
Why Security By Obscurity Is No Longer An Option For Small Businesses

Quite often in my endeavors with clients I encounter two different philosophies toward IT security among small businesses. There are small businesses in fields that require them to meet certain standards, and they are therefore ahead of the curve. Likewise, there are small businesses that aren't aware of the standards and regulations; some are taking guesses in hopes that nothing bad happens. The attitude isn't truly based on a belief that IT security is unnecessary; it is mostly an assessment of cost versus benefit. Small businesses that are not on the radar to most typically believe that they are not a target, and therefore opt out of purchasing certain tools or working fully with IT security experts until their companies expand. There is logical reasoning for this, but it also leaves smaller businesses at a disadvantage and can be costly later on.

What Is Security By Obscurity

According to most security experts it is defined as:

A principle of security engineering that attempts to use anonymity and secrecy (of design, implementation, and so on) to provide security; the footprint of the organization, entity, network is kept as small as possible to avoid the interest of hackers. (CEH Exam Guide Second Edition).

There are a few problems with this theory. Let's list them:

1. It relies on the assumption that the hackers do not already know you exist.

2. It ignores independent hackers that are specifically looking for smaller, vulnerable targets.

3. It allows systems admins and personnel to ignore some flaws, based on the assumption that those flaws are unknown by outsiders.

These are major disadvantages. The assumption that hackers will leave you alone simply because you're small has been debunked and is no longer a reality. In fact, last year Congress had to address the attacks against small businesses, noting that 14 million businesses in the U.S. were vulnerable. They passed the Main Street Cyber Security Act of 2017. As large companies harden themselves with the best tools and best experts, smaller companies become easier and more desired targets. A 2016 survey had shown that hackers breached nearly half of all small businesses. The danger is greater for smaller companies, because recovery takes much longer. If a smaller company's systems go down, spinning those systems back up could take weeks or days, losing valuable revenue.

In conclusion, the days of invisibility for small companies are over. As always, we speak from the perspective of hackers to help those who need IT security. You are no longer invisible, yet you remain an easier and more vulnerable target than your larger counterparts.

Featured Image is from www.lynda.com

