Data Security Breaches in Small and Medium Enterprises

Executive Summary

SMEs as well as large businesses are the targets of hackers. As large businesses have more resources and greater IT budgets for data security protection measures, SMEs become a more attractive and easier catch for hackers. There is a wide array of data security breach threats that SMEs face today. Some of the most common threats include: planting of virulent viruses; erasing of a customer database and copying of personnel records; stealing of credit card details (both employees' and customers'); rifling through correspondence files, etc. In order to protect network systems and databases and to prevent data breaches, SMEs need strong but simple and cost-effective solutions. While there are some specially designed protective technologies, there are also many measures and efforts that can be undertaken by the company without involving contractors. These key measures focus on employee training; development and introduction of corporate policies related to data security; designation of a banking-only computer; and usage of data back-up services. Also, it is important to note that an integrated and comprehensive approach should be adopted at all levels of the company's business operations in order to cover all gaps and potential sources of data/network attack.

Introduction

In January 2013, Sony Computer Entertainment Europe was fined almost £250,000 by the British Information Commissioner's Office for a serious breach of the Data Protection Act (1998) as a result of a hacker attack obtaining personal data on 70 million subscribers on its PlayStation network in April 2011 (Ategrity.com, 2013). There are many other similar cases of data security breaches that have recently occurred at such large businesses and institutions as Tesco, eBay, The University of Connecticut Health Center, the Nursing and Midwifery Council, and others (Ategrity.com, 2013).
However, data security breaches also occur at small to medium enterprises (SMEs), which typically cannot afford such fines or even the damage to their reputation. Moreover, while many large organizations have already adopted best practice in order to ensure data and network security, the UK's smaller businesses are less likely to take the required protection measures (Computerweekly.com, 2006). SMEs are more likely to permit weak or easily guessable credentials, use of default user credentials, etc., which makes them relatively easy victims of automated dictionary attacks (Chabinsky 2013). This applies especially to SMEs operating in the e-commerce sector, as their websites are driven by databases where details about customers and stocks are stored (MacKinnon 2012). According to survey results, the most common threats related to data security include virus infection, staff misuse of information, data corruption and systems failure (Clear 2007). The aim of this research is to provide a critical overview of how SMEs can protect themselves against such data security breaches.

Main findings

Typically, malicious hackers or criminal collectives do not purposefully attack SMEs, as happens in the case of large companies. However, there are still many different threats related to data security that SMEs can face in a hostile business environment. These risks are often associated with daily non-targeted automatic attacks, which attempt to attack any computer with security gaps (Pinzon 2008). Whether these attacks are thoroughly planned or automatic makes little difference to the business owner who has already become a victim of hackers. There is a huge variety of attacks, such as: planting of virulent viruses; erasing of a customer database and copying of personnel records; stealing of credit card details (both employees' and customers'); rifling through correspondence files, etc. (Gupta & Hammond 2005).
If an enterprise has inadequate data security practices, the chances of these attacks being successful increase. Data security breaches could not only incur legal action but also compromise the company's reputation and thus erode consumers' trust and confidence (Lightspeed Consulting n.d.).

Models and technologies

There are several security measures, including various models and technologies, which can be implemented in order to help SMEs tackle the above security threats and ensure a high level of data security (Sahandi, Alkhalil & Opara-Martins, 2012). A more detailed overview of some of these measures is provided below.

Octave-sm

The Operationally Critical Threat, Asset, and Vulnerability for small and medium companies is a method which has been developed specifically for small enterprises with a headcount not exceeding 100 people (Kajtazi, 2008). It is comprised of three key phases: identification of the critical assets and the threats to these assets; identification of technological and organizational vulnerabilities; and development of a protection strategy and a plan for risk mitigation (Cert.org, n.d.).

ISO 270001

One more method focused on a company's data security is ISO 270001, which implies specialized training for employees on how to treat data security. Also, such accreditation forces business owners to set up proper operations, which also contribute to data security (Thompson 2014).

Firewalls

Firewalls as a measure to protect SMEs from data breaches have been mentioned in practically every piece of literature on data security. However, this method of protection has significant security limitations. For example, suppose a customer phones the company to inquire about the number of the credit card which is on file for his account (providing personal information to an employee); the employee searches for the card details on the computer, finds them, and dictates them to the caller (Lightspeed Consulting n.d.).
If the caller is not a true customer, there is a high risk of a payment card data breach.

Payment Card Industry-Data Security Standards (PCI-DSS)

PCI-DSS is an internationally recognized data security standard, which was developed in order to minimize the risks of card data fraud and theft. Therefore, compliance with these standards is especially recommended for those businesses whose activity involves usage of credit and debit cards and who need to protect the integrity of consumers' data (Sahandi, Alkhalil & Opara-Martins, 2012). Moreover, any organization willing to take part in any stage of the processing of credit card transactions should legally comply with the PCI DSS (Chuvakin, 2012).

All these security technologies can be provided by special firms which act as the installers of technology. However, such an approach has substantial limitations, as it often doesn't provide initial and ongoing consultancy, training, and audit services (Robinson 2001). Thus, entrepreneurs may install the technology and feel that this protection is enough, even though it is only temporary and/or partial protection (Robinson 2001). In order to avoid a false sense of security, SMEs need to have “simple, flexible, efficient and cost-effective security solutions” (Goucher 2014, 19; Robinson 2001). Pinzon (2008) has identified ten basic threats for SMEs and suggested some key measures that should be taken in order to mitigate the risks of various attacks. These threats and measures are summarized in the table below.

| # | Threat | Measures to take |
|---|--------|------------------|
| 1 | Automated exploit of a known vulnerability | To scan the network and to identify missing patches and software updates; to minimize the number of installations in the network; to increase awareness among employees about dangerous e-mails |
| 2 | Malicious HTML email | To use spam filtering products; to monitor all web traffic for appropriateness through an outbound web proxy server |
| 3 | Reckless web surfing by employees | To introduce web content filtering; stricter policies |
| 4 | Web server compromise | To audit the web app code |
| 5 | Data lost on portable device | To proactively defend physical gear and promote this among employees; to ensure that corporate mobile devices are protected with passwords; to install servers and software that will centrally manage mobile devices; to encrypt USB flash drives |
| 6 | Reckless use of Wi-Fi zones | To require employees to connect to a company-authorized computer via a Virtual Private Network or other encryption method; to select reputable hotspots |
| 7 | Reckless use of public kiosks and hotel networks | To ensure that employees using laptops in public places have comprehensive defenses against viruses, worms, malware, spyware, etc.; to install integrity and security checks at headquarters for clients who want to access the company's servers |
| 8 | Poor configuration | To perform an automated audit scan or hire a consultant for penetration testing; while installing networking devices, always to change the default username and password; to choose easy solutions for the network |
| 9 | Lack of contingency planning | To develop information assurance methodologies |
| 10 | Insider attacks | To implement the principle of dual control, whereby information on the login credentials for the servers is known to more than one person; to formalize the hiring process (doing background checks); to reduce the opportunity for mischief by introducing and complying with a strict policy of locking computers with passwords when employees leave their workplace unattended; no sharing of passwords between co-workers; subdividing of the network by using firewalls |

Table 1. Computer security threats faced by SMEs and measures to take (Pinzon 2008)

SMEs will thus gain an even greater level of cyber security if management focuses on monitoring and control of accounts, deploying end-to-end encryption solutions, adopting meaningful back-up strategies, and updating third-party applications and operating systems (Chabinsky 2013).

On Benefits

Even though the benefits of data security are obvious, it is worth mentioning two key benefits supported with some examples. First of all, data security enables businesses/managers to store, process and transmit data securely (Kimwele 2014). This relates to a variety of operations, especially those related to online payments. Secondly, data security helps a company avoid a bad reputation and fines related to an inappropriate security policy. It is essential for any type of business regardless of its size and the industry in which it operates. If the company has followed internationally approved security frameworks and schemes, there will be fewer risks of judicial proceedings.

On Limitations

The security methods and technologies discussed above have obvious benefits for SMEs, but it is also vital to understand their limitations. The first limitation lies in the model which the SME has chosen. In order to choose a proper security method, it is necessary to analyze what kinds of attacks it encompasses (Damgård, 1999). Usually, these models do not protect from certain classes of attacks, such as differential fault analysis, timing attacks, and differential power analysis (Damgård, 1999). While some models and security schemes do fall to these classes of attacks, it is still worth checking. Another significant limitation refers to cases when the security scheme is already in use. Sometimes, the security can be proved but in the wrong model or for the wrong problem (Damgård, 1999).
Also, users of security models can use protocols incorrectly, or the software can be buggy (Damgård, 1999). One more limitation of data security is its high dependence on the human factor, which is viewed as the “weak link” in computer security (Kimwele 2014). This factor can subvert the best plans and technologies laid by security experts and system administrators. This issue has already been discussed in greater detail in the research findings.

Conclusions and Recommendations

As has been found, SMEs as well as large businesses are the targets of hackers. As large businesses have more resources and greater budgets for data security protection measures, SMEs become a more attractive and easier catch for hackers. In order to protect network systems and databases and to prevent data breaches, SMEs are recommended to pay more attention to data security protection. Namely, it is recommended to:

  • Introduce and reinforce compliance with the data security policy; enforce password policies with rules for complexity and frequent change (Devaney and Stein 2012);
  • Introduce a mapping of identified IT security metrics and the IT security issues/activities/aspects the metrics can measure (Devos, Landeghem, & Deschoolmeester 2013, 59);
  • Designate a banking-only computer to avoid payment fraud (Devaney and Stein 2012);
  • Use data back-up services;
  • Educate employees (Devaney and Stein 2012);
  • Adopt an approach for tackling IT security issues which deals with continual improvement and establishment of new measures should the implemented ones at any one particular time appear ineffective (Devos, Landeghem, & Deschoolmeester 2013, 59).

If the company's IT budget allows the introduction of specifically developed data security technologies, this can also be done in order to mitigate the risks and minimize the threats of data security breaches.
However, it is necessary to remember that installation of technology or signing a contract with an IT contractor or other firm will not guarantee automatic safety. SMEs should continuously undertake internal efforts aimed at their data protection.

References:

Ategrity.com. 2013, ‘Ategrity Solutions - Oracle Audit Vault’. Retrieved 16 August 2014, from http://www.ategrity.com/latest-news/
Cert.org. (n.d.). OCTAVE Method - Cyber Risk and Resilience Management, The CERT Division. Retrieved 22 August 2014, from https://www.cert.org/resilience/products-services/octave/octave-method.cfm?
Chabinsky, S. 2013, "Cyber Security for SMEs: Prioritize, Isolate and Protect", Security, vol. 50, no. 7, pp. 30.
Chuvakin, A. (2012). Building and Maintaining a Secure Network. PCI Compliance, 53-72. doi:10.1016/b978-1-59-749948-4.00005-9
Chuvakin, A. (2012). Introduction to Fraud, Data Theft, and Related Regulatory Mandates. PCI Compliance, 7-12. doi:10.1016/b978-1-59-749948-4.00002-3
Clear, F. 2007, ‘SMEs, electronically-mediated working and data security: cause for concern?’ International Journal of Business Science and Applied Management, vol. 2, no. 2, 1-20.
Damgård, I. (1999). Lectures on data security (1st ed.). Berlin: Springer.
Devaney, T. and Stein, T. 2012, Capital One Spark Voice: 5 Ways Small Businesses Can Protect Against Cybercrime. Forbes. Retrieved 22 August 2014, from http://www.forbes.com/sites/capitalonespark/2012/12/17/5-ways-small-businesses-can-protect-against-cybercrime/
Devos, J., Van Landeghem, H., & Deschoolmeester, D. 2013, Information Systems for Small and Medium-sized Enterprises (1st ed.). Dordrecht: Springer.
Goucher, W. 2011, ‘Do SMEs have the right attitude to security?’. Computer Fraud & Security, 2011(7), 18-20. doi:10.1016/s1361-3723(11)70075-6
Gupta, A. & Hammond, R. 2005, "Information systems security issues and decisions for small businesses: An empirical examination", Information Management & Computer Security, vol. 13, no. 4, pp. 297-310.
Kajtazi, A. 2008, A case study of InterAdria; regarding security strategy of a SME.
Kimwele, M. 2014. Information Technology (IT) Security in Small and Medium Enterprises (SMEs), Institute of Computer Science and Information Technology.
Lightspeed Consulting (n.d.). Why you MUST protect your customer data. Available at: http://www.lightspeedus.com/
MacKinnon, L. 2012. Data security and security data (1st ed.). Berlin [u.a.]: Springer.
Pinzon, S. 2008, Top 10 Threats to SME Data Security (and what to do about them). Watchguard.
Robson, R., Swain, A., Campbell, L., & Springer, S. (n.d.). Cyber security and fraud: The impact on small businesses, Federation of Small Businesses.
Robinson, F. 2001, High-end IT Security: No Longer a Distant Pipe Dream for SMEs. Computer Fraud & Security, 2001(9), 12-14. doi:10.1016/s1361-3723(01)00915-0
Sahandi, R., Alkhalil, A., & Opara-Martins, J. (2012). SMEs’ Perception of Cloud Computing: Potential and Security. IFIP International Federation For Information Processing 2012, 186–195.
Thompson, R. 2014, "The Small Business Cybersecurity Blindspot", Risk Management, vol. 61, no. 5, pp. 8-9.