The Big Shift to Cloud-Based Security
WHY SMALLER ORGANIZATIONS ARE VULNERABLE
Media stories about breaches tend to focus on headline incidents such as the Target breach and the
Heartbleed vulnerability, which helps foster an illusion of safety for smaller organizations. Eight
breaches during 2013 alone exposed more than 10 million identities each, according to Symantec's
Internet Security Threat Report 2014. But to say, "My company doesn't offer a sliver of that
opportunity to a cybercriminal," misses the key point. The direct and indirect costs of just one
successful breach can bankrupt a small-to-mid-sized company. And a company of any size that is
connected to the Internet is vulnerable. Here are three reasons why:
• Cyberthreats and regulations don’t care about business size
Most attackers don't care whether they're targeting a Fortune 25 firm or a small-town
manufacturer with 25 employees. In fact, security incidents with confirmed data loss
affected more small companies than large ones in 11 of 18 industries, according to the
Verizon 2014 Data Breach Investigations Report. These breaches were overwhelmingly
skewed toward smaller companies (defined by Verizon as under 1,000 employees) in the
Accommodation, Professional, and Retail industries. The common driver for cybercriminals
is to steal and sell data and identities. Regulators expect the same security diligence
from mid-sized and small firms as from large corporations. Consider the various data
breach disclosure laws: they are triggered not by the size of the company but by the
quantity and type of customer records that are breached. While there may be slight
differences in how mandates such as HIPAA, PCI DSS, and others apply to mid-sized and
even smaller firms, their overarching impact is the same.
• Software flaws: an ever-growing concern
The number of software vulnerabilities announced daily shows no sign of letting up.
According to the Common Vulnerabilities and Exposures (CVE) List, sponsored by the National
Cyber Security Division of the U.S. Department of Homeland Security, more than 6,100
software flaws were reported from August 2013 through July 2014. That's over 16 newly
announced software flaws every day. These vulnerabilities, which give malware and attackers
a way into protected systems, are equally damaging to businesses large and small. And it's
not just endpoint operating systems, servers, and on-premises software that are at risk.
Websites also pose an enormous risk: according to the same Symantec report, 77% of
legitimate websites have exploitable vulnerabilities, and one out of every eight websites
has a critical vulnerability.
• The extended business risk: partners, suppliers, and other stakeholders
All businesses are under internal and external pressure. Targeted attacks such as
spear-phishing often aim at smaller organizations. During 2013, 61% of spear-phishing attacks
were on organizations with fewer than 2,500 people, and 30% hit companies with fewer than
500 people, according to Symantec. The supply chain department was a primary target.
Consequently, businesses are demanding to see the security and risk management
plans of those with which they do a significant amount of business. They want to know
about your disaster recovery and business continuity procedures. They want to know
how you manage security defenses. And they want to know how you are protecting their
confidential information.
COMMON APPROACHES TO SECURITY ARE TOO EXPENSIVE
Unfortunately, while security threats and regulatory compliance mandates affect all companies,
it's the mid-sized and small businesses that often lack the staff and budget needed to fight
the threats and maintain compliance cost-effectively. Consider the SMB Information Protection
Survey by Applied Research (published by Symantec in 2010), which found that, globally, small
and mid-sized businesses spend two-thirds of their IT management time, and $51,000 annually,
on cyber security. That is twice the time and 27.5 percent more budget than they spend on
other areas of computing. That's simply too high a price for security.
Small and mid-sized businesses today are spending 66% of their IT management time focused on security concerns.
Qualys customers in mid-size and smaller organizations are telling a similar story. They say too
much time is wasted on installing, maintaining, and managing security software and hardware.
The biggest portion of this cost is labor.
The net result? Security efforts fall short: the tools prove tough to manage, require dedicated