“Not my company!” attitude is dangerously out-of-date
You can’t pick up a newspaper, business publication or magazine without reading about this month’s mega-data breach. “Stolen: 3.5 million credit card numbers, complete with contact information” and similar headlines all seem to describe sizable losses at large corporations that were specifically targeted for their treasures.
Unfortunately, none of these breaches was the result of some large company’s loss. Instead, they occurred at companies with annual revenues under $50 million.
Let’s face it. Large corporations have data that is of interest to attackers, but they also focus on keeping that data secure.
While large breaches tend to dominate the headlines and are often accompanied by the names of companies you and I recognize, the majority of data breaches occur at a much lower level. And these are only the breaches that are being reported. Baseline, in its article, “Data Breaches May Be Worse Than Reported,” found that 57 percent of survey respondents reported that they had experienced a breach but had not disclosed it.
The reality is that many smaller businesses are actually at a much higher risk of experiencing a data breach than companies at the highest levels. For the small and midsize business, we find two significant factors that contribute to the significance of breaches:
Belief that they have nothing of interest to a hacker, and
The feeling that their systems are secure.
We’re not a target
Time and time again we hear from business owners that they’re not concerned about the security of their information technology because they “don’t have anything of interest” to an attacker, falsely believing that this removes them as a target.
While that may have been the case 10 or 15 years ago, organizations today are a target simply because they have an Internet presence. In low-end attacks, an organization may be targeted simply for the use of its resources: disk space to allow the hacker to store his or her pirated software, music and video collection; or maybe the attacker is interested in the organization’s Internet connection to help disguise his or her identity as he or she launches an attack against another prized target.
Our systems are secure
Information security is truly one of those areas where “you don’t know what you don’t know.” It is complex and a specialty in and of itself.
The problem in most organizations is that the IT department is there to keep the systems running and to make them as easy as possible for end-users to use. This goal is mutually exclusive with security, where the goal is to limit access and make things as hard as possible for an attacker.
A secure approach has collateral effects on ease-of-use, which many organizations are unwilling to compromise, thereby making their systems more vulnerable.
A change in attitude
In order to effectively address an organization’s IT security, business owners must understand that their organization is under constant siege. Regardless of size, attackers are interested in your organization’s resources.
If our homes and neighborhoods were under the same kind of attacks, there would be criminals rattling our windows and trying our doors to see if they could get in — every minute of every day.
We, of course, would not stand for that, but in the digital neighborhood, where this activity is mostly invisible, we ignore it or turn our heads, believing it isn’t occurring. Understanding the true threat is the first step in improving your organization’s security.
Damon S. Hacker, MBA, CCE, CISA, is co-founder, president and CEO of Vestige Digital Investigations, a Digital Forensics and IT Security firm with offices in Cleveland, Columbus and Pittsburgh. He can be reached at (330) 721-1205 or firstname.lastname@example.org. For more information, visit www.vestigeltd.com.