Sadly, many SMB owners fail to learn the lessons of cybersecurity preparedness despite being bombarded with messages from the media and fellow entrepreneur victims. With small IT departments and little to no money budgeted for security, many small businesses mistakenly believe that hackers only target websites belonging to the “big boys.”
The balance of power in the cyber realm is constantly shifting in a virtual cat and mouse game; with hackers exploiting hardware and software while researchers constantly race to discover ways to “patch” or close these same vulnerabilities. No matter how high we build our “palace walls” in cybersecurity, hackers are constantly finding new ways to circumvent them. As with most things in the security realm, the best defense usually boils down to having good offensive capabilities and planning.
The vast majority of cyberattacks are entirely unpredictable and often based on mostly random circumstances – like the model of computer or version of software that we currently use. Sophisticated scanning tools are readily available on the dark web and in hacker forums that give anyone the capability to quickly scour the internet for signs of vulnerability, and then hone in on it like a laser. Enterprises must begin to prioritize their data based on its value to hackers. Once you identify your most valuable assets, then you are able to implement a coherent, and layered protection framework.
The prevailing attitude among many business owners who don’t have a security background is that a website attack “won’t likely happen to me!” Once we embrace the notion that our systems have likely already been or will be penetrated, then we can take proactive steps that are perhaps outside our conventional thinking – which is a crucial step for each of us to understand the “new normal” conditions that advanced threats present today. Reaching this conclusion is not an admission of failure, but rather an acknowledgement of how much has changed in the world around us.
Part of this new reality is that hackers, usually working alone or in loose collaborations, are nimble and able to act much more rapidly than their cyber-adversaries, the enterprise security groups – which usually rely on a reactive “monitor, detect, respond” strategy. Security teams are often crippled by an overreliance on complex technology to watch and warn us (resulting in a lengthy time before detection). We must instead embed in our minds what “normal” activity looks like, and be ready to quickly implement pre-approved actions that allow teams to respond immediately to a potential website attack.
The traditional perimeter solutions that we have relied upon for years are losing their effectiveness since hackers place more value in motive opportunities than they ever have previously. Websites can be a very appealing target, rich with information even an SMB owner could potentially not even know is there. Waiting until the alarms go off is much too late to start getting serious about the security of our brands, companies, and institutions – regardless of your company’s size. But organizations can develop a proactive approach by keeping the data we must protect at the heart of our security operations and having an honest conversation about our own capabilities for handling all of the fallout normally associated with a website attack and a resulting data breach (reputation, customer loyalty, legal, public relations, etc.)
The sooner that we swallow this bitter truth and employ new thinking, the quicker we can recover after a breach that can often be devastating.
About the author: Avi Bartov is co-founder of GamaSec (www.gamasec.com), a global provider of website security solutions for small and medium-sized businesses. A technology executive who led several companies to success in Europe and Israel, Avi has more than 20 years of experience in IT security management and is a graduate of Nanterre University with a degree in international law.