Technology has quickly engulfed the world around us. Everything we do, both at a business and personal level, seems to involve technology in one way or another. However, as that happens, small businesses continue to be a top target for hackers, with the number of organizations hit by cybercrime rising each year. According to The Ponemon Institute’s 2017 State of Cybersecurity in Small & Medium-Sized Businesses report, 61 percent of businesses experienced a cyber attack in 2017, signifying a 6 percent increase from the previous year’s 55 percent. Data breaches were up to 54 percent from 50 percent in 2016.
This year promises faster internet, more connectivity, and unfortunately, more cybersecurity threats. Threat Horizon 2018, from the Threat Horizon series by the non-profit association Information Security Forum (ISF), shows that as connectivity grows, the information security threat landscape will grow with it.
Cybersecurity Threats Affecting Small Businesses
1. Internet of Things (IoT) leaks
As real-time data collection becomes increasingly important, the IoT is growing too. From monitoring traffic and collecting real-time patient information to optimizing the uptime of industrial equipment, organizations are massively acquiring IoT devices. However, these devices aren’t always secure. This creates a potential backdoor into the organization, warns the ISF.
IoT works so well because it is made up of dozens of devices that hide in plain sight. Be it alarm systems, GPS, web cameras, HVAC or medical devices such as pacemakers, it would be hard to guess which of these devices are even connected to the internet in the first place. But since IoT devices lack built-in security, they are often easy targets for hackers.
Attackers usually use automated programs to locate IoT devices. Once located, attackers attempt to connect to the device using the default admin credentials. And since most users don’t change them, this is usually a success for the attacker. Once in, the hackers can easily install malware, basically taking the system under their control.
Daniel Soderberg, CEO of EyeOnPass, advises changing all passwords immediately when you acquire a new device. “I wouldn’t operate any device with the default password,” he warns. “Default passwords are usually printed and freely available, exposing the user to all manner of cyber dangers.”
2. Opaque algorithms
The Threat Horizon 2018 report also warns of the increasing use of algorithms. As organizations continue to fully trust algorithms with the operation of, and decisions concerning, critical systems, the report says, they lose visibility into the functioning and interaction of their systems.
The lack of proper and transparent interactions between algorithms poses a security risk when unintended interactions between them create incidents, like the U.S. Treasury bonds “flash crash” of October 2014, in which bond yields dropped sharply for a brief period before the algorithms corrected themselves.
“We know they’re going to do some quirky stuff from time-to-time,” says Steve Durbin, managing director of the ISF. “You need to understand some of the exposure you have to algorithmic systems. We’re building more and more of our systems on top of algorithms — industrial control, critical infrastructure. There’s an increased risk in this space we need to be addressing.”
To manage these risks, organizations need a human monitoring the execution of operations and decisions that are often left to algorithms. The report advises organizations to know the risks that come with algorithm-controlled systems and to know when to involve a human. They must also update their code maintenance policies and identify alternative ways of treating algorithm-related incidents, especially when insurance isn’t an option.
3. Security researchers are being silenced
Security researchers are often whistleblowers. They impart knowledge about digital vulnerabilities, making sure systems are secure and users’ data remains in the intended hands. When they are silenced, either by the government or private companies, it’s often a loss for all users.
With software replacing hardware in most major sectors, users and businesses depend on researchers to unearth vulnerabilities and make them public as part of ongoing efforts to improve security. Lately, however, manufacturers have been responding to such disclosures by taking legal action instead of working with the researchers to fix those vulnerabilities. The ISF predicts that this trend will only grow, exposing customers to vulnerabilities that manufacturers have decided to hide rather than fix.
To protect themselves, the ISF advises technology buyers, which include small businesses, to insist on transparency during the procurement process. It advises manufacturers to take it more positively when vulnerabilities are found within their systems by rewarding the researchers rather than attempting to punish them.
Considering that a researcher might find a vulnerability in a tool in 2018 and not report it, it’s imperative for the small business owner to take a step further in protecting themselves, even if it means working with other businesses in order to come up with an affordable solution.
Transparency is key
When it comes to security, transparency has a great role to play. But this part has long been left to the security professionals. If all users reflected some degree of transparency, security in cyberspace would be easier to achieve. If non-technical managers and leaders understood the impact of good and poor protection, they would use the cyber assets they have more responsibly. Employees would be more careful about the devices they introduce to the network.
As the business owner, it’s your job to carefully manage the inventory of the connected IoT devices. “Some things have internet capabilities that you didn’t ask for and will never use,” says Leon Adato of SolarWinds, adding that any devices that don’t need to be connected to the internet should be disconnected.
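The two pieces of advice above (change default passwords, disconnect devices that don't need the internet) can be turned into a repeatable inventory check. The following is an added example, not part of the original article; the CSV column names, the scoring weights and the sample devices are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample inventory; column names are assumptions for this example.
SAMPLE_INVENTORY = """name,kind,internet_connected,needs_internet,default_password_changed
lobby-camera,web camera,yes,yes,no
hvac-controller,HVAC,yes,no,no
alarm-panel,alarm system,yes,yes,yes
fleet-gps,GPS,no,no,no
break-room-tv,smart TV,yes,no,yes
"""

REQUIRED = {"name", "internet_connected", "needs_internet", "default_password_changed"}

def _yes(value):
    return value.strip().lower() in {"yes", "true", "1"}

def audit_inventory(csv_text):
    """Return devices needing action, most urgent first."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"inventory is missing columns: {sorted(missing)}")
    findings = []
    for row in reader:
        online = _yes(row["internet_connected"])
        needed = _yes(row["needs_internet"])
        changed = _yes(row["default_password_changed"])
        actions, score = [], 0
        if not changed:
            actions.append("change default password")
            # A default password on an internet-connected device is the
            # scenario the article warns about, so it is weighted highest.
            score += 3 if online else 1
        if online and not needed:
            actions.append("disconnect from internet")
            score += 2
        if actions:
            findings.append({"name": row["name"], "score": score, "actions": actions})
    return sorted(findings, key=lambda f: (-f["score"], f["name"]))

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f['score']}  {f['name']}: {', '.join(f['actions'])}")
```

Re-running the check whenever a device is added keeps the inventory from drifting out of date.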