The risk of attack is increasing, but few small to midsize businesses are taking the basic measures needed to prevent it. The costs incurred from a compromise are vast; damaged systems and software must be replaced - and that's on top of the legal and PR costs.
But minimising the risks is simple; a good place to start is identity management. Affordable tools aimed at SMBs are becoming available through the cloud, providing similar levels of protection to those enjoyed by major enterprises.
Identity management comes in many guises, but essentially it involves authorising and authenticating the roles and privileges of individuals within a system. When used properly, it increases efficiency, improves the end-user experience, and ensures that a business complies with data protection regulations.
It's fairly straightforward; it can be achieved through manual processes or with tools and automation. ID management is also helpful in a 'bring your own device' (BYOD) environment, making it possible to control access to systems from different locations.
SMBs are especially vulnerable to cyber attacks as they often do not have proper security measures in place. In fact, the size of the business can be one of the reasons why they are targeted, says Sanchit Vir Gogia, Chief Analyst and CEO at Greyhound Research.
ID management tools are therefore a critical element of a smaller company's cyber security strategy. "There is an urgent need to have systems in place that are more sophisticated and provide an additional layer of security for data," Gogia says. "That is where identity management comes in."
Passwords are often the biggest vulnerability. Sometimes they are weak, or can be discovered through 'spear phishing', in which an email from an apparently trusted source tricks the recipient into handing over the password or code. Also, a static password will be easy to crack, says Andy Aplin, CTO of Accumuli Security. He advises SMBs to look at two-factor authentication - used in online banking - as a proven method.
It involves each employee having a user name and a second level of identity, such as a password or number. "The first factor is a known entity and the second is unknown," Aplin says. "Whether you are authenticating email or Salesforce, two factor authentication is the only way forward."
Implementing a strategy
SMBs ought to have a policy for managing secure IDs and access credentials, says Gogia. This should include the ability to provision and de-provision user accounts.
But identity management systems themselves can also be a high value target of attacks, so they require extra attention to make sure they are secure, says Jim Fenton, Chief Security Officer at the OneID digital identity management service.
In order to prevent attack, try to establish a single source of "truth" for identity information, he advises. "This greatly simplifies the on-boarding and off-boarding process for employees and when roles change. It is particularly important with the trend towards cloud services that may be accessible from outside the boundaries of the corporate network."
One of the biggest risks is that an employee who has left on bad terms retains access to corporate data, says Fenton. "It's important for identity management systems to revoke access immediately in the event of a change of status," he adds.
But your strategy depends on your business requirements. For some firms, automated provisioning, with security policies in place, is the first priority. Others may consider access recertification - the process of ensuring everyone has access to only the applications they need to do their job - a high priority. Or eliminating multiple logins and multiple passwords could be most important.
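An added example, not taken from the article or from any vendor it names: a minimal access recertification pass that checks application accounts against a single source of truth and lists the access to revoke. The directory, role mapping, user names and application names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: which applications each role needs (hypothetical).
ROLE_APPS = {
    "sales": {"email", "crm"},
    "finance": {"email", "accounting"},
}

@dataclass(frozen=True)
class Employee:
    user: str
    role: str
    active: bool

# Single source of truth for identity, for example an HR export (constructed).
DIRECTORY = [
    Employee("alice", "sales", True),
    Employee("bob", "finance", True),
    Employee("carol", "sales", False),  # has left the company
]

# Accounts that currently exist in each application (constructed).
APP_ACCOUNTS = {
    "email": {"alice", "bob", "carol"},
    "crm": {"alice", "bob", "carol"},
    "accounting": {"bob", "dave"},      # dave is not in the directory
}

def recertify(directory, role_apps, app_accounts):
    """Return sorted (user, app, reason) findings for access to revoke."""
    by_user = {e.user: e for e in directory}
    findings = []
    for app, users in app_accounts.items():
        for user in users:
            emp = by_user.get(user)
            if emp is None:
                reason = "orphaned: no matching directory entry"
            elif not emp.active:
                reason = "leaver: status changed but access remains"
            elif app not in role_apps.get(emp.role, set()):
                reason = f"excess: role '{emp.role}' does not need this app"
            else:
                continue  # access matches an active employee's role
            findings.append((user, app, reason))
    return sorted(findings)

if __name__ == "__main__":
    for user, app, reason in recertify(DIRECTORY, ROLE_APPS, APP_ACCOUNTS):
        print(f"REVOKE {user:<6} {app:<11} {reason}")
```

Running the same check on a schedule, and again whenever the directory records a status change, covers both the leaver case and periodic recertification.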
Identity management solutions are offered by bigger vendors including Oracle as well as smaller and SMB-specific companies.