JSCM has been doing security assessments and testing for 16 years, and over that time we have had the privilege to test networks of all sizes, from a five-person organization all the way up to government and multinational organizations. What is really interesting about all of the information we have seen and assisted with is that the only thing that is consistent is inconsistency. It doesn’t matter what size the organization is; the opportunity to secure the information is exactly the same. The difference is whether it gets done or not.
Small businesses are not at a disadvantage when it comes to network security and cyber security; in fact, small organizations have a huge advantage. It isn’t about budgets alone, it is about focus. I can have the greenest lawn in my neighborhood if I choose to. It is a matter of desire. Your network can be more secure and stable than larger ones, giving you a huge competitive advantage! You just have to make the choice. Here are the top five reasons your small business can be more secure than a large organization:
- Fewer Points of Entry - Any attacker needs a point of entry in order to gain access to a network and steal information. A point of entry is an internet connection, a wireless connection, a device with access to company data, or an employee. The fewer points of entry you have, the easier they are to inventory, control, and secure. This gives small companies a huge advantage over larger organizations. It is easier to make strict firewall changes, update wireless policies, implement a new technology, and close a hole if you are nimble and adaptable; large organizations are the opposite of nimble, let’s call them fat and slow. The main reason is that larger organizations cannot pivot and make changes as quickly, because the impact, client base, and number of users are greater. The result is that they move slower. This is why you hear about so many large organizations being hacked and not knowing for months! They weren’t capable of watching all the entry points because of sloppy networking and bureaucracy. Further, departments don’t always communicate, so they don’t understand the cause and effect of their actions as easily. The result is that holes can be opened without anyone noticing! (Think about Target and the HVAC vendor access that was left open.)
- More Training Opportunities - One tentpole in the battle for cyber security is the training of all of your team members. In the end, they are your greatest asset and your greatest liability rolled into one friendly person. Most users who open a malicious email and click a link do not have malicious intent; they just didn’t know any different. So how do we solve this problem? Training! Training is your ultimate weapon in network security, and getting people trained is easy in a small business. You have endless opportunities. One idea is a monthly lunch and learn with your team: bring in pizza and an expert to talk. Another is to conduct phishing tests and use the results as a learning opportunity rather than a punishment. There are countless opportunities, and in small companies communication is better, so training can also be used to keep the lines open so that people speak up right away when an email is opened or a link is clicked. Imagine what it is like to train 100,000 employees on data handling across all the different job descriptions, hours, and pay rates. The lack of training is a huge defect in the security of larger companies.
- Harder to Manipulate - Social engineering is the art of getting someone you don’t know to do something you want them to do. A common way to get into a network is to engineer someone on the phone into providing you access. This is much harder in a small organization because, odds are, everyone knows everybody, and a stranger claiming to be from IT or a vendor stands out. The attacker will have less of an opportunity to talk their way into access. As scary as it may sound, I could call up an organization and get access in under 5 questions/sentences, and as part of that conversation I would pick up crumbs of information that allow me further knowledge and the ability to conduct more harm. It just takes knowledge of computers and malicious intent, except in my case I am trying to help. Being harder to manipulate is a huge advantage to a small company. Large organizations have a weakness: their size. (I would pick up this book by Kevin Mitnick if you want to learn more about how someone really did it in practice.)
- You Know the Money - Most attackers are trying to get money or data out of your organization, and if you have tight control over the money, you have a huge advantage. It is really hard to get money out of our company, I mean really hard. We have a very simple, yet strict, process for writing checks and we keep a close eye on our bank accounts (no, I won’t disclose that part). If a weird transaction shows up, someone is on it right away. No one is going to be able to send us an invoice and con us into paying it. And if we need to change banks because someone stole our information, we can have that done by lunch. Not without some short-term pain, but without losing a penny. Large companies have complex systems in place to control money, but they are really easy to get past: the more hands and approvals an invoice passes through, the easier it is for a fraudulent one to slip by unquestioned. Keeping control of your money makes you a harder target and a less desirable one. If you are unsure of how tight your accounting control process is, have it tested as part of a security assessment.
- You Know Who to Call - The ugly yet sad truth is that every network is susceptible to attack. If someone wants into your network badly enough, they will be able to gain access. One of the top things I teach on is how to detect and respond to an event. In the event you are ever the victim, you should be able to detect it and call someone who can respond quickly. This response time is another defect of a large organization (how many months did Yahoo cover up the attack on their network, or should I ask how many years?). You know who to call if anything on your network or bank account is manipulated. Odds are you know all your vendors and you have the ability to hold someone accountable if need be. This accountability will greatly improve your security because they won’t be able to point the finger. If there is a hole in your firewall they can’t say it is because someone else opened it! If the wireless security is inadequate, you just have to call the person who set it up.
In closing, don’t assume how secure a network is based on its size or IT budget. I would trust a small company over a larger one any day.