4 Key Areas of Focus for SME Data Security
Over the last several years, disastrous data breaches have dominated the news. Organizations of all sizes and from several industries, such as Yahoo, Equifax and Target, have been victimized. It has started to appear that no data can be considered entirely safe. The fact remains, though, that businesses cannot function these days without taking advantage of technology like cloud services, web applications, and databases.
In the current digital environment, the name of the game is risk management. That means a top-to-bottom approach to data security that encompasses all levels of business IT infrastructure. This is necessary because if recent breaches have illustrated anything, it is that there are multiple vectors of attack for hackers to exploit. For companies in the SME space, it can be difficult to make sure all bases are covered, so here are 4 key areas to target to enhance data security.
Web Applications and Hosting
A recent cloud security report found that 73% of reported security incidents revolved around web applications and hosting providers. Many of them exploited flaws in widely used CMS platforms that tend to go unpatched. Additionally, hackers often targeted hosting providers themselves. By infiltrating at the server level, they are able to gain access to multiple customers at once. To address these threats, make sure that any public-facing web applications or sites are protected by a web application firewall, and that the relevant hosting providers have a policy regarding security and vulnerability patching. If they don’t, head to Hosting Review and find one that does.
Cloud Security Configuration
Many of the most notable recent data thefts are attributable to one specific thing: incorrectly configured cloud storage. Companies like Accenture and government agencies like the NSA have had embarrassing incidents recently for this very reason. They’re not alone, though. As many as 53% of companies that use cloud storage services have exposed data in the same way. Sometimes, mistakes as simple as setting incorrect permissions are to blame, and in other cases, reused credentials are at fault. The causes are simple, and so are the solutions. Conduct a review of the access settings and passwords on all cloud storage systems to make sure they all meet strict standards and that access is as limited as is practicable.
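One way to carry out the permissions part of this review, as an added example that is not part of the original article: it assumes the storage is AWS S3 and that each bucket's policy and ACL have been exported as JSON-style documents. The function names, bucket names, account ID and IP range are constructed for illustration.

```python
# Added example: flags S3-style bucket policies and ACLs that grant access to everyone.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def as_list(value):
    """Policies may hold a single item or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def is_wildcard(principal):
    """True when a policy Principal matches every caller."""
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return principal == "*"

def review_bucket(name, policy, acl):
    """Return human-readable findings for one bucket's policy and ACL."""
    findings = []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") == "Allow" and is_wildcard(st.get("Principal")):
            # A Condition (e.g. a source IP range) may narrow access: flag for manual review
            level = "REVIEW-CONDITION" if st.get("Condition") else "PUBLIC"
            actions = ",".join(as_list(st.get("Action")))
            findings.append(f"{level} {name}: policy allows {actions} to any principal")
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            findings.append(f"PUBLIC {name}: ACL grants {grant['Permission']} to {who}")
    return findings

# Constructed sample exports (not real buckets)
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}
ANY_ACCOUNT = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
               "Permission": "READ"}
BUCKETS = {
    "backups-example": ({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]},
                        {"Grants": [OWNER]}),
    "partner-share-example": ({"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                                             "Action": ["s3:GetObject", "s3:ListBucket"],
                                             "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}},
                              {"Grants": [OWNER, ANY_ACCOUNT]}),
    "internal-example": ({"Statement": [{"Effect": "Allow", "Action": "s3:*",
                                         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]},
                         {"Grants": [OWNER]}),
}

def audit(buckets):
    """Review every bucket and return all findings in order."""
    return [f for name, (policy, acl) in buckets.items() for f in review_bucket(name, policy, acl)]

if __name__ == "__main__":
    print("\n".join(audit(BUCKETS)))
```

Any line marked PUBLIC is a bucket readable without the company's own credentials; REVIEW-CONDITION lines need a person to confirm the condition really limits access to the intended parties.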
3rd Party and Vendor Access
Oftentimes, data breaches aren’t even a result of security vulnerabilities on the targeted network itself. Many attackers gain entry to business networks through compromised 3rd party systems. The difficulty here is that most business networks have multiple points of entry to facilitate data sharing with partners and contractors, and that places business data at the mercy of someone else’s security policies. In fact, that’s exactly how the aforementioned Target breach happened; hackers got in through an HVAC vendor. To decrease the risk, take steps to limit and monitor the access of outsiders into business systems. Do not allow installations of screen sharing software, and use routing and firewall rules to prevent outsiders from accessing anything but what they need to do their job.
Many SMEs outsource their IT management to Managed Service Providers (MSPs) in order to save money. In theory, it’s a great way to reduce internal costs associated with technology management, but it also carries a degree of risk. Like other outside vendors, an MSP needs access to business systems to do its job. Unlike other vendors, however, it needs near-total access and there’s no practical way to limit this. This threat has remained mostly under the radar, but it’s global, and it’s massive. Other than bringing IT management in-house, the best option is to contract with an MSP that is either UCS or SOC2 certified. This means that their security practices have been audited by an outside firm and found to meet the highest standards.
There are no easy answers or silver bullets when it comes to data security. For SMEs, that is a fact of life. Mitigating the threats through a comprehensive security review that encompasses the above-mentioned areas of focus will go a long way, though. Threats will evolve and change on a near-constant basis too, so the overall response must do so as well. Reevaluate all security policies and practices as often as possible and take steps to stay in the know about emerging threats. After all, the true price of data security, like liberty, is eternal vigilance.