The risk of attack is increasing, but few small to midsize businesses are taking the basic measures needed to prevent it. The costs incurred from a compromise are vast; damaged systems and software must be replaced - and that's on top of the legal and PR costs.
But minimising the risks is simple; a good place to start is identity management. Affordable tools aimed at SMBs are becoming available through the cloud, providing similar levels of protection to those enjoyed by major enterprises.
Identity management comes in many guises, but essentially it involves authorising and authenticating the roles and privileges of individuals within a system. When used properly, it increases efficiency, improves the end-user experience, and ensures that a business complies with data protection regulations.
It's fairly straightforward; it can be achieved through manual processes or with tools and automation. ID management is also helpful in a 'bring your own device' (BYOD) environment, making it possible to control access to systems from different locations.
SMBs are especially vulnerable to cyber attacks as they often do not have proper security measures in place. In fact, the size of the business can be one of the reasons why they are targeted, says Sanchit Vir Gogia, Chief Analyst and CEO at Greyhound Research.
ID management tools are therefore a critical element of a smaller company's cyber security strategy. "There is an urgent need to have systems in place that are more sophisticated and provide an additional layer of security for data," Gogia says. "That is where identity management comes in."
Passwords are often the biggest vulnerability. Sometimes they are weak, or can be discovered through 'spear phishing', in which an email from an apparently trusted source obtains the word or code. Also, a static password will be easy to crack, says Andy Aplin, CTO of Accumuli Security. He advises SMBs to look at two-factor authentication - used in online banking - as a proven method.
It involves each employee having a user name and a second level of identity, such as a password or number. "The first factor is a known entity and the second is unknown," Aplin says. "Whether you are authenticating email or Salesforce, two factor authentication is the only way forward."
Implementing a strategy
SMBs ought to have a policy for managing secure IDs and access credentials, says Gogia. This should include the ability to provision and de-provision user accounts.
But identity management systems themselves can also be a high value target of attacks, so they require extra attention to make sure they are secure, says Jim Fenton, Chief Security Officer at the OneID digital identity management service.
In order to prevent attack, try to establish a single source of "truth" for identity information, he advises. "This greatly simplifies the on-boarding and off-boarding process for employees and when roles change. It is particularly important with the trend towards cloud services that may be accessible from outside the boundaries of the corporate network."
One of the biggest risks is that an employee who has left on bad terms retains access to corporate data, says Fenton. "It's important for identity management systems to revoke access immediately in the event of a change of status," he adds.
But your strategy depends on your business requirements. For some firms, automated provisioning, with security policies in place, is the first priority. Others may consider access recertification - the process of ensuring everyone has access to only the applications they need to do their job - a high priority. Or eliminating multiple logins and multiple passwords could be most important.
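An added sketch (not from the article or any vendor named in it) of the off-boarding and access recertification checks described above: application accounts are compared against a single HR source of truth, and anything HR does not justify is listed for revocation. All user names, roles, applications and data structures here are hypothetical.

```python
# Constructed sample data: users, roles and applications are hypothetical.
HR_RECORDS = {  # single source of truth: user id -> employment status and role
    "alice": {"status": "active", "role": "sales"},
    "bob": {"status": "terminated", "role": "engineer"},
    "carol": {"status": "active", "role": "engineer"},
}
ROLE_APPS = {  # applications each role needs to do its job
    "sales": {"email", "crm"},
    "engineer": {"email", "source-control"},
}
APP_ACCOUNTS = {  # what each application reports today: app -> users with access
    "email": {"alice", "bob", "carol"},
    "crm": {"alice", "carol"},
    "source-control": {"bob", "carol", "dave"},
}

def recertify(hr, role_apps, app_accounts):
    """Return sorted (user, app, reason) revocations needed to match HR."""
    revocations = []
    for app, users in app_accounts.items():
        for user in users:
            record = hr.get(user)
            if record is None:
                # Account exists in the app but HR has never heard of the user.
                reason = "orphaned account: not in HR"
            elif record["status"] != "active":
                # Leaver or suspended employee still holding access.
                reason = "status is " + record["status"]
            elif app not in role_apps.get(record["role"], set()):
                # Active employee with access their role does not require.
                reason = "not needed for role " + record["role"]
            else:
                continue
            revocations.append((user, app, reason))
    return sorted(revocations)

if __name__ == "__main__":
    for user, app, reason in recertify(HR_RECORDS, ROLE_APPS, APP_ACCOUNTS):
        print(f"revoke {user} from {app}: {reason}")
```
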
Identity management solutions are offered by bigger vendors including Oracle as well as smaller and SMB-specific companies.
For many smaller companies, it will be advantageous to look at Identity as a Service (IDaaS) – where the identity infrastructure is managed by a third party in the cloud. This will cut costs and provide security you might not otherwise have been able to afford.
"IDaaS is a great way to save costs and avoid the need for extra employees to manage the aspects of the identity lifecycle," says Josh Forman, VP Services at cloud service Ilantus.
The company has a service specifically tailored to the SMB market in the form of the Identity Lifecycle Solution, a suite of tools that runs in the Ilantus cloud or on-premises. "The solution supports modular deployment – so customers can choose which aspects of the identity lifecycle they would like to implement, and in what order," says Forman.
Gogia says that cloud services such as Okta and Ping Identity are also ideal for SMBs.
Accumuli, which serves firms of all sizes, offers users a token with a password to enter when they log in. "The token lasts 60 seconds. We have taken away the headache of identity management at the same level," says Aplin.
The token could be tied to Microsoft's SharePoint, as well as email, Salesforce and BYOD, Aplin says. "When you are assigned a token you get a PIN number then the token itself to get a six digit number that changes every 60 seconds. So without a PIN, if the token is stolen it is worthless."
Those who already have the infrastructure in place can just buy the tokens, which cost "hundreds of pounds rather than thousands", says Aplin.
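An added sketch (not Accumuli's code) of server-side checking for a token like the one described above: a six-digit code that changes every 60 seconds, accepted only together with the user's PIN. The article does not name the algorithm, so this assumes RFC 6238 TOTP with HMAC-SHA1; the secret, PIN and salt values are constructed.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds a code stays valid, as in the article
DIGITS = 6   # six-digit code, as in the article
DEMO_SECRET = b"12345678901234567890"  # constructed: the RFC 4226 test key

def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for the time step containing `now` (assumed RFC 6238, HMAC-SHA1)."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TokenVerifier:
    def __init__(self, secret: bytes, pin: str, salt: bytes):
        self.secret = secret
        self.salt = salt
        self.pin_hash = hash_pin(pin, salt)
        self.last_counter = -1  # highest time step already accepted (replay guard)

    def verify(self, pin: str, code: str, now: float) -> bool:
        """Accept only a correct PIN plus the current, not yet used, code."""
        counter = int(now) // STEP
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        expected = totp(self.secret, now).encode()
        code_ok = hmac.compare_digest(expected, code.encode())
        if not (pin_ok and code_ok) or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True

if __name__ == "__main__":
    verifier = TokenVerifier(DEMO_SECRET, "4821", b"constructed-salt")
    print(verifier.verify("4821", totp(DEMO_SECRET, 30), 30))  # PIN and code match
    print(verifier.verify("0000", totp(DEMO_SECRET, 61), 61))  # token without the PIN
```

A real deployment would also rate-limit failed attempts and decide how much clock drift to tolerate; both are left out here.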
Meanwhile, OneID's service is not small company-specific, but can be used in a variety of environments including SMB. It can also be used as an authentication front end for other identity management systems.
As cyber attacks on smaller firms become commonplace, having an ID management strategy that uses tools such as cloud services is essential. Identity management is a good basis for security and, with solutions that do it all for you, it doesn't have to be complex.