NEWPORT, R.I. – The Pell Center, in collaboration with CAI Managed IT, recently hosted a seminar on “Cybersecurity and Your Business: Security Strategies for SMBs.” The event, part of the Pell Center’s Rhode Island Corporate Cybersecurity Initiative (RICCI), brought together representatives from over 20 different organizations across the state to explore cybersecurity and business continuity solutions for small and medium-size businesses (SMBs).
Securing a business against increasingly sophisticated and frequent cyber attacks, computer viruses, hacked websites, or even a well-intentioned but careless employee can seem daunting, particularly if an organization is of modest size and does not have a “crack team” of cybersecurity experts on staff. During the seminar, Mr. Motta, Executive Vice President of CAI Managed IT, pointed out that while “in a matter of few years, the Internet has consolidated itself as a very powerful platform that has changed the way we do business and the way we communicate,” it has also opened the door to vulnerabilities of staggering proportions. Public and private-sector organizations alike have been victims of cyber thefts of sensitive information, breaches of privacy, cybercrime, and cyber disruption (e.g. denial-of-service attacks). Mr. Motta reminded the audience: “if you think your industry is exempt, you should think again!” Moreover, he cited various statistics reporting an astonishing increase of cyber attacks against SMBs—according to Symantec, for example, cyber attacks on small businesses have skyrocketed by 72% in the past 18 months. “Cyber criminals are now starting to focus more on soft targets, especially small businesses, which represent easier targets, with less protection and less resources,” he continued. Indeed, after a spate of high-profile cybersecurity breaches at major companies like Target and, more recently, Home Depot and JPMorgan Chase, the biggest players generally have strong protections, both in terms of technology and staff, to wall off their proprietary information. But smaller companies and vendors, who can’t afford expensive security measures—and yet store some of their larger client’s sensitive data—are now in the crosshairs of sophisticated hackers. The result has been a digital arms race between cyber attackers, who look for new ways to circumvent the security solutions that companies put in place, and vendors and end-users, who are perennially on the lookout for for new ways to improve the security of their solutions and policies.
This particular seminar focused on the need for a holistic, company-wide methodology to minimizing and organization’s exposure to hackers and cyber criminals. With this goal in mind, Mr. Motta laid out a series of best practices and low or no-cost solutions for SMBs to protect their systems and digital assets. The emphasis should be first and foremost on prevention and mitigation strategies, such as internal security policies, employee training and continuing education, system patching and protection, and use of best practices (safe Internet, email, and desktop practices).
As Mr. Motta emphasized, “most cyber incidents are caused by lack of education and training or human error.” In fact, “internal threats posed by unqualified or disgruntled employee with trusted access to sensitive system and information cause 80% of small business security problems.” While technological solutions are vital to protect information and systems, their efficacy is limited if it is not effectively adopted and implemented by management team and used by skilled employees who follow well-defined processes. “Don’t assume that employees already know everything they need to know” Mr. Motta continued. “All employees should receive proper training and periodic re-training.” Other ways to keep employees up to date with the latest threats and make sure that they don’t sidestep basic standards of best practices is by distributing pamphlets, posters, newsletters, videos; rewarding them for good security practices; and employing regular phishing security tests (PST). Statistics show that companies with employees cybersecurity training programs experience 50% fewer cyber incidents caused by their own personnel.
Disaster recovery planning represents another important aspect of protecting a company’s overall brand and value. “Every company should have a well-documented and well-exercised disaster recovery plan—it is more than just having data backed up on a tape!” Building a comprehensive DR plan, before a breach happens, is fundamental “because even all the prevention measures that you can put in place are never going to protect you 100% of the time— you need to know what you’re going to do in case of a cyber incident!” This should include identifying, locating and backing up all the critical files in your system; testing restoring procedures regularly; setting up offsite storage for the system’s backup; having well-defined business continuity options; and knowing who is in charge of the DR plan!
Mr. Motta concluded his presentation by offering additional information on solutions and services that can be outsourced, especially in light of budgetary constraints and lack of internal resources that many SMBs experience while still needing to be on the lookout for an escalating number of threats and increased complexity of cybersecurity.
The Rhode Island Corporate Cybersecurity Initiative is supported by The Verizon Foundation for the 2014-2015 academic year.