When it comes to cybersecurity and data breaches, smaller businesses do not necessarily make less likely targets. According to a recent report on the state of cybersecurity in small and medium-sized businesses by the Ponemon Institute, 61% of small and medium-sized businesses experienced a cyberattack in 2017, a 6% increase from 2016. Similarly, the report said 54% of small and medium-sized businesses experienced data breaches (up from 50% in 2016). In a recent article in Entrepreneur, CEO of Simple SEO Group Brendan Egan discusses some of the biggest cybersecurity threats facing small businesses today.
The Risk of Leaks in the Internet of Things
As we have previously discussed on this blog (see here and here), the security of internet of things (IoT) devices has been a growing concern for both government and industry, due in part to a number of high profile attempted cyberattacks using IoT devices. The connected nature of IoT devices and real-time data collection that makes IoT a powerful tool for organizations also creates multiple potential backdoors into the organization. To prevent IoT devices from being targeted by hackers, it is important to observe security best practices such as changing default passwords and, for manufacturers, providing unique default usernames and passwords that are difficult to crack. As we have previously discussed, among other organizations, the US Department of Homeland Security has issued guidance to help stakeholders account for security in the development, manufacturing, implementation, and use of IoT devices.
Organizations that increasingly rely on algorithms with operational and business decisions for critical systems run the risk of losing visibility into the functioning and interaction of those systems. The Threat Horizon 2018 report from the nonprofit Information Security Forum advises organizations to examine the risks that come with systems controlled by algorithms and determine when a human should monitor execution or decisions.
Awareness of Known Vulnerabilities
Security researchers frequently uncover critical vulnerabilities in systems as part of efforts to examine and improve security, but the response of manufacturers and providers to these actions are not consistent and may range from implementing public bug bounty programs to taking legal action against researchers. Depending on a provider’s approach, the result could mean exposure to vulnerabilities potentially known to bad actors but not the customers. As part of the procurement process, technology buyers should therefore consider how vendors handle the identification of vulnerabilities and the relationship between the vendor and the security research community.