BreachExchange mailing list archives

Security Strategy Lacking in Midsize Businesses


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 1 Jan 2014 18:44:55 -0700

http://midsizeinsider.com/en-us/article/security-strategy-lacking-in-midsize-bus

According to a new study, most small to medium-size businesses (SMBs) do
not have a viable security strategy in place. As Dan Kusnetzky reported in
an article on ZDNet, security does not appear to be a priority for SMBs.

Responsibility Left to Unprepared IT Staff

The study, conducted by Sophos and the Ponemon Institute, surveyed 2,000
people responsible for their organization's network security. One of the
more telling results of this survey was that the person chosen to handle
security in SMBs tends to have the job simply because no one else is doing
it. There is no security department, and rarely is security overseen by
someone with a strong background in the field. In fact, 59 percent of the
survey's respondents felt that they did not have a sufficient background in
network or information security.

The price to pay for having an inexperienced staff developing security
strategy is a lack of awareness about the magnitude of cybersecurity
threats and risk. According to the survey, one-third of the respondents
admitted that they did not know whether their network suffered an attack
during the past year. In addition, the higher up the management ladder, the
less likely an employee is to possess an understanding of the threats that
could disable or infiltrate a company network. This may explain why,
instead of hiring staff who are trained in threat management and
cybersecurity mediation, upper management simply designates someone from IT
to take over protection of the network.

Sophistication of Attacks

The lack of a solid security strategy comes at the worst possible time.
Three-quarters of employees responsible for cybersecurity say that attacks
are either multiplying or have at least stayed constant in number and
frequency over the past twelve months. These attacks continue to grow in
their sophistication, becoming more difficult to detect. Phishing scams
have also become more clever and complex, leaving employees more
susceptible to malware. It is increasingly important to have an experienced
security workforce to mitigate all types of network threats.

Job Training

There are options for SMBs to improve the security staff and, in turn, to
make security a bigger priority. The most obvious improvement, based upon
the results of the security survey, is to hire an IT professional with a
strong security background. Security is emerging as a specialty, and a
growing number of colleges are beginning to offer degrees in information
security that include a general IT component. Looking to education,
training and certification is an option for IT professionals who are asked
to take over security responsibilities.

Smaller companies are most at risk for security failures because of the
lack of in-house proficiency. Even with a limited budget, midsize companies
can improve cybersecurity by making it a priority for every employee,
starting at the C-suite. Without a good security strategy in place, an
SMB's chances of being the victim of an attack continue to grow.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
