No Target Too Small: How Small Organizations Can Improve Their Security Programs
Any organization can be compromised by ransomware and other security incidents, regardless of size. It is important to prioritize security, and outside resources can help when money and skills are limited.
By: John Hollenberger, Incident Response
Many organizations underestimate their risk, assuming they wouldn’t be of interest to attackers. Too many times, Secureworks® incident responders hear the phrases, “We are small” or “We have nothing of value” or “Why would someone attack us?” When it comes to ransomware, no organization is off limits. An organization doesn’t need to sell sophisticated technology or protect national secrets. If they have even a little money, they can be targeted. Financially motivated threat actors just want to get paid.
It’s difficult for many organizations to prioritize security while focusing on day-to-day activities. As a former IT director for a small non-profit organization, I know the balance is particularly challenging for small businesses and non-profit organizations due to limited staff. But security can never be an afterthought. IT staff must ensure that the organization’s leadership understands the importance of security. Management support is critical for obtaining funds and resources to strengthen the organization’s security posture. One approach I used in my former position to increase awareness was creating a presentation that described weaknesses I knew about in the environment and highlighted security incidents at similar organizations.
While exploring other ways to maximize and supplement internal resources, I identified multiple options that can help small organizations that have limited budgets or technical staff:
- Educate employees about security threats — Phishing attacks are common, and users tend to be susceptible to social engineering. Reduce the risk by conducting training for employees at least annually. The National Institute of Standards and Technology (NIST) website lists numerous security awareness training resources. Stress the importance of immediately reporting suspicious activity to IT staff, including cases where an employee has already clicked a link or entered credentials; early reports shorten the time an attacker has in the environment. Training some non-IT employees as “security ambassadors” who can help address basic questions and provide guidance about issues such as phishing emails can allow IT staff to focus on more critical issues.
- Consider volunteers or interns — Small businesses and non-profit organizations often have donors or other contacts who work in information security or information technology, or who know someone in those fields. Volunteers can be a great resource, but make sure to have them sign a non-disclosure agreement. Also, college students often seek internships to advance their education. These students could alleviate the burden on employees while gaining valuable work experience.
- Leverage free and low-cost training — The NIST website lists many free and low-cost cybersecurity learning resources. SANS also offers a few free Tech Tuesday workshops throughout the year.
- Join local security groups — Many cities have groups for people who are interested in cybersecurity. For U.S.-based organizations, is there a local InfraGard chapter or Security BSides event? UK organizations may want to join the Cyber Security Information Sharing Partnership (CiSP). Build a network of trusted security experts who can provide guidance and support.
Security is not just the IT staff’s responsibility. All employees must take appropriate precautions and report suspicious activity. Threat actors often search for opportunities to exploit lax security controls and vulnerable systems, regardless of the organization’s size.
Secureworks offers many services that can help organizations of all sizes improve their security posture. Contact us to learn more about proactive services such as process evaluations and training. Our emergency incident response services can help victims following a ransomware or other security incident.