Kaspersky Labs released a report on IT risk management, and the numbers are alarming enough to strike fear into the hearts of IT professionals. Or, at the very least, the report will certainly leave you shaking your head.
While many businesses recognize that data security is an important issue, they avoid taking basic precautions to protect their networks. After surveying 4,000 individuals from companies across the world, Kaspersky Labs found…
- Only 62 percent update software regularly with patches.
- Only 45 percent use specialized security features for financial transactions.
- Only 44 percent of respondents (down 5 percent from last year) are limiting data access among employees, a key way to prevent data breaches and leaks.
Are businesses doing anything to protect their data? Well, yes. As it turns out, 79 percent are using some form of antivirus software. But many security professionals express serious concerns about whether antivirus software alone is still effective (see our post, "Symantec Says Antivirus Is Dead. What This Means for Your Clients").
Why is antivirus software insufficient? It will catch run-of-the-mill attacks, but not more sophisticated exploits. Our post, "91% of Businesses Underestimate the Number of Cyber Threats They Face," discussed how over 300,000 unique malware variants were launched against businesses each day.
Beyond Antivirus: How to Step Up Your Clients' Data Security
Antivirus may have given some consumers and businesses a false sense of security. With antivirus loaded on their computers, users think they've done enough to protect their devices from harm. As an IT consultant, you need to make sure your clients don't operate under this misconception.
For any data security strategy to be successful, it needs commitment from the people it affects: the users. Unfortunately, as noted above, fewer than half of the surveyed professionals have basic data security measures such as limited data access in place.
As you work with clients to increase data security, recommend…
- Increasing security protocols for financial transactions. Some businesses have designated computers from which employees log on to make financial transactions (bank transfers, money management, etc.). Using designated computers – and keeping them free of unnecessary programs – reduces the risk of malware and security holes. That might be too extreme for some of your clients, but you should at least require them to use two-factor authentication for any online banking.
- Encrypting data. Many users turn off some encryption measures because they require users to enter a password and can automatically log them off their machines after a few minutes of inactivity. But this is really a small price to pay for added security.
- Increasing education about user-level security. In our post, "Re: Your Recent Spear Phishing Attack," we outlined how hackers have changed their strategies and improved the way they target small businesses in phishing campaigns. As hackers get smarter, users need to adjust their security habits.
- Emphasizing the importance of software updates. Updates can be inconvenient and difficult to implement at an industry-wide level. In addition, many small businesses have a patchwork of different software, which means some upgrades won't work with older parts of their IT. But delay carries its own risk: after software is updated, cyber criminals download the patch, dissect it, and figure out what flaws were fixed, so machines that have not yet applied the patch become obvious targets.
- Managing access to data. Controlling data access means two things: preventing unauthorized use and limiting improper use. For instance, an employee could download a spreadsheet to his laptop and take it home to work on. Depending on your client's security requirements, you might not want their employees to be able to access company data on their home network (or other uncontrollable environments).
Remember that you may need to dispel common misconceptions to get your clients to enforce these strategies. Remind clients that antivirus won't protect them from every threat. There's no silver bullet for data security. Instead, businesses need to be proactive and take an approach that emphasizes the user's role in securing data.