There’s been plenty written about the topic of big data and how it is reshaping everything that modern businesses do. Most of the discussion has centered on a perceived shortage of skilled workers in the field and how businesses spread across multiple industries are finding ways to overcome it. There’s another, much bigger problem associated with the big data revolution, though, and it’s a problem that people only tend to discuss in abstract terms – until something goes wrong.
The problem, of course, is how businesses are going to control and protect all of the data that they’re amassing on a daily basis. Even a casual observer can see that the efforts to do so have thus far been inadequate, and that’s being kind. In November, global hospitality services company Marriott, Inc. revealed that it had been the victim of a data breach that exposed the information of 500 million of its customers. The unauthorized access had been going on since 2014, laying bare just how hard it is to detect certain types of intrusions, as well as how bad the damage can be when a breach goes undetected.
The Tip of The Iceberg
Marriott is far from alone. For businesses in the SME space, the problem is much worse. According to the most recent statistics, small businesses were the victim of 58% of all data breaches, and that was before big data started to penetrate the market. Now that it has, there’s every reason to believe that malicious actors will target SMEs even more often, seeing them as the least prepared to defend themselves. That eventuality means that cybersecurity must become a top priority for SME owners and their IT staff. To get their defenses up to an acceptable level, here are four steps that SME decision makers should take right away.
Upskill Existing IT Staff
Before taking any steps to upgrade data security through improvements in technology and infrastructure, it’s first necessary to make sure that the proper staff is in place to manage and operate it. First and foremost, SMEs should evaluate their existing IT staff (when relying on in-house technology management) to determine which employees, if any, possess expertise in information security. Since it’s a field that has only recently risen to prominence, there’s a good chance that it won’t be a strong suit of existing staff. To remedy that, it’s a good idea to subsidize additional training for IT staff. Today, eLearning platforms make it both possible and cost-effective to earn advanced cybersecurity certifications, all the way up to a Master of Cybersecurity for already credentialed employees. It’s also a good idea to provide generalized data security training for all staff, regardless of their existing skill level.
Deploy Intrusion Detection and Prevention Tools
The next step in upgrading SME data security is to make sure to secure internal company networks and harden them against attacks from the outside. The most common way to do so is through intrusion detection and prevention (IDS/IPS) enabled at the business firewall-level. Most up-to-date commercial firewalls will include at least some form of IDS/IPS system, which should be enabled and properly configured if it isn’t already. For businesses with more dated equipment or for whom budget is an issue, deploying an open-source solution like Snort should provide plenty of protection. It’s also critical to invest in an IDS/IPS solution for any cloud-based services that may be in use, as that is a common point of entry into business networks.
Develop a Conservative Data Retention Policy
The number one reason that SMEs get themselves into trouble with regards to data security is the tendency towards retaining all kinds of data they don’t need. When that happens, it becomes much harder to manage said data and much easier to make mistakes that lead to major security headaches. The key to preventing that is to craft and execute a conservative data retention policy that makes sure the business is only keeping necessary information and disposing of the rest. That single step will minimize the practice of data hoarding, which is becoming all too common in SMEs today. To minimize risk, SMEs should work with their big data teams and legal advisors to determine what data is mission-critical, and what can be jettisoned. The rule of thumb should be, if you can’t demonstrate value in keeping data, don’t keep it – it isn’t worth the risk.
Deploy Hardware Keys
Although there are a variety of vectors that hackers use to gain access to protected data, the most common types of attacks leveled against SMEs involve phishing or other attempts to compromise employees’ access credentials. While offering comprehensive data security training to all staff is a great way to minimize that threat, the fact is that no employee will ever be infallible, and leaving data security in their hands isn’t the best option. To keep data secure, it’s a much better option to deploy hardware keys and introduce two-factor authentication to all business systems. That way, no outsider can gain inappropriate access to company data just by stealing an employee’s credentials; they’d need the physical key as well. Tech giant Google introduced such keys in early 2017 and hasn’t had a single instance of a successful phishing attempt against an employee since. If it worked in a complex environment like Google’s, it should be more than sufficient to protect an SME.
Act Now, Stick With It
Although the four steps outlined here will help the average SME to take control of the data they’re collecting and act to secure it, they’re not a panacea. That’s because cybersecurity is an ever-evolving field with threats that change on a near-constant basis. To stay ahead of the curve, SMEs must reevaluate their data security posture at regular intervals, taking into account new developments in the field. From time to time, emerging threats will require immediate action to maintain data security, ranging from simple policy adjustments to defensive hardware and software upgrades. Only SMEs that remain proactive will win at the cat-and-mouse game that is modern cybersecurity, and be able to move confidently into the big data future without fear of undue risk.
Businesswoman using digital screen