Bad actors know Small and Medium Business (SMB) segment has much lower security protections than larger firms and they are using this soft underbelly to infiltrate critical systems.  They also know that these SMBs are easy ways into big companies.  How?  Just follow any companies supply chain—for example, take a large aircraft manufacturer building the next jet liner and you will find more than 2,000 suppliers in over 20 countries delivering the components, parts, systems and hardware that is required to assemble the aircraft.  If you look at some of those suppliers you will find the same thing (they each have several suppliers and so on…).  This corporate to corporate commerce is what keeps our global economy going and growing.  The problem is that all of these supplier companies do not have the same emphasis on securing their networks as the large aircraft manufacturer—that creates a big hole and one that a bad actor can exploit.  If the bad actor can compromise the big company (aircraft manufacturer) via one of the suppliers in their supply chain they will easily do it.  This is why customers are beginning to audit their suppliers security infrastructure/policies and replacing suppliers that have weak controls…

Example: Target was compromised by an HVAC vendor (more).

Many SMB executive still believe that a firewall and anti-virus software will protect them from a bad actor exploiting their company—what they don’t understand is that the biggest issue is not a bad actor ‘breaking in’ it’s their employees unintentionally letting the bad actor through the firewall without knowing they did…

Firewall and Anti-Virus protection are still necessary but they are not enough in today’s cyber threat landscape.   The Fortune 1000 have Intrusion Detection Systems (IDS), Intrusion Protection Systems (IPS), Security information and event management Systems (SIEM), Threat Intelligence and End Point technologies… On top of all of that they have many security analysts using the data and tools to weed out the bad actors from their infrastructure.   They also have corporate employee policy documents that contain cyber security provisions, cyber insurance, employee cyber training etc..

The SMB cannot afford this type of protection however they need to do more than a firewall and anti-virus or they will be the next victim.   So what should an SMB exec do?

The first step in securing a corporate environment should start with good corporate employee cyber security policies with controls, enforcement and consequences.   These policies should include the use of social networking, personal email, mobile phones etc. on the corporate network as well as many additional items.  (more)

The second step is training employees, contractors and even vendors on both the policies as well as general security protections such as understanding how a Phishing attack occurs.  Here are a few good slide decks to use to train end users and executives…  The training goes into how a bad actor will exploit an end user that does not keep software up to date (such as Java, Flash and Windows security patches), an end user that uses insecure mobile applications on Android phones, a user running risky software such as TOR and Bit Torrent and a user that clicks on attachments, links and unsafe websites—all of these scenarios invite an exploit!

The third step is to ensure the company has a cyber-liability insurance policy in place.  These are not expensive and should be a part of every businesses insurance portfolio.

The fourth step is to use a managed security services provider to offer low cost security services such as Defensative’s NetWatcher service that can keep an eye on your network and look for anomalous behavior 24×7 365 days a year.

According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. And of those, some 60 percent go out of business within six months after an attack.

Don’t lose business because your company can’t pass a customer driven security audit…