BreachExchange mailing list archives
Security Strategy Lacking in Midsize Businesses
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 1 Jan 2014 18:44:55 -0700
http://midsizeinsider.com/en-us/article/security-strategy-lacking-in-midsize-bus

According to a new study, most small to medium-size businesses (SMBs) do not have a viable security strategy in place. As Dan Kusnetzky reported in an article on ZDNet, security does not appear to be a priority for SMBs.

Responsibility Left to Unprepared IT Staff

The study, conducted by Sophos and the Ponemon Institute, surveyed 2,000 people responsible for their organization's network security. One of the more telling results of this survey was that the person chosen to handle security in SMBs tends to have the job simply because no one else is doing it. There is no security department, and rarely is security overseen by someone with a strong background in the field. In fact, 59 percent of the survey's respondents felt that they did not have a sufficient background in network or information security.

The price to pay for having an inexperienced staff developing security strategy is a lack of awareness about the magnitude of cybersecurity threats and risk. According to the survey, one-third of the respondents admitted that they did not know whether their network suffered an attack during the past year. In addition, the higher up the management ladder, the less likely an employee is to possess an understanding of the threats that could disable or infiltrate a company network. This may explain why, instead of hiring staff who are trained in threat management and cybersecurity mediation, upper management simply designates someone from IT to take over protection of the network.

Sophistication of Attacks

The lack of a solid security strategy comes at the worst possible time. Three-quarters of employees responsible for cybersecurity say that attacks are either multiplying or have at least stayed constant in number and frequency over the past twelve months. These attacks continue to grow in their sophistication, becoming more difficult to detect. Phishing scams have also become more clever and complex, leaving employees more susceptible to malware. It is increasingly important to have an experienced security workforce to mitigate all types of network threats.

Job Training

There are options for SMBs to improve the security staff and, in turn, to make security a bigger priority. The most obvious improvement, based upon the results of the security survey, is to hire an IT professional with a strong security background. Security is emerging as a specialty, and a growing number of colleges are beginning to offer degrees in information security that include a general IT component. Looking to education, training and certification is an option for IT professionals who are asked to take over security responsibilities.

Smaller companies are most at risk for security failures because of the lack of in-house proficiency. Even with a limited budget, midsize companies can improve cybersecurity by making it a priority for every employee, starting at the C-suite. Without a good security strategy in place, an SMB's chances of being the victim of an attack continue to grow.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/