On Christmas Day, perfectly timed for the traditionally slow news week that leads into New Year's Eve, the cyber hacktivist group Anonymous apparently hacked the Web site and internal servers of security consulting and risk management advisory firm Stratfor.
Soon thereafter, the alleged attackers began publishing all sorts of confidential information, including the names of the company's clients. What's more, someone started using the credit card information obtained during the breach to make charitable donations in a vaguely Robin Hood-esque tradition.
Although the subsequent attacks that were threatened apparently have not come to pass, or at least haven't yet been disclosed publicly, the incident caps a year of pretty serious cyberhacking. Sony and RSA were just two of the big companies embarrassed by extremely public incidents. As I was reading up on this topic, I discovered that there were 760 attacks in the past decade by just one Chinese firm. That's just one nasty organization. That should give you pause, because I can assure you there is more than one person out there in the world who would love to create trouble for your business.
So, even though I've already written about essential technologies for investment by small businesses in 2012, security is absolutely, positively the most important infrastructure investment that small companies need to make.
Here are 5 reasons why:
- Smaller companies are more likely to be attacked than bigger ones. Don't believe me? Symantec.com, which keeps statistics on this sort of thing, suggests that 40 percent of attacks are against organizations with fewer than 500 employees, versus 28 percent against bigger companies. Remember, there are lots of people who could make trouble this way. Not just big groups with something to prove like Anonymous or LulzSec, but disgruntled former employees or business partners.
- Breaches are potentially business-ending events. Depending on the statistics you believe, the average cost of a breach or cybersecurity incident is about $190,000. Do you have that sort of money to lose? Even more serious: about half of small businesses still don't back up their data, so what is lost is lost forever. Which means your business might be lost forever. The Federal Communications Commission has published a useful cybersecurity guide you might want to consult.
- Can you be sure you are properly controlling the access of your employees and business partners? This will only be a bigger factor, as personal tablets and smartphones become more commonly used as business tools. Improperly managed client-side software is one of the biggest known cybersecurity threats, allowing people to see information that they really shouldn't be able to see AND allowing rogue malware to enter your infrastructure. I am dealing with a problem like this right now. Even though certain files I post to my non-profit's web site are "gated," for some reason, they can be accessed publicly if the right link shows up in a Google search.
- Attacks could ruin your company's reputation. I know that they say all publicity is good publicity, but think about how embarrassed Stratfor must be this week. After all, this is a security consulting company. According to the reports about the incident, the reason that the hackers were able to steal so much data -- up to 200 gigabytes -- and make use of it was because certain information was not encrypted. Stratfor should have known better, and so should your company.
- Your company could be putting its best customers at risk. In assessing the security risks for their business, some owners and managers fail to consider that it isn't just your own data you need to worry about, it is that of your customers. Anyone involved in healthcare already has this mantra beaten into their brain, but any company that engages in business-to-business activity with much larger businesses needs to consider their needs as the driver for their own security plans.