Cyber-attacks on both private and government organizations happen on a daily basis. Many are publicized, but a far greater number remain undisclosed or worse – undiscovered. These hackers range from those looking to gain information for competitive reasons, to criminal breaches for monetary gain, malicious intent, or even just trawling for information to be used for a wide range of adverse activities.
Isn’t this only a threat to large organizations? No, even small businesses are at risk. There are 30.2 million small businesses in the United States (according to the U.S. Small Business Administration). The majority lack the money or resources to respond to, or recover from, security threats. According to smallbiztrends.com, forty-three percent of the known breaches in 2018 impacted SMBs. Yet 75% of small businesses have no cyber risk insurance.
Cyber-attacks are growing at an alarming rate and show no signs of slowing down any time soon. The level of risk and effect is also diverse, from simple theft and extortion to stealing confidential information and data sabotage. Why does this keep happening? Because it can go undetected with repeat instances, leading to long-term effects to both your operations and finances.
In-house Security Threats
Is this threat only coming from outside my company? The most alarming thing is that the greatest risk is from your own employees (or, more likely, ex-employees). Over 77% of small businesses don’t have in-house security policies; it’s not surprising that they experience significant data theft, which is typically then sold to the highest bidder (possibly a competitor). In the case of disgruntled employees, simple data sabotage is also prevalent with critical data altered, misplaced, or deleted. Larry Ponemon, chairman of the Ponemon Institute, an information security research center in Michigan, says, “the costliest data breaches are usually those that are created by a malicious insider who has access to things external hackers generally don’t have access to.”
How to Prevent Data Breaches
So how can we protect ourselves? System security technology for identifying of potential breaches can be installed and repeatedly updated. But for small businesses with limited budgets, data protection can be a simple matter of common sense defense strategy to mitigate risk. These three essential steps can help:
- Review where your data is being stored, who has or needs access to it, and what they should be allowed to do with it, depending on their role in the organization.
- Come up with simple, effective information security controls and, if possible, an automated 24/7 security monitoring system.
- Implement both scheduled and ad-hoc Audits and operational Reporting.
This may be enough to stop attempted hacks, especially from the greatest internal threats, and will definitely provide the basis of a clearly defined risk mitigation plan. If implemented effectively, this plan will minimize your data risk and loss exposure.
Good Enterprise Content Management = Cyber Security
One simple and relatively inexpensive solution is a Content Management system which incorporates all the feature functionality critical to developing comprehensive protection for your information.
The ideal solution should provide a private filing structure and repository that enables you to set up automated access control. Based on the users and groups already available from the Net Operating Security System (NOSS), the best solution will provide the ability for a security officer to decide who can and cannot see – or have access to – any applicable part of the filing structure. Simply put, if you don’t have access to that part of the filing structure, it’s not visible to you.
Once granted access to a particular filing structure, you should then be able to apply document rights and privileges. After granting access to users, you can define what they can and cannot do with the document.
On-Premise, the Cloud, and Safety for Your Files
Different types of storage should be available (cloud, on-premise, hybrid, and archive) for the best content management system, so that you are able to associate different types of storage options with parts of the repository. No matter whether your documents are in transit or in storage, the information must remain encrypted. In this case, if someone goes straight to the storage location, bypassing the application, and then selects a document or file format, it can’t be opened. Only by going through the application and being validated by the security system will the information then be unlocked and made available on that user’s device.
Minimizing access to documents can also be done with automated workflow processes so that it is only seen by those who are required to process it. If a change is authorized, then the system should have the ability to automatically generate version revision control. This provides the ability to see the document in any previous or current part of its life cycle.
All of these features so far are “passive,” in that, they are set and the system either allows you to do something, limits your options, or bars you altogether.
Active measures to stay updated
There must be an active security measure then, right? We have that in automated notifications. Monitoring policies that automatically provide an instant email notification once an action takes place. For example, you can provide access to a highly confidential document or critical piece of information to a set number of people, and the system will automatically notify you when someone opens it, modifies it, and or carries out literally any action on it.
The audit report generating tool and the notifications system will together give you constant updates of any action within the system, who carried it out, when it happened, and what part of the document it applied to.
Data risk mitigation for small businesses can be implemented relatively quickly and inexpensively with Enterprise Content Management. It can provide you with multiple levels of defense against hackers, whether they’re inside or outside your organization. In the very unlikely event that they are able to breach the system, proper Enterprise Content Management will provide clear immediate indicators and a description of the intrusion.
This article was originally published as How do I prevent a Cyber Attack on my Small Business Data by Joe Wharram on August 24th, 2016.