Small Biz Security: Optimizing Your ResourcesHow growing businesses can make the most of their resources to build a strong security plan
By: Jeff Multz
I often see small businesses overlook cybersecurity protection, making them a prime target for attackers.
They're often attacked to gain access to their bank accounts and their Automated Clearing Houses (ACHs). Although your small business may not be able to afford to do everything in one year, below is a look at what you should be aiming for.
Knowledge of risk
Before you can make a decision on what to do to secure your network, you need to know all that is at risk. Your risks change as your network and company changes. For example, when you allow mobile devices to connect to the network and when the company uses third-party cloud applications, you must understand the inherent risks with each in order to mitigate them. Your company may have compliance requirements like those for the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA).
The risks for being out of compliance could include steep fines and loss of business. There's also the risk of liability for an attacker who breaches customer and employee data, and there's the risk that the business's private information could be lost. Many thieves have stolen companies' trade secrets and then created and marketed similar products at lower rates. Attackers often attack small businesses to obtain login credentials of a company's banking and Automated Clearing House (ACH) accounts to steal funds. As well as financial loss, there's the risk of harm to your company reputation. In a survey conducted late last year, almost two-thirds of consumers (64%) in the U.S., U.K., Australia, Brazil, France, Germany and Japan said they are unlikely to shop or do business again with a company that has lost financial information in a breach, according to UK technology market research group Vanson Bourne.
Web Application Scans
- A patch
- A new firewall policy
- A new web app firewall policy.
In addition to scanning your apps on your website, conducting a quarterly penetration test assesses your security controls on your routers and firewalls, software and any other devices that could be seen by a hacker scanning your network from outside its perimeters. A pen test shows you where vulnerabilities lie, what types of security controls could be bypassed and how much damage an attacker could do to your network.
Red Team Testing
After you have remediated vulnerabilities found in a pen test, it's time for an annual Red Team test. Whereas a penetration test exploits digital weaknesses found within the network and within applications, a Red Team test attempts to exploit weaknesses within an organization's digital, physical and wireless structures, as well as within its staff. As long as it does nothing that will harm a network, a Red Team will do whatever it can to break into a network. It may attempt to sneak into a company's office, break into its website, mobile applications, virtual private network (VPN) and wireless network. Team members might also conduct social engineering tactics, such as pretending to be someone they aren't to trick employees into divulging information. Once inside the network, the team delves as far as it can to discover its most valuable data, including financial information, client data and intellectual property.
In addition to elucidating weaknesses, the test shows an organization how quickly or slowly its security team recognizes the attacks and stops perpetrators before they discover valuable information. A good Red Team can almost always break into a network. The ultimate goal, however, is to teach an organization where it is failing and how it can tighten its defenses before and during future attacks.
You and Your Vendors
Most breaches these days are due to mistakes made by employees. They inadvertently share too much information on social media sites and trust people who send them emails containing malicious links and attachments, surreptitiously downloading malware onto their computers. Once a victim's computer is infected, the attacker may be able to gain access to any file in the network. Not only should you be sure your staff is well trained but also the staff of any vendor that has access to your network. Attackers often attack third-party vendors who have access to the network of companies that are the main target. Make certain your vendors' networks are at least as secure as yours. You and your vendors need to have your networks (on premises and in the cloud) and endpoints (laptops, servers and workstations) monitored 24x7x365. You and your vendors should practice ongoing vulnerability management to help control information security risks, giving you a continuous overview of vulnerabilities in your environment and the risks associated with them.
Computer Security Incident Response Plan
A Computer Security Incident Response Plan, or CSIRP, is the plan you turn to when the enemy strikes and you realize you've been hit. At that point, there's no time to wonder, "What do we do now?" With a well-conceived CSIRP that is rehearsed and updated annually, everyone involved in the plan will know exactly what to do. Those people involved in the plan need to be your IT team and your business leaders to help answer the following questions.
- If your network has been taken offline, what parts of the website need to be up and running first?
- Which people or what company will you call in case of a possible breach?
- What messages will you tell employees, customers, shareholders and the media?
- What team will you call upon to remediate the threat?
- If a server in one location goes down or is destroyed, what do you do to get that part of the network back up and running?
- How will you define the severity of an incident to create a plan?
A complete CSIRP should answer these questions and many more to help ensure you comply with legal, regulatory and industry requirements.
All this might seem like a lofty aim, but when your network is the target you need to aim high.