It's not news that cybercriminals, like most criminals, prefer to target weak and vulnerable victims. Just as a thief would rather break into a home while the residents are gone, a hacker would much rather hit a company that doesn't have a full team of security experts.
According to the 2012 Verizon Data Breach Report, 71 percent of all data breaches are waged against companies with fewer than 100 employees. If you run one of these companies, you should know that the cost of being hacked averages around $36,000. You should also know that your employees are the single greatest threat to your security. Another Verizon report states that there's a 100 percent chance that at least one out of 10 people who are sent a malicious email will click a link in it (a phenomenon it calls the "inevitable click").
According to an article in The Wall Street Journal by Lou Shipley, CEO of security software firm Black Duck Software, there are a few ways startups and small companies can better protect themselves. See his tips below.
Get into the criminal's head.
In order to protect yourself from attackers, you have to start thinking like a criminal and figure out what data you have that is most valuable. Then, start securing that data. "Ask yourself: Who are my adversaries? Are they after my intellectual property and trade secrets? Do they want my customers' credit-card information? Or do they view my business as the weak link in some larger application?" Shipley writes. "This exercise can help you see where your vulnerabilities lie and also help you understand which measures you can take to protect your software."
Make sure your code isn't filled with bugs.
There are thousands of vulnerabilities in the software we use, which can provide a nice door for hackers to penetrate your network. Shipley says you need to keep your code clean. "Many commercial applications use open-source code as components," he writes. "The National Institute of Standards and Technology's National Vulnerability Database discloses more than 4,000 vulnerabilities in these components. Security software companies ... can help you identify and fix any problems with your applications' source code."
Outsource your security plan.
Shipley (who is the head of a security firm) says you should hand over the responsibilities to professionals. "Outsource your security operation," he writes. "While most small organizations can't afford to build sophisticated IT security systems, there are many service companies that have the scale and know-how to protect your operations and sensitive data." Make sure the firm you hire is doing everything it can to protect you; if customers sue you following a data breach and the security company hasn't met "minimum required practices," you're going down.
Buy a cyberinsurance policy.
While cyberinsurance is not a magic bullet, Shipley says it's a must. "These policies, offered by more than 70 carriers according to a Gartner Research report in March, include liability coverage for exposing confidential information, paying to notify customers of a breach, and providing them with credit-monitoring services," he writes. After you get hacked, your policy will reimburse you for costs incurred from business interruption.