If you as a business owner think that just because you’re not a huge corporation with thousands of employees you’re therefore immune to cyberattacks… Think again.
In today’s networked, digital economy, the only thing you need to make yourself attractive to the cyber bad guys is to possess, or merely enable access to, sensitive digital information like credit cards and social security numbers. We have all seen the headlines where huge corporations including Home Depot, Target, Sony and Anthem have fallen victim to cyberattacks that resulted in exfiltration of tens of millions of sensitive personal records. Because of today’s interconnected business ecosystem, your company doesn’t have to be a corporate behemoth to be breached; the size, scope and scale of your business is irrelevant to cybercriminals. The cliché “not if but when” applies to organizations of all sizes.
With this in mind, we recommend six areas that any small- or mid-sized business must consider to better defend itself against cyberattacks.
1. Security does cost, but lack of security costs even more.Many small and mid-sized companies often say that doing digital security “right” seems expensive. Think of a home alarm system. It may seem expensive until burglars break in. Cybersecurity surely is an added cost until, say, a data breach happens that becomes a lot more expensive to fix and to recover from. You do need to invest in layered security from the perimeter to your endpoints commensurate with the sensitivity of your data.
2. Establish an incident response plan.An incident response plan must include education, prevention and response processes. It should include things like maps of all endpoints, contingency plans for all possible situations, assignment of the Program Management role and establishment of a command center location in advance. Furthermore, employees should be trained specifically what to look for in terms of suspicious behavior. Once you know an incident occurred, you need to charge an employee with managing the response to it, which might well entail working with your legal department, attorneys and law enforcement.
3. Know your environment.For example, if you’re buying a payment processing system that claims it is PCI-compliant, be sure that it actually is. Trust but verify. You also need to have a clear map of where your sensitive data resides and how it’s protected, both from access via the network and from the endpoints where the data is stored or processed.
4. Passwords alone aren’t enough.First, enforce the strong password policies that your authentication system (like Active Directory) already provides. Beyond this, you can use multifactor authentication, requiring both a password and either a security token, biometric ID or key card.
5. Control Access to certain information. It is far more secure to provide need-to-know access to the right people within your organization to your sensitive data that could be stolen. Giving access to all or a high percentage of sensitive data to all your employees (and contractors and others) creates weakness in the system. With broad access, malware can more easily masquerade as someone who has access to the data. Related to this, you must consider level of access to your network and systems to third-parties like vendors or consultants. This way, if a breach does occur, the exposure will be limited because the sensitive data is effectively “walled” off.
6. Retain sufficient time-length of data and data logs. Often small and mid-sized businesses aren’t saving enough data because they’re underinvested in overall IT spending. They may keep network or system logs for three or perhaps six months only. Advanced malware attacks, by their very definition, take place over a period that often span many months to even a year, as recent cases have demonstrated. These advanced persistent threats (APTs) are long-running and consist of many different, seemingly unconnected pieces of malware. In order to paint a complete picture of how the attack evolved, you will need to rely on logs that span more than just a few months.
These six things that I have outlined also highlight a larger, overarching requirement: awareness. Being aware includes the recognition that, at some point, your business will likely be breached. If you’re involved in the ecosystem of today’s digital economy – whether you as an outsourcing element of a larger company, a small part of a healthcare provider network, or a boutique consulting firm servicing large clients – you are vulnerable. Just like the big guys.