While cybersecurity should be a primary concern for all organizations, there is no one-size-fits-all approach. Mid-market businesses have different security needs and concerns than large enterprises. To meet these needs, CISOs must meet with business leaders to discuss what technology is required to safeguard digital assets. Cloud adoption only heightens the need for this conversation.
The public cloud is a smart option for mid-sized organizations, since they often run lean and may have a small or non-existent IT team. But in the rush to take advantage of cloud, they tend to focus on overcoming networking issues and scaling capabilities first, with security as an afterthought. And when they do think about security, it is usually in terms of who on the team has access. It is often assumed that security is the cloud provider’s responsibility, when in reality, it is a shared responsibility.
This creates a security gap that malicious actors are happy to exploit. Securing your data is critical, but it does not have to be complicated. Mid-sized businesses tend to put most of their security eggs in the network-based solutions basket. Those tools are preventative and depend on recognizing known threats, whereas a zero-day attack, by definition, exploits a vulnerability that nobody yet has a signature or a patch for.
Another serious weak spot is the continued use of passwords or any other form of shared-secret scheme used to authenticate people. Lists of hacked passwords are for sale on the dark web, phishing remains a successful method of obtaining users’ passwords and password-cracking tools are getting better and better.
Topping the list of weak spots, though, is the notion that cybercriminals wouldn’t bother to breach you because your company is too small, unimportant or not valuable enough. Bigger is not always better to cybercriminals. Yes, bigger businesses tend to yield a bigger pay-off, but they also have stronger security programs than mid-sized companies. Attackers like low-hanging fruit just as much as the next guy.
Breaches Are Costly
Surviving a data breach can be much more difficult for mid-sized companies. According to the Ponemon Institute’s 2017 State of Cybersecurity in Small & Medium-Sized Businesses report, the average clean-up cost for mid-market companies after being hacked is more than $1 million. In addition to clean-up and containment costs, there may be fines, depending on the industry and jurisdiction the company falls within. A mid-sized business may not have the funds to survive a breach.
The most popular attack methods against smaller businesses, the Ponemon report found, are ransomware, malware, phishing/social engineering and web-based threats. While firewalls and malware detection software are available inexpensively, they cannot protect data once the network has been breached.
Encryption Is Not Just for Enterprises
Encryption is often regarded by mid-sized organizations as an expensive solution to a problem they don’t have. After all, who would want their data? However, medium-sized companies are being increasingly targeted by cybercriminals for data. One study found that 53 percent – just over half – of mid-market businesses suffered one or more breaches last year.
Data needs to be kept safe for the sake of compliance, too. Small companies with medical records, for instance, have private data that needs strong data protection that meets industry compliance regulations.
Because mid-market companies tend to view encryption as complex and hard to implement, they often ignore it or discount it as a viable security control for businesses their size.
However, encryption is not as hard as it sounds. At its most basic, encryption is a cryptographic system to encode data and files in such a way that only authorized users/devices can access it and those who are not authorized cannot. However, data encrypted at the network, web server, application server, database, app system or hard
This is the case because it matters where data is encrypted or decrypted. If it happens in any part of the system—the hard disk drive, operating system, database, etc.—other than the business application using that data, significant residual risks remain despite the encryption. An attacker need only compromise a software layer above the encrypting layer to see unencrypted (plaintext) data.
The most logical place to protect sensitive data is the application layer, the highest layer in the technology stack, because there is no software layer above it for an attacker to sit in and read plaintext. This also ensures that, once data leaves the application layer, it is protected no matter where it goes, whether that is a cache, a database, a backup or a log, and, conversely, it must come back to the application layer, and to the key the application controls, to be decrypted.
Criminals don’t want encrypted data because it is unreadable unless the person who accesses it has the appropriate key. Authentication is how you control access to those encryption keys.
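To make the layering argument concrete, here is an added example of application-layer field encryption in Go, written for this edit rather than taken from the original article or any vendor. It uses AES-256-GCM from the Go standard library. The Store type is a stand-in for the database tier, and the key, the record IDs and the SSN values are constructed sample data; in a real deployment the key would be fetched from a KMS or HSM once the application has authenticated. A dump of the store yields only ciphertext, and because the record ID is bound to each ciphertext as associated data, an attacker who can write to the database cannot even move one customer's protected value into another customer's row without the application noticing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptField protects one sensitive field with AES-256-GCM and returns
// nonce || ciphertext || tag. The record ID is bound as associated data, so
// a blob copied into another row fails to decrypt there.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField; a changed blob, key or record ID makes
// the GCM tag check fail, so tampering is detected rather than silently decoded.
func DecryptField(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store stands in for the database tier. It never holds the key, so a dump of
// its rows (what an attacker with database access obtains) is ciphertext only.
type Store struct{ rows map[string][]byte }

func NewStore() *Store                        { return &Store{rows: map[string][]byte{}} }
func (s *Store) Put(id string, b []byte)      { s.rows[id] = b }
func (s *Store) Get(id string) ([]byte, bool) { b, ok := s.rows[id]; return b, ok }
func (s *Store) Dump() map[string][]byte      { return s.rows }

// SaveSSN and LoadSSN are the only places plaintext exists: the application
// tier, which holds the key.
func SaveSSN(s *Store, key []byte, id, ssn string) error {
	blob, err := EncryptField(key, id, []byte(ssn))
	if err != nil {
		return err
	}
	s.Put(id, blob)
	return nil
}

func LoadSSN(s *Store, key []byte, id string) (string, error) {
	blob, ok := s.Get(id)
	if !ok {
		return "", errors.New("no such record")
	}
	pt, err := DecryptField(key, id, blob)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // demo key; in production it comes from a KMS or HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	store := NewStore()
	_ = SaveSSN(store, key, "cust-42", "078-05-1120") // constructed sample records
	_ = SaveSSN(store, key, "cust-43", "219-09-9999")
	for id, blob := range store.Dump() {
		fmt.Printf("storage view %s: %x\n", id, blob) // ciphertext only
	}
	ssn, _ := LoadSSN(store, key, "cust-42")
	fmt.Println("application view cust-42:", ssn)
	b42, _ := store.Get("cust-42")
	store.Put("cust-43", b42) // attacker with DB write access swaps rows
	_, err := LoadSSN(store, key, "cust-43")
	fmt.Println("swapped ciphertext rejected:", err != nil)
}
```

Contrast this with transparent disk or database encryption: there the storage engine decrypts for any caller that can issue a query, so the SQL injection or stolen DB credential that the article warns about returns plaintext. Here the same attacker gets bytes that are useless without the application's key, and the authenticated-encryption tag also turns silent corruption or row swapping into a hard error the application can alert on.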
Authentication is Essential
The idea behind authentication is to make sure that a person or system trying to gain access to data is actually who or what it claims to be. There are various kinds of second factor, from one-time codes delivered by SMS or email to hardware tokens and biometric verification. SMS and email codes can be intercepted or phished along with the password, so for gating access to encryption keys, authentication that requires a possession token or a biometric is the strongest option.
To encourage organizations to adopt strong authentication, the FIDO Alliance has developed a family of specifications, the latest being FIDO2 (the W3C WebAuthn API together with the CTAP protocol for external authenticators). FIDO authentication applies well-understood public-key cryptography, the same primitives that underpin Public Key Infrastructure (PKI), to verify users and devices, which in turn allows strict authorization of access to encrypted data and files.
The goal of the FIDO Alliance is to promote ubiquitous, phishing-resistant, strong authentication to protect internet users worldwide. The FIDO protocols, and the authenticators that implement them:
- Require the user (a customer making a purchase, say) to prove presence at the computer originating the request, typically by touching or unlocking a FIDO authenticator in their possession.
- Resist phishing. The authenticator signs a fresh challenge together with the origin the browser actually loaded, so an assertion captured on a look-alike site does not verify at the legitimate one, and a captured message cannot be replayed later because each challenge is accepted only once.
- Protect users’ privacy. Each site gets its own key pair, with no identifier shared across sites, so a lost or stolen authenticator does not by itself reveal which accounts it protects or let an attacker link them to its owner.
- Keep the private key inside the authenticator, whether that is a hardware key or the secure element of a phone or laptop, so it cannot be copied off the machine by malware or a remote attacker the way a password database, session cookie or certificate file can.
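As an added illustration (not part of the original article and not FIDO Alliance code), the following Go program models the core of a FIDO2/WebAuthn login: a per-site P-256 key pair that never leaves the authenticator, a challenge the relying party accepts exactly once, and a signature over client data in which the browser, not the page, records the origin it actually loaded. Several things are simplified and are assumptions of this example rather than the specification: the RP ID rule is reduced to the https host, the signed message is just SHA-256 of the client data (real WebAuthn also signs authenticator data carrying the rpIdHash and the user-presence flag), and bank.example, evil.example and the user alice are constructed names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Authenticator models a FIDO authenticator: one P-256 key pair per relying-party ID; the private key never leaves it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// ClientData mirrors WebAuthn clientDataJSON. The browser, not the web page, fills in Origin.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct { // what the relying party receives at login
	ClientData []byte
	Signature  []byte // ECDSA over SHA-256(ClientData); real WebAuthn also covers authenticator data
}

// RelyingParty stores enrolled public keys and issues single-use challenges.
type RelyingParty struct {
	ID      string // e.g. "bank.example"; a browser only signs for it from https://bank.example
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string]bool
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// Register creates a fresh key pair for rpID and returns the public key for the site to store.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable entropy; nothing sensible to do in a demo
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// Sign models browser plus authenticator at login. The browser derives the RP ID from the page's
// real origin (simplified here to the https host), so a look-alike site can only obtain a signature
// that names itself, and only if the user ever registered a key there.
func (a *Authenticator) Sign(origin, challenge string) (*Assertion, error) {
	rpID := strings.TrimPrefix(origin, "https://")
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential for " + rpID)
	}
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientData: cd, Signature: sig}, nil
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a random nonce that Verify will accept exactly once.
func (rp *RelyingParty) Challenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand only fails if the OS entropy source is broken
	c := fmt.Sprintf("%x", b)
	rp.pending[c] = true
	return c
}

// Verify runs the checks that make the exchange phishing- and replay-resistant.
func (rp *RelyingParty) Verify(user string, a *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return err
	}
	if !rp.pending[cd.Challenge] {
		return errors.New("unknown or already-used challenge (replay)")
	}
	delete(rp.pending, cd.Challenge) // single use: consumed whatever happens next
	pub, ok := rp.pubKeys[user]
	h := sha256.Sum256(a.ClientData)
	switch {
	case cd.Origin != "https://"+rp.ID:
		return errors.New("origin mismatch: assertion was produced for " + cd.Origin)
	case !ok || !ecdsa.VerifyASN1(pub, h[:], a.Signature):
		return errors.New("unknown user or bad signature")
	}
	return nil
}
```

Three failure modes fall out of this directly. A phishing page at evil.example that relays the bank's challenge gets nothing to relay back, because the authenticator has no key for that RP ID. Even if the user did hold a key for evil.example, the resulting assertion names evil.example in the signed client data and is rejected by the bank's origin check, and editing that field after the fact breaks the signature. And an assertion sniffed from a genuine login cannot be submitted a second time, because the challenge it carries has already been consumed. None of this depends on the user noticing that the address bar is wrong, which is what makes it stronger than SMS or email codes.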
Strengthen Your Data Security
Recent statistics reveal that mid-sized businesses are targets for cybercrime just like their larger counterparts. With valuable data and smaller IT security teams, mid-market companies need encryption as part of their security strategy. The cost to clean up a breach keeps rising, and some businesses can’t survive that financial hit. Use the information above to implement strong encryption and authentication so that when a breach does occur, what the attackers carry off is ciphertext, useless to them without keys they never obtained.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.