Group items tagged

Small business owners' cybersecurity policies and actions are not adequate enough to ensure the safety of their employees, intellectual property and customer data, according to the 2009 National Small Business Cybersecurity Study. The study, co-sponsored by the National Cyber Security Alliance (NCSA) and Symantec [Nasdaq: SYMC], as part of this year's National Cyber Security Awareness Month, surveyed nearly 1,500 small business owners across the United States about their cybersecurity awareness policies and practices.

The survey shows discrepancies between needs and actions regarding security policies and employee education on security best practices.

The study found that while more than 9 in 10 small businesses said they believe they are safe from malware and viruses based on the security practices they have in place, only 53 percent of firms check their computers on a weekly basis to ensure that anti-virus, anti-spyware, firewalls and operating systems are up-to-date and 11 percent never check them.

"Three-fourths of businesses are deleting files, reformatting or destroying drives, or 'do not know' how they are erasing sensitive data. Deleting files from a hard drive only marks the files to be rewritten, which may never occur. Furthermore, reformatting the drive only removes the entries in the index or table of contents that point to the data. And, physically destroying a drive is not a guaranteed method of protection, as Kroll Ontrack has been recovering data from severely damaged drives, such as the Columbia space shuttle, for more than 25 years.

"Surveying more than 1,500 participants from 12 countries across North America, Europe and Asia Pacific regarding their data wiping practices also revealed that four in 10 businesses gave away their used hard drive to another individual and 22 percent do not know what happened to their old computer.

Only 19 percent of businesses deploy data eraser software and fewer, 6 percent, use a degausser to erase media. When asked if and how businesses verify their data has been deleted, very few (16 percent) reported relying on a product or service report to confirm all of their data had been wiped.

Now, in a survey of more than 600 small business owners and executives, the Ponemon Institute has tried to put a number on the cost of credit card account fraud for those vulnerable targets, comparing the damage with the cost of physical theft by employees or burglars. The result: While identity theft takes less from businesses per incident than either robberies or crooked employees, it hits them often enough that it's an equally costly or even costlier problem. According to Ponemon's study, the median account fraud incident costs a business $5,136. That's much less than the $9,913 the respondents attributed to the median cost of a burglary or $17,517, the cost they attributed to an employee theft case. But take the frequency of those incidents into account, and the pain adds up. About 86% of businesses have suffered from account fraud, more than the 77% who have been robbed or the 63% whose employees have stolen from them. And among those victims, most businesses experience employee theft either once (32%) or zero times a year (41%). Robberies are less costly but more frequent: Most businesses report them either once (29%) or between two and five times a year (38%). Account fraud is far more frequent: 45% of businesses have been digitally defrauded two to five times in the last year, and 38% have been defrauded more than five times.

1. The growth of cloud computing is astounding. It is estimated that the worldwide cloud computing market is $8 billion with the U.S. market accounting for approximately 40% of that: $3.2 billion.  According to Gartner’s 2011 predictions, number one on their list of Top Strategic Technologies is Cloud Computing. Gartner also predicts that the SaaS market will hit $14 billion in 2013.

2. Cloud Computing Software Solutions VS Desktop Applications The most common reason why small businesses choose cloud computing solutions over desktop applications is this: It is less expensive because you pay a small monthly amount instead of a one-time fee as it works now with traditional desktop software. On a cash-flow basis, it is less costly because your cloud based apps are often slightly less costly than an annual purchase or upgrade for common programs.  However, you have to look closely at the pricing plans and details for each application.

3. Cloud Computing Solutions are available all the time – no matter where you are. For some business users that operate virtual offices or operate remotely on different machines depending on location and they need the application to be accessible from a web browser. That is one of the biggest advantages of cloud computing– it is available wherever you have access to a computer and browser.

The regulations, which went into force in March, are intended to protect a consumer’s personal information from identity theft and other privacy breaches and to spell out steps that businesses must take to ensure data is secured. Some large companies — particularly those in the finance and health care industries that are already subject to data security laws like the Health Insurance Portability and Accountability Act (HIPAA) — had privacy measures in place, which helped get them ready for Massachusetts’ regulations. However, for many smaller and midsize companies that have not been subject to data security laws before, complying with the rules is a longer and often more painful process.

some businesses that are complying with privacy regulations for the first time and have limited in-house technology expertise “are running around with their hair on fire, trying to figure out what to do first,”

“We’ve seen a substantial uptick in activity in clients seeking guidance in how to comply,” said Carlos Perez-Albuerne, a partner at Choate Hall & Stewart LLP. “There’s a whole swath of businesses that never had to deal with anything like this before.”

According to Conner, cybercrooks are now targeting small business: "We are in an arms race with sophisticated, high tech enemies who are now concentrating on smaller business bank accounts in addition to their continued efforts to steal from large corporations." To combat the risk, Conner suggests that small businesses employ a "triple threat" security package that would include

According to Brian Krebs, a journalist who has covered this issue extensively, "Most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them."

So how does this type of fraud occur, and what can you do to protect yourself? Typically, the bad guys are able to plant malware on the victim's computer and then use that to access the company's online banking profile. They then use that information to transfer huge sums of money out of the targeted accounts.

Behavioral Advertising Online behavioral advertising – the practice of tracking someone’s online activities to deliver targeted advertising – can raise potential privacy issues.  Do you disclose your practices to your customers and honor your promises? Children’s Online Privacy The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their kids. If you run a website designed for kids or have a website geared to a general audience but collect information from someone you know is under 13, you must comply with COPPA’s two main requirements. Credit Reports Does your business use credit reports to evaluate customers’ credit worthiness? Do you consult credit reports when considering evaluating applications for jobs, leases, and insurance? Here is information about your responsibilities when using, reporting, and disposing of information in those credit reports. Data Security Many companies keep sensitive personal information about customers or employees in their files. Having a sound security plan in place can help you meet your legal requirements to protect that sensitive information. Gramm-Leach-Bliley Act The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. Health Privacy If you offer or maintain personal health records online, you could be covered by the FTC’s Health Breach Notification Rule. Are you familiar with your legal obligations in case of a security mishap? Red Flags Rule The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs  – or red flags – of identity theft in their day-to-day operations.

AVG's research shows that: * 83% agree that having the right level of IT security protection is critical to their business * 77% say that a security threat could have a significant negative impact on their business * 55% feel they can make IT security decisions without 3rd party influence * However, only 48% have a clear IT security policy in place for their staff, leaving most at the mercy of what employees decide to download or access online * As a result, perhaps not surprisingly, 1 in 4 have experienced a security breach * Most worryingly, 1 in 7 have no security software or systems in place at all AVG also asked small businesses whether they expect to see growth in the next five years - 61% of UK and 74% of US small businesses say that they do.

"The vast majority of staff in any organisation are trustworthy and honest. However, businesses are now beginning to realise and understand the scale of the threat posed by the small proportion of staff that act dishonestly and defraud their employer."

According to the ACFE 2010 report on occupational fraud the median length of the schemes was 18 months from the time the fraud began until the time it was detected. The median loss caused by the occupational frauds in the report was $160,000. Nearly one-quarter of the cases caused at least $1 million in losses and nine cases caused losses of $1 billion or more.

Historically, the most serious threat from staff fraud has been centred on relatively senior employees in management positions. However, the major threat has now shifted down the organisational hierarchy to more junior members of staff, who have access to, and responsibility for, more confidential customer and payroll data than ever before,"

As of April 2010, only about 7% of small-business owners were using cloud services, but that number is expected to grow to more than 10% by mid-2011, according to a survey by technology-research firm IDC.

Half of small firms that use "the cloud" say it has improved their bottom line, according to a survey this fall by Microsoft Corp., which provides cloud services.

A number of surveys show that some business owners are hesitant to try cloud computing because they don't want to stray from familiar systems or invest in new ones. Some owners that have made the switch, however, say it has been a boon to their cash-strapped firms.

A recent article in the Tech Journal (techjournalsouth.com) delves into the effects of data breaches, using survey information to demonstrate how they affect customer loyalty and confidence.

"The widespread impact of data breaches like Epsilon and Sony PlayStation, where millions of consumers were impacted around the world, is making customers more cautious about conducting business with certain financial institutions and retailers," said Jackie Gilbert, vice president of marketing and co-founder at SailPoint. "These companies obviously spent millions to recover from these data breaches, but the longer term and harder-to-measure costs will be the erosion of customer loyalty and decline in brand perception."

Case in point: 16% of Americans, 24% of Britons and 26% of Australians said they would no longer do business with a bank, credit card company or retailer if a security breach occurred that potentially exposed their personal and financial information to theft."

The Red Flags Rule is an anti-fraud regulation, requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to the warning signs, or “red flags,” that could indicate identity theft. The financial regulatory agencies, including the FTC, developed the Rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACTA).

The FTC’s Red Flags Web site, www.ftc.gov/redflagsrule, offers resources to help entities determine if they are covered and, if they are, how to comply with the Rule. It includes an online compliance template that enables companies to design their own Identity Theft Prevention Program through an easy-to-do form, as well as articles directed to specific businesses and industries, guidance manuals, and Frequently Asked Questions to help companies navigate the Rule.