Eeny meeny miny moe, I’ll steal your data then I’ll go! A recent study by the Ponemon Institute reports that more than 50% of Small to Medium Businesses (SMBs), that’s every other business, folks, were breached in the past year. The study was sponsored by password management provider Keeper Security and surveyed 600 IT leaders at businesses with between 100 and 1,000 employees. The study found the following:
- Confidence in SMB security is low, with only 14% of the companies surveyed rating their ability to mitigate cyber-attacks as highly effective.
- 50% of respondents reported that they had data breaches involving customer and employee information in the last 12 months.
- Three out of four survey respondents reported that exploits have evaded their anti-virus solutions (social engineering?).
- 59% of respondents say they have no visibility into employees’ password practices and hygiene.
- 65% do not strictly enforce their documented password policies.
- Insufficient personnel, budget and technologies are cited as the primary reasons for low confidence in cybersecurity.
Negligent employees and contractors caused most of the breaches, though for almost one third of the companies surveyed the root cause of their data breach was a mystery. What can we take away from this? Stress, re-stress and repeat more of the basics to our clients:
- Create and enforce a comprehensive employee decommissioning process so that credentials for former employees are disabled or removed as soon as the employee is no longer with the firm.
- Limit access for employees and contractors to only what they need and no more. Stop handing out administrative rights left and right. Right?
- Set and enforce a comprehensive password policy, and actually check that it is followed. A forced change on a regular basis makes it less likely that an employee’s Facebook password doubles as their employee password, but rotation alone does not prove that; if you can, screen new passwords against lists of known-breached passwords and require multi-factor authentication on anything reachable from the Internet.
- Start and continually run a phishing awareness program. The program has to be sustainable and continuous in order to be effective.
- Separate company and guest wireless traffic. Allowing guest devices onto the one and only wireless network is an invitation to share digital diseases with someone’s personal phone.
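The first three items above are easy to write down and hard to prove you are doing, which is exactly the visibility gap the survey respondents admit to. The script below is an added example (not part of the original post or the Ponemon study) of how a small shop could audit all three from a flat directory export and an HR termination feed. The usernames, group names, dates, approved-admin roster and 90-day maximum password age are all constructed assumptions; swap in your own directory's export format and your own written policy values.

```python
"""Audit a directory export for decommissioning, admin-sprawl and password-age gaps."""
import csv
import io
from datetime import date, timedelta

# Constructed sample directory export (hypothetical accounts, not survey data).
DIRECTORY_EXPORT = """\
username,enabled,groups,last_password_change
alice,true,Domain Users;Domain Admins,2019-01-10
bob,true,Domain Users,2019-06-01
carol,true,Domain Users;Domain Admins,2019-05-20
dave,false,Domain Users,2018-11-02
erin,true,Domain Users;Helpdesk,2019-03-15
"""

# Constructed HR feed of staff who have left, with their last day.
HR_TERMINATIONS = """\
username,termination_date
bob,2019-07-01
dave,2019-02-14
"""

# Assumed policy inputs: who is approved for admin rights, which groups
# count as administrative, and the maximum password age in the written policy.
APPROVED_ADMINS = {"alice"}
ADMIN_GROUPS = {"Domain Admins"}
MAX_PASSWORD_AGE_DAYS = 90


def parse_directory(text):
    """Return one dict per account with typed enabled flag, group set and password date."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "username": row["username"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "groups": {g.strip() for g in row["groups"].split(";") if g.strip()},
            "last_password_change": date.fromisoformat(row["last_password_change"].strip()),
        })
    return users


def parse_terminations(text):
    """Map username -> termination date from the HR feed."""
    return {row["username"].strip(): date.fromisoformat(row["termination_date"].strip())
            for row in csv.DictReader(io.StringIO(text))}


def find_stale_accounts(users, terminations, as_of):
    """Decommissioning gap: accounts still enabled after their owner's last day."""
    return sorted(u["username"] for u in users
                  if u["enabled"] and u["username"] in terminations
                  and terminations[u["username"]] <= as_of)


def find_excess_admins(users, approved, admin_groups):
    """Least-privilege gap: enabled accounts in an admin group without approval."""
    return sorted(u["username"] for u in users
                  if u["enabled"] and u["groups"] & admin_groups
                  and u["username"] not in approved)


def find_expired_passwords(users, as_of, max_age_days):
    """Policy-enforcement gap: enabled accounts whose password is older than policy allows."""
    limit = timedelta(days=max_age_days)
    return sorted(u["username"] for u in users
                  if u["enabled"] and as_of - u["last_password_change"] > limit)


def audit(as_of):
    """Run all three checks as of a given date (ISO string or date) and return findings."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    users = parse_directory(DIRECTORY_EXPORT)
    terminations = parse_terminations(HR_TERMINATIONS)
    return {
        "stale_accounts": find_stale_accounts(users, terminations, as_of),
        "excess_admins": find_excess_admins(users, APPROVED_ADMINS, ADMIN_GROUPS),
        "expired_passwords": find_expired_passwords(users, as_of, MAX_PASSWORD_AGE_DAYS),
    }


if __name__ == "__main__":
    for finding, names in audit("2019-08-01").items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Run as of 2019-08-01 on the sample data, it flags bob (left 2019-07-01, account still enabled), carol (Domain Admins without approval) and alice and erin (passwords older than 90 days); dave is ignored because his account was actually disabled. Disabled accounts are skipped in every check on purpose: the question is what an attacker could still use, not what exists in the directory. Schedule it against a fresh export and the findings list becomes the visibility the survey says most SMBs lack.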
More information on the Ponemon survey can be found here.