3- Step's: Cyber Security Preparations for Small and Medium Businesses
Business is rocking! You are hiring new people, bringing in new clients. Money is flowing in and things couldn't be better.
A few years ago this company was in it's infancy as a startup. A handful of employees, simplicity within its organization. Now just a few years later it has grown tremendously. You and your staff are building out organizational structure for Human Resources, Administration, Legal, Finance, Sale and Marketing and then...Technology.
Why is it that technology usually comes last?
It is an old paradigm within the world of how business is perceived. Similar to the pre-quantum revolution of the late 1800's when humanity believed that they knew just about everything and Newtonian Physics was staple in the paper.
If this latter example has shown us anything it is that we as humans tend to overestimate the structural integrity within our perceived paradigms. Eventually old paradigms are torn down and replaced with something that more resembles the evolutionary trend that came from decades of growth within society. I would even go out on a limb to say that any company, in existence today, no matter which industry, is a Technology company.
Understanding that you are a Technology company.
What the mobile phone and the internet have done to society is unparalleled in comparison to any other social-industrial revolution in the history of man. These two key technologies have integrated our society into a digital landscape of immersive communications, free flowing information exchange and a consolidation of knowledge to centralized locations.
With the advent of social media, digital marketing and web based tools, small businesses are now more prepared than ever before to compete with larger and enterprise level companies for a market share. As companies become more integrated with easy to use technologies and cloud based software platforms the level of responsibility for technology becomes drastically reduced. This arises from the mentality that these applications and platforms are external to your company and that you "pay" for the service of management and mitigation of liability.
Although this can't be any further from the truth. One of the top news stories today in the world of Cyber Security is that FedEx had an unsecured S3 bucket that held over 119,000 records of customers. This lack of responsibility in securing their S3 bucket has become one of the first data breaches of the new year. This comes after a 2017 data breach of US Intelligent agencies doing the same exact thing! You would assume that after the main stream media picked up the story of the US Government having an unsecured Amazon Web Services S3 Bucket that every company and organization out there would have went and reviewed their solutions to validate their level of security.
So why does this matter to you?
Firstly, you are a Technology company. Whether you realize it or not your company is highly integrated into technology. Every department has some critical technological facility that if it was taken away that department would panic or become crippled.
To name a few...
- Dropbox, Box, Google Drive, One Drive
- G-Suite, Office 365
- Facebook, Instagram, Twitter
- Sales Force, Zoho, Hubspot
Now I know what you are thinking, "If I lose access to my Facebook account, that is not the end of the world".
Although, let me take an educated guess right now and assume that your business Facebook page is connected to your personal account. You also have administrators on this page. One of the administrators is sent a funny message on Facebook proclaiming it is a video about them. They click the link, are instantly logged out and a new Facebook login page is opened up.
They simply put in their credentials only to have this new page say "Sorry, that was an incorrect password". They try again. Same conclusion. Before they know it, they are locked out of their Facebook account, your business page is now sending out the same "Click Me" scam links to all your followers. To add to the drama that will follow, your trusted social media manager uses the same password for everything! This means, that now this hacker can access your network and steal your data. Or even worse, place some simple Ransomware on your network and lock your business down.
All of this happened because you never realized that you were a Technology company and that you need to take more responsibility for the Technology that your company uses, manages and accesses.
Information Security Policy, Training and Awareness
An Information Security Policy is the foundation of security for your company. Without it, there is no direction, strategy and your company will lack that first layer of protection against a cyber incident. A policy will identify the rules, regulations, procedures and guidelines for every single person accessing your networks. It will set the ground work for the availability of resources and data at all levels of business. As a framework, it will identify your security posture, assign functions and responsibilities, grant authorities and provide all the procedures and guidelines that need to be taken into account in the advent of an incident.
An Information Security Policy is the backbone of how your company will manage and control the totality of it's digital workforce interactions.
Training and Awareness
There is nothing more important in a business than being informed with highly valuable information. The same is true for the world of cyber security. Human Beings thrive on being informed. By having an effective Security Policy in place, your business has taken the first steps to mitigating its cyber risk. Although, the next steps would be to implement a program for training your staff on those policies and bringing awareness to cyber threats and criminal tactics.
When it comes to training and awareness models for Cyber Security we can take many different approaches. Typically a measure of the companies size would determine the level of training that is needed. Although here are a few ideas that I would recommend to any company large or small.
Annual - Instructor Lead Training (ILT)
This type of training can be implemented either in a classroom or within a virtual environment. The level of employee engagement that occurs within this type of training cannot be matched. Instructors will go in depth and clearly explain how hackers and cyber criminals operate, why they do what they do, what tactics and techniques they use and most importantly how to defend against an attack and/or the steps to take during and after a cyber incident.
This type of training can be implemented in a variety of ways. Through a web portal, instructor lead and even taught by an internal IT department. Typically, the quarterly training is a refresher training on what was taught in the annual training. This type of refresher will reintroduce the concepts, tactics and techniques used in mitigating the companies cyber risk.
Daily Reminder's and Reinforcements
Having visual queues in the office that constantly remind your staff of their responsibility is of the utmost importance. This can be one of the determining factors when it comes to the security of your companies data and networks. Another example of a Daily Reminder would be to set up automatic email notifications that send out Cyber Security news, tips and reminders.
I know, anytime you hear someone say "Next-Generation Solutions" all that you think about is $$$. When you are growing your business it is incredibly difficult to budget for technology that you do not even know you need. Luckily, most Managed Security companies that will assist you in developing your cyber program will have methods for financing these solutions that makes them highly cost-effective.
Here are a few solutions my company has identified as must have's when growing your business.
A firewall is a physical or sometimes virtual device that sits at the front door of your network. It is the essential gatekeeper. It is the drawbridge of security that acts as a logical access point for your network and data. Strictly speaking, a firewall will only let in those who are allowed to be let in. Therefore, when contemplating the security of your company a Firewall is an incredible asset to mitigating cyber risk and reducing your exposure as low hanging fruit.
It is only after something happens do we wish we had taken the precautions so that it would not have happened in the first place. We are never going to be prepared for everything that could happen. Therefore any solution that can take your companies digital snapshot of data, content, images of critical systems, etc and store them in a safe place would be something of incredible value.
There are countless Disaster Recovery solutions out in the world. The better they are the more expensive they get. Although there is a medium ground of cost per value. Having a Disaster Recovery platform in place is a critical element to business continuity. It is your lifeline in the face of Ransomware. It is the beacon of hope after a massive casualty. Whether you choose a cloud based solution or something on premise the very fact of having a solution can mean all the difference in the event of a cyber incident.
End Point Protection
End point protection can be a wide range spectrum of software's and services that can be implemented within a business. For now, we will keep it simple and cost effective.
The basic level of end point protection that a business should have implemented is an extremely effective and high rated anti-virus, anti-malware software that actively monitors, accesses and eliminates threats. Software's like this use multiple tools like behavioral analytics, firewall integrations, content and web filters to name a few. They are usually very affordable, effective and easily integrated as a solution into your business.
The Security of your Business
Small and medium sized business are a target for cyber-criminals. The longer a business neglects their cyber security the greater the risk increases. Building your business up with some level of information security in mind will help to mitigate future risks as the potential for cyber crime increases around the world.
If you are in doubt as to where to start, contact a professional. Most Cyber Security companies will give free consultations.
"In a business, cyber security is everyone's responsibility."