36% of small businesses forego endpoint security, a survey recently revealed. 700 security professionals from 50 countries were asked about the main security concerns and challenges they face inside their organizations and not surprisingly, most of them have admitted that three out of four problems revolve around endpoints.
Endpoint security is, by definition, a solution for protecting the central network while it is accessed by remote devices such as smartphones, laptops, IoT gadgets and other wireless devices. And with employees embracing mobility and bringing even more personal devices in the office space, it seems only natural that small companies protect their network from security breaches. However, studies show that this is not actually happening. Very often, the endpoint device is the initial point of compromise that allows for lateral movement into the corporate network, allowing hackers access to sensitive data.
And facts become more worrisome as cyber-security threats against SMBs are thriving. A 2015 Ponemon Institute report shows that the average enterprise gets 17,000 malware alerts weekly, from IT security products.
So why are companies still lagging behind on securing their corporate environments? Here are five popular misconceptions that I believe are responsible for the sluggish adoption:
Misconception no. 1. A consumer-grade AV solution and a firewall will manage to protect the whole network from hackers. The reality is that traditional antivirus solutions have their shortcomings. As the IT computing infrastructure has become more complex, we have seen corresponding changes in the security threat landscape and antivirus solutions have become less efficient in detecting sophisticated malware. Rather than looking for signatures of known malware as traditional antivirus software does, next-generation endpoint protection platforms analyze processes and connections in order to spot activity that indicates foul play. This means stronger real-world protection against malware and exploits. Plus, an endpoint security solution will include a broader range of security features. These typically include:
Another advantage over consumer products is that corporate software uses a centralized server application to allow easy management of all the endpoints from a single user interface. This translates in more efficiency.
No.2. Another huge misconception is that only large companies need security because unlike SMBs they store valuable data. Think Target, Home Depot, eBay, and Anthem. But the reality is that big breaches start small. Third-party security breaches have happened in retail, hotels, healthcare, and in many other verticals where partnerships and outsourcing are increasingly used to support business operations. In the UK, contractors accounted for 18% of serious breaches. Remember, third-parties act as insiders, having partial access to company information.
No.3. Underestimating the human risk is another common mistake companies make. Not every organization is vulnerable to the same types of security threats, but they all have in common one thing: the human factor. In fact, 24 percent of organizations affected by data loss in the past year say it was the result of an employee accident.
Data loss incidents often happen when employees send sensitive documents to unintended recipients. People also transfer work documents to personal email, place them on consumer-grade file-sharing sites or copy onto removable media such as USB sticks. And while flash drives seem harmless, if someone connects an infected USB drive to the office network, a worm can upload and replicate itself on the network. Regular employees aren’t the only ones whose activities should be monitored. Despite boasting super human powers, skilled system administrators sometimes make mistakes. Reports show system misconfigurations, poor patch management practices and the use of default names and passwords are some of their most common errors.
No. 4. Fourth misconception on the list refers to applications are becoming inherently more secure and policies are strong enough to mitigate any human risks. The reality is that policies are not a panacea. On the other hand, believing that technology alone can keep endpoints secure and therefore skimping on actual security policies, procedures, and training is also wrong. No technology can deliver security if people undermine it.
No. 5. Endpoint security will solve all security needs. The reality is that endpoint security is only one of the weapons in a company’s security arsenal. Network monitoring, intrusion prevention and DDoS protection are only a few of the other useful tools. Also, data protection should include encryption, backup of critical data, and secure destruction of data and retired devices that contain critical data.
Of course, there are more than a handful of reasons why small business owners have not installed dedicated security software: maybe they have not recognized the need, maybe they consider it as an expensive investment, maybe they don’t see the difference between a consumer product and an endpoint security solution. But, ultimately, the smartest way to make a decision is to test.