increasingly sophisticated mobile devices, both employee-owned and company issued smartphones and tablets, also present another concern. With these devices, employees can unknowingly transport information assets, viruses, botnets and malware across multiple computers and into the network, exposing your business to even more security breaches.
10 best practices to protect your business
The best practices below can help SMBs keep pace with evolving security threats. Though they may lack the resources of larger businesses, SMBs can work toward better security by doing the following:
1. Conduct a cybersecurity risk assessment, readily available from a reliable security provider. Identify, classify and locate your key information assets and create a strategy for what needs to happen should those assets fall under attack. Knowing what is in your network is critical to protection
2. Simplify security for end-users – lessening complexity in the security process increases end-user inclination to follow protocol correctly and consistently
3. Keep systems updated/patched – this includes operating systems as well as applications
4. Use business assets – such as company laptops and mobile devices – for business alone. In addition to an effective, internal security policy – and enforcement of that policy – internal risk levels can be reduced
5. Regularly run network audits to stay on top of log files, abnormal traffic and other tell-tale signs of infection
6. Develop and socialize policies and controls around what information can be stored on user desktops, laptops and mobile devices, as well as for how long, to ensure important data gets to storage devices that you can control and protect
7. Empower your network administrators to enforce your security policies, but be sure you are giving them the tools to do so
8. Don't lose sight of the big picture. Stay tuned to how threats and anti-threat solutions are evolving, identify issues before they turn into problem areas and proactively take the steps to guard against them
9. Maintain ongoing awareness programs to make network users aware of new threats; for some threats, the best defenses are user understanding and safe practices
10. In the event of a breach, keep all key stakeholders, such as management, employees, and customers, up-to-date. Good communication is critical when a breach happens
The list of security threats plaguing today’s businesses is never ending, and many organizations are hard-pressed to keep up to date on the latest vulnerabilities, let alone respond to them. With limited resources, SMBs must work especially hard to protect themselves. Using these tactics can help you reduce both internal and external data threats as well as help keep your data and, by extension, your business, safe and secure.
About CDW:CDW provides technology solutions for business, government, education and healthcare. Ranked No. 32 on Forbes’ list of America’s Largest Private Companies, CDW features dedicated account managers who help customers choose the right technology products and services to fit their needs. The company’s solution architects offer expertise in designing customized solutions, while its advanced technology engineers assist customers with the implementation and long-term management of those solutions. Areas of focus include software, network communications, notebooks/mobile devices, data storage, video monitors, desktops, printers and solutions such as virtualization, collaboration, security, mobility, data center optimization and cloud computing.