Is Sony the problem?

After not one, not two, but three other high profile attacks this year, and after losing names, e-mail addresses, passwords and even credit card numbers for nearly 100 million customers, it may seem difficult to understand how Sony could have again had a significant security breach yesterday.

In fact, Sony has spent significant money on security in the past and has focused intensely on locking down its operations over the past 6 weeks since it was first attacked. While Sony was hardly a trailblazer in information security, it was not ignorant either. The repeated breaches call attention to how a single point of weakness can unravel a thoughtful approach to security.

Sony’s original sin was in painting such a big target on its back. Sony attracted the ire of hackers worldwide when it started cracking down on PS3 users attempting to jailbreak their consoles in order to gain additional functionality. Even though companies have long been at war with jailbreakers, Sony went a step further and began aggressive prosecution, landing some of its most avid fans in court. That drew the attention of worldwide networks of hackers, and their concerted efforts found the small holes in the security perimeter through which they could cause devastating damage.

It is tempting to think that Sony’s problems could only happen to Sony. However, hackers are rarely so focused on a single target and in fact are turning their attention to small businesses in droves, in order to escape the intense legal pressure governments and large companies are bringing to bear against them.

At a hard cost of $171 million and the likelihood of significant long-term damage to all of its businesses, Sony clearly and grossly misassessed the risk of a breach. It is likely that Sony had a firm understanding of how devastating such a situation could be, but it certainly did not anticipate that a group of hackers could act with impunity on its networks.

While the repeated breaches make clear that even a thoughtful approach to security can be insufficient, there are a number of strategies to reduce the threat of a successful breach. The most important is to ensure your security approach is centered on layers–something that would have been of substantial benefit to Sony and would have mitigated most if not all of the successful attacks on its networks.

With layers, vulnerabilities must line up from layer to layer for a breach to succeed. As a result, each layer dramatically increases the complexity of the attack and therefore reduces the number of attackers with the necessary skill set. This approach minimizes risk by making you a difficult target in a world full of easy targets.

Good layered security begins with perimeter firewalls and includes intrusion prevention, DMZs, data leak protection and following vendor security practices. Most importantly, each layer of defense requires continuous attention to ensure that it continues to function in an optimal state and that its output is actually consumed: a layer whose logs and alerts nobody reads adds little. In fact, the hallmarks of good information security are directly analogous to physical security, nesting increasingly secure zones and verifying the security of those zones continuously in order to contain any attack that does slip through the perimeter.


Hackers Turn Their Attention to SMBs

In April, Verizon, in cooperation with the US Secret Service, released its annual Data Breach Investigations Report. The DBIR compiles and analyzes data from a wide range of information security breaches. In many respects, its assessment is positive. The number of records lost to attackers was down from 361 million in 2008 to 144 million in 2009 and just 4 million this past year.

Though the news appears good at first glance, a closer look indicates troubling news for SMBs. While the number of records lost has dropped sharply over the last several years, the number of breaches has skyrocketed.

[Figure: While the number of records lost per year has declined sharply, the number of breaches has skyrocketed]

Coupled with this trend has been a change in the profile of businesses impacted by security breaches. In 2010, 67% of security breaches affected companies with fewer than 100 employees. As larger businesses beef up their security measures and law enforcement becomes more effective at investigating and prosecuting such attacks, hackers are turning their attention to safer targets.

[Figure: The majority of data breaches are at businesses with fewer than 100 employees]

Even more troubling for SMBs is a shift in both the demographic of attacked businesses and the methods of attack. The 2011 DBIR found that over 1/3 of data breaches occurred in the hospitality industry, far more than in the financial services industry. In fact, virtually all industries showed substantial exposure to data breach.

As the threat to SMBs continues to grow, it is imperative that proactive and responsible action be taken. Unlike the Sonys and Epsilons, few SMBs can deploy sophisticated PR and marketing campaigns to mitigate the damage caused by data loss. Often, data loss can be a business-ending event. Just as debilitating as a natural disaster or fire–and perhaps more likely–data breaches are not covered by business continuity and liability insurance.

But what are the reasonable steps to take without being paranoid or excessive? This conclusion from Verizon’s 2011 DBIR provides a starting point:

“The latest round of evidence leads us to the same conclusion as [the 2010 DBIR]: your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old.”

The report found that the overwhelming majority of attacks exploited lax or non-existent security procedures, software vulnerabilities that had been known and fixed for 6 months or more, and a lack of commitment to even the most basic level of security. These represent a clear starting point and accounted for 87% of the successful data breaches in 2010.


CentOS: From Enterprise Ubiquity to Irrelevance

After a fairly lengthy wait, including a long-winded beta process, Red Hat got RHEL6 out in November and followed up with its first minor update last week. Over 6 months later and now a release behind, the CentOS project is still trying to get to beta. There were big strides toward that in the last few weeks, with a set of milestones finally being set. The first milestone, a QA tree, was delivered four days late. That’s pocket change in a 6 month wait, but it shows that even with a schedule, the project still can’t deliver.

The best case has them bringing a beta out in mid-June with a final release in July, at which point their focus will turn to 6.1. Based on their current rate of progress, a 6.1 release would no doubt come in December, nearly 7 months late itself. The dire state of the project is to be expected. Many of the core team have left the project and few volunteers have stepped up to fill the gap.

The question, then, is what will fill the void? Fedora is as volatile as ever, giving inevitable headaches to any team that tries to roll it out on a wide scale. Ubuntu recently did the world a favor by abandoning its “server” project. There’s always SuSE, but I’m fairly certain that no one has ever voluntarily said they like SuSE. There has been an upswing in smaller distros, likely hoping to gain traction while there is no clear choice, but none of them have developed any substantial momentum as of yet.

We’ve recently been looking at Scientific Linux 6 and Debian 6 (Squeeze), both of which show promise. SL6 is familiar to CentOS users and is essentially another byte-for-byte rebuild of RHEL6. Skepticism about using a distribution primarily geared toward supporting scientific research has been strong, but any specific complaint seems to fall away on closer inspection. The Fermilab team has maintained a strong commitment to the project, delivering its 6.0 release nearly 3 months ago after a strong beta process. In order to support their internal needs, they also have a coverage team to ensure the rapid release of security patches–something that has not been the case for CentOS recently.

After drifting for a long time, Debian showed signs of life with 5.0 (Lenny) and has continued that with Squeeze, frustratingly delayed but very complete nonetheless. Squeeze continues Debian’s heritage of being annoyingly different from almost every other distribution, usually with good reason. Of course, it is hard to appreciate such reasons when trying to accomplish basic tasks. Still, apt continues to be superior to rpm, and the packages are organized and compiled thoughtfully.

In spite of many nice attributes, it is unlikely that Debian will ever gain enough momentum to be a serious enterprise distribution. That makes Scientific Linux the strongest contender to step in as the open source enterprise distribution of choice. In the meantime, at least it is a modern distribution with a strong commitment toward getting security patches out, based on familiar roots.
