A few months ago, my phone rang unusually late. Somebody at a company for which I had access to the intranet told me, with panic in his voice, that there'd been a hacker attack. It was difficult to see how much damage had been done, he told me, and so IT had decided to take the entire internal network offline.
Attacks like this happen in large companies every day. Sometimes they're done by "script kiddies," who use brute force to try out different permutations of login information until something gives way and they gain a foothold. Sometimes it's an organized group of hackers, patiently looking for weaknesses in the security system in order to secretly access confidential data. No matter the cause of the breach, the economic loss can be huge. In the case of my late-night caller, the ultimate cost amounted to several hundred thousand euros.
Most companies are well aware of the dangers, but even innovative midsize firms frequently spend too little on their IT security. A recent survey of German blue-chip companies found that only three out of 30 companies had a security system that encompassed all possible risks. Now, of course, all these businesses backed up their systems and relevant data, but hardly any of the companies actively tried to address future threats. It's the same problem with antivirus programs: They're fine when it comes to known attackers, but unknown threats are neglected.
Whereas large enterprises can afford to hire white-hat hackers and send them to regular security conferences, midsize enterprises simply don't have the necessary resources to follow this path. And that's a problem because these conferences are a great source of information about relevant patents, innovation, supply chains, and trends, especially since midsize businesses are increasingly attractive to cybercriminals. In the US, more than one third of hackers attack target companies with fewer than 250 employees.
Despite all the tools at companies' disposal, the biggest IT security challenge remains employees' lack of understanding. At a large German automotive supplier, the security settings have been set to "paranoid." Laptops can't be connected to each other, USB drives are only recognized with the correct signature, and sensitive data is stored only on drives that aren't hooked up to the network. That's all well and good, but as the data security officer noted, staff were so annoyed by the tedious way in which data had to be moved about that they started bringing their own devices to work. Also, employees began creating rogue Dropbox folders, stuffed with data, to circumvent the rigorous security rules. The entire security structure was undermined because staff found the IT department's data restrictions too tiresome and burdensome.
Companies embracing BYOD are always exposed to particular risks. Although these devices aren't allowed to join the internal network, there are specially developed apps that employees can use to access the in-house network through a gateway. After all, emails and documents need to be available if staff are to work efficiently. The snag here is that many employees aren't particularly conscientious about updates -- and this can rip huge security holes in the structure. One person's forgotten iOS update may create dozens of holes that are well known to every single hacker. IT security really ought to check each private device to make sure all updates have been properly installed, but there simply isn't enough time or personnel.
Many smaller companies give themselves a false sense of security. The classic "Hackers won't be interested in us" argument is one that we've all heard again and again. But anyone who's witnessed an identity theft and seen how fast scammers use stolen login information to order goods that are then shipped to Eastern Europe knows that's a poor argument. And not even the president or his wife, Michelle Obama, are safe from attack.
Dream the Impossible Dream
When celebrities like Michelle Obama can get hacked, how can midsize and small businesses protect their data, employees, and customers?
(Source: Official White House Photo by Lawrence Jackson)
Midsize and smaller companies should therefore ensure their security really is alert to every possible threat and can also prepare for new, unknown attacks. Otherwise precious data will quickly end up in the wrong hands. And that'll turn out to be more expensive than paying a professional consultant beforehand.
— Charlotte Erdmann comments on a wide range of technologies from her base in Berlin. In addition to blogging, she is a media and communication consultant, organizing and managing large customer magazines and marketing activities within the IT industry.