The Top Ten Security Concerns SMBs Should Not Ignore

Article by Lee Clemmer, published May 25, 2009

Security for SMBs is an ever-present concern. New threats and new versions of old ones are always appearing. Phishing, spam, web site spoofing, employee misuse of the Internet, patch maintenance, and related security problems can incur serious costs or even irreparable harm to a small business.

SMB Security Specifics

When individuals are victims in a security incident, it can be catastrophic, but the scope is limited, usually affecting only that one individual, or possibly them and their immediate family. Risks and damages for the small to medium business can be orders of magnitude greater. This is not to minimize the individual's problem, but to point out the larger scope and concern for small to medium sized businesses (SMBs). Let's examine the top ten SMB security concerns.

The Top Ten

1. Spear Phishing - Spear Phishing targets an individual and attempts to obtain specific data or information, such as account numbers for use in crimes. The more valuable information an individual employee has access to, the more desirable he or she is as a target.

2. Phishing - General phishing attempts on a business can compromise company confidential information including private customer data or financial information usable in a larger scam or theft.

3. Web Site Spoofing - Employees might enter username, password, or PIN information into such a site before (or without) realizing the fakery. If steps to deactivate the account or change access information are not taken almost immediately, the compromised account may be used by the criminals.

4. E-mail Scams - An older channel for tricking employees, e-mail scams are still a big potential risk. Forged e-mails may be sent and replied to, bypassing e-mail filtering. Verifying requests for sensitive information, a policy prohibiting sending it, and employee education are all tools to use to remedy this risk.

5. Leaking Company Confidential Information - A disgruntled employee, whether leaving the company by their own decision, or being terminated, may divulge company confidential information. This is one of the hardest to prevent, as it may happen "out of band" / non-electronically, even via conversation off site.

6. Employee Misuse of the Internet - Even with a firm Internet use policy and enforcement, some employees cannot resist the allure of the Internet. Be watchful and consistent in enforcement--risks here can be expensive legal entanglements.

7. Patch Maintenance - Zero-day vulnerabilities are an "arms race" with hackers and criminals. Patches and updates need to be applied very rapidly to eliminate these threats.

8. Directed Hacking - Hackers with an agenda or specific target and goal may work diligently and find weaknesses that, with enough effort, bear fruit for them. Perform thorough penetration tests and vulnerability assessments.

9. Password Policy - Brute force attacks or calculated guessing of passwords are only effective if password policy allows for weak passwords. Use of strong passwords and locking policies for failed attempts can virtually eliminate this threat.

10. Laptop Theft - Secure remote and travelling users' laptops, and secure access to them and the data on them, by several means. Teach physical security (locks and cables) as well as electronic (USB keys, keycards) and computational (boot password, encryption) security measures.

Conclusions

While these threats represent a risk for businesses of all sizes, mitigating them can be particularly challenging in small business environments, as budgets and in-house expertise are typically considerably more limited than in enterprise-space organizations. Solutions from companies such as GFI - which are specifically geared towards SMBs - can help smaller businesses overcome these challenges. Products such as GFI MailArchiver, GFI LANguard and GFI MailEssentials are not only priced for the SMB market, they are also designed to be easily managed. And this is extremely important. The initial licensing costs represent only a small portion of the total cost of ownership (TCO) of a security product - ongoing management costs represent a much more substantial portion - and, by streamlining management, these products are able to provide small businesses with comprehensive security for the lowest possible TCO.

 