Last week, during one of my CEO Peer Advisory meetings, two of my members reported that they had been hacked. One member’s website was taken offline. It was inconvenient, but, luckily, it was only for a short time, so it wasn’t too disruptive. Imagine my other member’s surprise, however, when the FBI knocked on his door and told him that his payroll data had been stolen and that the thieves were targeting his employees’ IRS refunds!
Obviously, it’s not just Target, Michael’s, Adobe, or other large companies. Companies of all sizes are at risk. I recently heard a saying, “There are two types of companies. Those that know they were hacked, and those that don’t.” It’s not a question of if it will happen to your company. It’s a question of when.
Here is an article published in Smart Business Magazine, written by one of my Vistage members, Damon Hacker, that discusses the importance of attitude in protecting your data. Damon is the Co-Founder, President and CEO of Vestige Digital Investigations, a Digital Forensics and IT Security professional services firm.
You can’t pick up a newspaper, business publication or magazine without reading about this month’s mega-data breach. “Stolen: 3.5 million credit card numbers, complete with contact information” and so on all seem like headlines detailing sizable losses coming from large corporations specifically being targeted for their treasures.
Unfortunately, each of these breaches was not the result of some large company’s loss. Instead, they occurred at companies with annual revenues under $50 million.
Let’s face it. Large corporations have data that is of interest to attackers, but they also focus on keeping that data secure.
While large breaches tend to dominate the headlines and are often accompanied by names of companies you and I recognize, the majority of data breaches occur at a much lower level. And these are only the breaches that are being reported. Baseline, in its article, “Data Breaches May Be Worse Than Reported,” found that 57 percent of survey respondents reported that they had experienced a breach but had not disclosed it.
The reality is that many smaller businesses are actually at a much higher risk for experiencing a data breach than companies at the highest levels. For the small and midsize business, we find two significant factors that contribute to the significance of breaches:
Time and time again we hear from business owners that they’re not concerned about the security of their information technology because they “don’t have anything of interest” to an attacker, falsely believing that this removes them as a target.
While that may have been the case 10 or 15 years ago, organizations today are a target simply because they have an Internet presence. On the low end of attacks, an organization may be targeted simply for the use of its resources: disk space to allow the hacker to store his or her pirated software, music and video collection; or maybe the attacker is interested in the organization’s Internet connection to help disguise his or her identity as he or she launches an attack against another prized target.
Information security is truly one of those areas where “you don’t know what you don’t know.” It is complex and a specialty in and of itself.
The problem in most organizations is that the IT department is there to keep the systems running and to make them as easy to use for end-users as possible. This goal is mutually exclusive of security — where the goal is to limit access and make it as hard as possible for an attacker.
A secure approach has collateral effects on ease-of-use, which many organizations are unwilling to compromise, thereby making their systems more vulnerable.
In order to effectively address an organization’s IT security, business owners must understand that their organization is under constant siege. Regardless of size, attackers are interested in your organization’s resources.
If our homes and neighborhoods were under the same kind of attacks, there would be criminals rattling our windows and trying our doors to see if they could get in — every minute of every day.
We of course would not stand for that, but in the digital neighborhood where this activity is mostly invisible, we ignore it or turn our heads believing it isn’t occurring. Understanding the true threat is the first step in improving your organization’s security.
Now read Damon’s blog on how to keep your breach as low as possible.